One VLAN is not able to access the internet.

I have one VLAN, VLAN20 (Voice), that is not able to access the internet.

A former MSP configured this and I am not sure how this is working. The trunk port is set up as an access port for VLAN255 (Management Network) and that's it.

I will upload the running config for the ASA as well as the C3560G as well as a hand-drawn diagram of the environment.

In the Layer 3 switch, the default route is 0.0.0.0 0.0.0.0 10.152.255.1

Please let me know if you need anything other than the running-configs and the diagram.
John Chuma Asked:

RoohAllah Godazgar, IT Consultant, Commented:
Dear John,
Please provide a map of your network. It is very important to know how you connect your network to the internet. Please check these items:
1- Since you are using ASA, you should check your NAT.
2- Also since you are using Cisco devices in your network, you may want to check ACLs as well on all of your devices.
Depending on your scenario, there are several items that cause this issue.
John Chuma, Author, Commented:
Please see attached running configs and network map.

The phone server on VLAN20 is handing out DHCP. The gateway for VLAN20 is 10.8.110.1, which is a router that I do not have control over. I was told the default route on that device goes to 192.168.1.254.

Map_Configs.zip
JustInCase Commented:
You are missing, at least, a route for network 10.8.110/24 (Voice) on the ASA:
route inside 10.8.110.0 255.255.255.0 10.152.255.2 1

RoohAllah Godazgar, IT Consultant, Commented:
As Predrag said, you're missing a route. But before you add that route, you should secure your Voice VLAN and make sure that this is what you really want, because according to your configurations, it seems to be a new decision.
Also, according to your ACLs and NATs, it seems that your 2nd location has different IP addresses. I'm not sure, but it seems that 172.18.2.0/24 is the default VLAN and 172.18.108.0/24 is the voice VLAN on the other side; so you may want to activate that NAT which you weren't sure about.
access-list MainSite-L2L-RemoteSite extended permit ip 192.168.1.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list MainSite-L2L-RemoteSite extended permit ip 10.8.110.0 255.255.255.0 172.18.108.0 255.255.255.0
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-172.18.2.0 obj-172.18.2.0
nat (inside,outside) source static obj-10.8.110.0 obj-10.8.110.0 destination static obj-172.18.108.0 obj-172.18.108.0 inactive ***Did not work when on, not sure what this IP is)
John Chuma, Author, Commented:
Thank you PreDrag and RoohAllah!

I am still trying to figure out how/why this network was set up this way.

The 172.18.2.0/24 is a remote location's data network as they need access to a share on the server. There is a separate phone network there, but the guys who handle the phones mentioned they didn't know what 172.18.108.0/24 is.

The original IP range for VLAN20 was 10.8.110.0/24 and they were able to have their voice messages set to email (this is all that needs to happen). For some reason, their old MSP decided to change that IP range to 10.152.200.0/24 (I realized why they did this just now.... the route statement of 10.152.0.0 255.255.0.0 10.152.255.2 1). The site needed to revert back to 10.8.110.0/24 as that was the IP range assigned to this site for 3 digit dialing.

Once VLAN20 was re-IPed, the voice mail to email piece was broken and they really liked that feature. Everything is set up in the phone server to send the email via O365. I understand the security piece. If I wanted to only have the phone server communicate with O365, could I use the following route statement in the ASA: "route inside 10.8.110.5 255.255.255.255 10.152.255.2 1"?

Please let me know and thank you for your guidance!
RoohAllah Godazgar, IT Consultant, Commented:
You may use that route, but this route will send your packets out to your GW and it's not related to your main concern about sending voice mails via email. This is a L7 (application layer) perspective and you should check your voice server (VoIP ?) and O365 configurations.
I'm assuming that your O365 server is not local; so to connect your VoIP to it, you should use a valid IP (IPs that are assigned to your WAN). Now you can use NAT to transfer designated requests to your internal network. But before that, you must understand how this scenario was working and set it up again with your new IP plan.
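The route lookup behind this exchange, as an added example that is not part of the thread or of anyone's posted config: it runs a longest-prefix match over the route statements quoted above to show which interface the ASA would pick for packets destined to the voice addresses before the fix, with the /24 route, and with the /32 route. The outside default route and its next hop 203.0.113.1 are constructed placeholders (the ASA's real default route is not shown on the page) and the function names are hypothetical; only the routing table is modelled, not NAT or ACLs.

```python
import ipaddress

# Routes quoted in the thread, plus a constructed default route: the next hop
# 203.0.113.1 is a placeholder, the real outside gateway is not on the page.
BASE = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.152.0.0 255.255.0.0 10.152.255.2 1
"""
VOICE_NET = "route inside 10.8.110.0 255.255.255.0 10.152.255.2 1\n"
VOICE_HOST = "route inside 10.8.110.5 255.255.255.255 10.152.255.2 1\n"


def parse_routes(config):
    """Parse ASA 'route <if> <network> <mask> <gateway> [metric]' lines."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}")
            routes.append((net, parts[1], parts[4]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: (interface, gateway, matched network) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    net, iface, gateway = max(matches, key=lambda r: r[0].prefixlen)
    return iface, gateway, str(net)


def egress(config, dst):
    """Interface chosen for packets to dst, e.g. replies to a voice host."""
    hit = lookup(parse_routes(config), dst)
    return hit[0] if hit else None


if __name__ == "__main__":
    cases = [("before", BASE), ("/24 added", BASE + VOICE_NET),
             ("/32 added", BASE + VOICE_HOST)]
    for label, cfg in cases:
        # 10.152.200.5 is in the MSP's temporary range, 10.8.110.x in the restored one
        for host in ("10.152.200.5", "10.8.110.5", "10.8.110.50"):
            print(f"{label:10} {host:13} -> {lookup(parse_routes(cfg), host)}")
```

With the /32 route only 10.8.110.5 resolves to the inside interface; every other 10.8.110.x address still falls through to the default route.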
John Chuma, Author, Commented:
Sorry for not updating you guys sooner.

I added in the route and everything is good.

Thank you for your help!
JustInCase Commented:
You're welcome.
RoohAllah Godazgar, IT Consultant, Commented:
My pleasure