Cisco ASA 5512X – No Internet Connection Across VLANs

cisco-asasubnetvlan

First time doing a network, I'm a software guy normally.
I am setting up a network to share and internet connections to multiple properties.
The goal is to segment each property onto its own VLAN.

I have a gateway with IP 192.168.1.254/24 that I can use to get to the internet.
There is a Cisco ASA 5512X connected on the first port (with IP 192.168.1.253/24). Its IP is from a DHCP reservation. For all the sub-nets, this ASA acts as the DHCP server.
The next port on the ASA is connected to an HP A5820X switch. The ports have been configured for the needed VLANs.

The switch has a trunk port with a Cisco Mobility Express WiFi AP who hosts a few WLANs.

I have IPs being handed out properly, but my VLANs cannot reach the internet.
I see the ASA being hit, and messages like "Built outbound UDP connection…" but the clients on these sub-nets cannot reach the internet.

A rough diagram of the network:

ASA Version 9.1(2) 
!
hostname firewall
domain-name revenance.us
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 9eeFjmhLBXqRF2up encrypted
names
!
interface GigabitEthernet0/0
 description Gateway Access
 nameif outside
 security-level 0
 ip address dhcp setroute 
 dhcprelay server 192.168.1.254
!
interface GigabitEthernet0/1
 description Inside Trunk Interface
 flowcontrol send on
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
interface GigabitEthernet0/1.1
 description Default VLAN1 (for HP Switch)
 vlan 1
 nameif Default-VLAN
 security-level 100
 ip address 10.0.1.1 255.255.255.0 
!
interface GigabitEthernet0/1.2
 description 9831 datacentre VLAN
 vlan 2
 nameif 9831-DC-VLAN
 security-level 10
 ip address 10.0.2.1 255.255.255.0 
!
interface GigabitEthernet0/1.18
 description 9818 LAN Segment
 shutdown
 vlan 18
 nameif 9818-VLAN
 security-level 100
 ip address 10.0.18.1 255.255.255.0 
!
interface GigabitEthernet0/1.31
 description 9831 LAN Segment
 vlan 31
 nameif 9831-VLAN
 security-level 100
 ip address 10.0.31.1 255.255.255.0 
!
interface GigabitEthernet0/1.34
 description 9834 LAN Segment
 vlan 34
 nameif 9834-VLAN
 security-level 100
 ip address 10.0.34.1 255.255.255.0 
!
interface GigabitEthernet0/1.35
 description 9835 LAN Segment
 shutdown
 vlan 35
 nameif 9835-VLAN
 security-level 100
 ip address 10.0.35.1 255.255.255.0 
!
interface GigabitEthernet0/1.75
 description 9875 LAN Segment
 shutdown
 vlan 75
 nameif 9875-VLAN
 security-level 100
 ip address 10.0.75.1 255.255.255.0 
!
banner exec Please be sure to save any changes with write.
banner login Connected to Cisco ASA - $(hostname)
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name revenance.us
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network A_
object network revenance.us
 fqdn v4 revenance.us
object network ISP_Gateway
 host 192.168.1.254
 description AT&T Gateway
object network Gateway-Network
 subnet 192.168.1.0 255.255.255.0
object-group network Inside-Networks
 network-object 10.0.0.0 255.255.255.0
 network-object 10.0.1.0 255.255.255.0
 network-object 10.0.18.0 255.255.255.0
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.31.0 255.255.255.0
 network-object 10.0.34.0 255.255.255.0
 network-object 10.0.35.0 255.255.255.0
 network-object 10.0.75.0 255.255.255.0
access-list outside_access_in remark Allow all to DC
access-list outside_access_in extended permit ip interface outside 10.0.2.0 255.255.255.0 
access-list inside_access_out extended permit ip any any 
access-list global_access extended permit ip any any 
access-list global_access extended permit ip object-group Inside-Networks object Gateway-Network 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu 9831-DC-VLAN 1500
mtu 9818-VLAN 1500
mtu 9831-VLAN 1500
mtu 9834-VLAN 1500
mtu 9835-VLAN 1500
mtu 9875-VLAN 1500
mtu Default-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
no user-identity action mac-address-mismatch remove-user-ip
http server enable
http 192.168.1.0 255.255.255.0 outside
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd domain revenance.us
dhcpd auto_config outside
!
dhcpd address 10.0.0.10-10.0.0.250 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
dhcpd auto_config outside interface 9831-DC-VLAN
!
dhcpd address 10.0.18.10-10.0.18.250 9818-VLAN
dhcpd auto_config outside interface 9818-VLAN
dhcpd enable 9818-VLAN
!
dhcpd address 10.0.31.10-10.0.31.250 9831-VLAN
dhcpd auto_config outside interface 9831-VLAN
dhcpd enable 9831-VLAN
!
dhcpd address 10.0.1.10-10.0.1.250 Default-VLAN
dhcpd auto_config outside interface Default-VLAN
dhcpd enable Default-VLAN
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sinman password uXtx7p2Ftlk.2ajD encrypted
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
!
prompt hostname state context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 28
  subscribe-to-alert-group configuration periodic monthly 28
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2979836264ef9f78dba4a6f01c759115
: end

Best Answer

Your access lists are totally wrong. outside_access_in only allows the outside interface's address -- which will never be the source for inbound traffic -- through, to an internal network; and it won't work anyway as traffic does not flow from lower to higher security levels. The global access only allows inside networks to talk to the gateway network. Until you fully understand the role of a global access rule, don't use one. Use the packet-tracer command to see the effects of your configuration -- acl's, nat's, etc.

And then there's the issue of NAT. The external AT&T (Uverse?) gateway doesn't know anything about those internal networks. And as they're 10.x, it can't -- 10/8 is invalid/reserved within the uverse network. You don't want to be exposing the internal networks anyway. (I don't recall there being anything in the limited GUI to add routes.)

Also, it's odd to have ip configured on the base interface for a trunk. What vlan does that traffic belong to? (whatever the external switch has set for the native vlan - if any.)

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Vlan – Setting up PIM Sparse mode

My questions are:

Should we setup on our core network switch OSPF with a router ID of 1.1.1.1 and then not set any OSPF settings on any other switch?

OSPF is not necessary for this implementation.

Would PIM Sparse Mode only need to be enabled on the core switches or on all of the switches in the network?

Pim-SM needs to be enabled on each L3 interface on which you want to allow the multicast traffic. For example, if you wish to contain the traffic to Vlans 15 and 14, you would have to do the following on your core:

configure
ip multicast
ip igmp
ip pim sparse
interface vlan 14
ip igmp
ip pim
interface vlan 15
ip igmp
ip pim
exit

If you want the traffic to traverse all Vlans, then you will need the appropriate interface configuration under each Vlan. Your L2 switches will need IGMP snooping turned on (ideally on all interfaces via the global configuration).

configure
ip igmp snooping 
bridge multicast filtering

For a very basic multicast setup like this, these should be the only features that you would need.

Best Answer

Related Solutions

Cisco ASA Routing Issue

Your ASA configuration:

ASA static routing example:

Your Cisco Router's configuration:

Router static routing example:

Vlan – Setting up PIM Sparse mode

Related Topic