topic Re: ASA 5506-X redundant subinterfaces not communicate with each other in Network Security

ASA 5506-X redundant subinterfaces not communicate with each other

riccardodem — Thu, 12 May 2022 15:14:06 GMT

Hi all, as per the attached configuration the subinterfaces (e.g vlan101 and vlan105) are not communicating with each other, But they regularly go on Internet. What is wrong in the attached configuration?

Re: ASA 5506-X redundant subinterfaces not communicate with each other

Rob Ingram — Thu, 12 May 2022 15:26:28 GMT

@riccardodem configure some NAT exemption rules, your traffic between the VLANS is probably being unintentially translated.

Re: ASA 5506-X redundant subinterfaces not communicate with each other

riccardodem — Thu, 12 May 2022 15:43:27 GMT

thanks Rob...any documentation about NAT exemption rules cofiguration?

Re: ASA 5506-X redundant subinterfaces not communicate with each other

MHM Cisco World — Thu, 12 May 2022 15:50:14 GMT

From this post and your previous post, You have two Internet and you want to use it for Anyconnect if I am right ?

https://www.cisco.com/c/en/us/td/docs/security/asa/misc/anyconnect-faq/anyconnect-faq.html

check this doc. it help you in your design.

Re: ASA 5506-X redundant subinterfaces not communicate with each other

riccardodem — Thu, 12 May 2022 15:55:44 GMT

Only one WAN internet connection on port GigabitEthernet0/0. Multiple vlans (subinterfaces) on redundant interfaces, must be natted to WAN and comunicate with each other.

Re: ASA 5506-X redundant subinterfaces not communicate with each other

Rob Ingram — Thu, 12 May 2022 16:11:51 GMT

@riccardodem example

https://integratingit.wordpress.com/2022/01/16/asa-nat-exemption/

Re: ASA 5506-X redundant subinterfaces not communicate with each other

MHM Cisco World — Thu, 12 May 2022 16:12:08 GMT

Sub interface INSIDE ?
you config bridge group and then assign IP to VLAN ??
the FW either work as Brdige or as router.

Re: ASA 5506-X redundant subinterfaces not communicate with each other

riccardodem — Fri, 13 May 2022 07:36:59 GMT

I tried without solving to put eg. network vlan104 and vlan105 in communication with these commands:

nat (vlan105,vlan104) source static vlan105 vlan105 destination static vlan104 vlan104

nat (vlan104,vlan105) source static vlan104 vlan104 destination static vlan105 vlan105

Trying to ping from vlan105 to vlan104:

5 (vlan105) to (vlan104) source static vlan105 vlan105 destination static vlan104 vlan104
translate_hits = 4, untranslate_hits = 4
6 (vlan104) to (vlan105) source static vlan104 vlan104 destination static vlan105 vlan105
translate_hits = 0, untranslate_hits = 0

this is the output of sh nat detail:

Manual NAT Policies (Section 1)
1 (vlan101) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.178.2/24
2 (vlan102) to (outside) source dynamic any interface
translate_hits = 10451, untranslate_hits = 8647
Source - Origin: 0.0.0.0/0, Translated: 192.168.178.2/24
3 (vlan103) to (outside) source dynamic any interface
translate_hits = 41, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.178.2/24
4 (vlan104) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.178.2/24
5 (vlan105) to (vlan104) source static vlan105 vlan105 destination static vlan104 vlan104
translate_hits = 5, untranslate_hits = 5
Source - Origin: 192.168.10.0/24, Translated: 192.168.10.0/24
Destination - Origin: 192.168.6.192/27, Translated: 192.168.6.192/27
6 (vlan104) to (vlan105) source static vlan104 vlan104 destination static vlan105 vlan105
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.6.192/27, Translated: 192.168.6.192/27
Destination - Origin: 192.168.10.0/24, Translated: 192.168.10.0/24
7 (vlan105) to (outside) source dynamic any interface
translate_hits = 12, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.178.2/24

thanks in advance for the help

Re: ASA 5506-X redundant subinterfaces not communicate with each other

riccardodem — Fri, 13 May 2022 07:41:30 GMT

yes, Asa act also as a router (nat-dhcp-routing):
on gi1/1 WAN to ISP router
on gi1/7 and 1/8 reduntant interface to 2 Cisco switch with 5 vlans (subintefaces)

Re: ASA 5506-X redundant subinterfaces not communicate with each other

Rob Ingram — Fri, 13 May 2022 08:20:19 GMT

@riccardodem how are you testing exactly?

Run packet-tracer from the CLI and provide the full output for review

packet-tracert input vlan105 tcp 192.168.10.5 3000 192.168.6.224 80 detail

You should also remove the other dynamic nat rules to section 2 (auto nat).

FYI, You only need one NAT rule to add, not 2. The NAT is bi-directional.

Re: ASA 5506-X redundant subinterfaces not communicate with each other

riccardodem — Fri, 13 May 2022 08:43:24 GMT

I was mistakenly trying to ping from a host on the vlan105 network the gateway of vlan104 with this result

ASA-HLSDN# packet-tracer input vlan105 tcp 192.168.10.50 3000 192.168.6.222 80

Result:
input-interface: vlan105
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

it works instead pinging from host of vlan105 to host of vlan104, I will do more tests by removing nat exception to see if the situation changes

packet-tracer command is very usefull!
thanks

Re: ASA 5506-X redundant subinterfaces not communicate with each other

Rob Ingram — Fri, 13 May 2022 08:48:14 GMT

@riccardodem that's because you can only ping the local ASA interface, not ping through the ASA to a far interface IP address.

FYI, you test connectivity be sending traffic through the ASA....you obviously need the NAT rules configured correctly to ensure you aren't unintentially translating.