topic Re: Cisco ASA intervlan routing in Network Security

Cisco ASA intervlan routing

veerapandiyanrengasamy — Mon, 16 Oct 2023 20:20:24 GMT

Hello Cisco community,

Can i please have some ideas, how can i configure intervlan routing on cisco asa, i have shared my current config and diagram,

what can i added to complete the config for all the vlan to communicate each other, Any help would be highly appreciated 🙂 .

Best Regards,

Veera.

Cisco ASA:

ciscoasa(config)# sh run
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium II 1000 MHz
:
ASA Version 9.1(5)16
!
hostname ciscoasa

!
interface Ethernet0
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface Ethernet1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface Ethernet2
nameif outside
security-level 0
ip address 192.168.1.55 255.255.255.0

!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface Port-channel1.10
vlan 10
nameif vlan10
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Port-channel1.20
vlan 20
nameif vlan20
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Port-channel1.30
vlan 30
nameif vlan30
security-level 100
ip address 192.168.30.1 255.255.255.0
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network vlan10
subnet 192.168.10.0 255.255.255.0
object network vlan20
subnet 192.168.20.0 255.255.255.0
object network vlan30
subnet 192.168.30.0 255.255.255.0

!
object network vlan10
nat (vlan10,outside) dynamic interface
object network vlan20
nat (vlan20,outside) dynamic interface
object network vlan30
nat (vlan30,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

dhcpd address 192.168.10.5-192.168.10.100 vlan10
dhcpd dns 8.8.8.8 interface vlan10
dhcpd enable vlan10
!
dhcpd address 192.168.20.5-192.168.20.100 vlan20
dhcpd dns 8.8.8.8 interface vlan20
dhcpd enable vlan20
!
dhcpd address 192.168.30.5-192.168.30.100 vlan30
dhcpd dns 8.8.8.8 interface vlan30
dhcpd enable vlan30
!
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!

ciscoasa(config)#

Re: Cisco ASA intervlan routing

Marius Gunnerud — Mon, 16 Oct 2023 22:12:11 GMT

Are you able to ping the default gateway for each VLAN? If yes, then I would suggest verifying the default gateway configuration on the endpoint you are testing between.

Your configuration should allow inter-VLAN traffic, if this is a virtual environment test lab, then the issue might be in the virtualization and you might need to rebuild the setup.

Re: Cisco ASA intervlan routing

veerapandiyanrengasamy — Mon, 16 Oct 2023 22:18:40 GMT

Hello @Marius Gunnerud ,

thanks for your reply, yes i can able to ping default gateway of the each vlan(10,20,30) and also i can get to internet from all vlan, But i cant ping from one vlan to other vlan

Re: Cisco ASA intervlan routing

Marius Gunnerud — Mon, 16 Oct 2023 22:31:54 GMT

did you provide the full configuration from the ASA or did you leave something out? could you also provide the configuration of the switch?

Is this a virtual environment?

Re: Cisco ASA intervlan routing

veerapandiyanrengasamy — Wed, 18 Oct 2023 21:12:47 GMT

Hello @Marius Gunnerud , Thanks for your input on this, Your help much appreciated.

I have provide all the ASA configuration above,

this is switch configuration, by the way this is GNS3 lab

IOU1#sh run
Building configuration...

Current configuration : 2242 bytes
!
! Last configuration change at 20:36:59 UTC Wed Oct 18 2023
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname IOU1
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
!
no aaa new-model
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
no ip domain-lookup
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface Ethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface Ethernet0/2
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface Ethernet0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast edge
!
interface Ethernet1/0
switchport access vlan 30
switchport mode access
spanning-tree portfast edge
!
interface Ethernet1/1
switchport access vlan 10
switchport mode access
spanning-tree portfast edge
!
interface Ethernet1/2
!
interface Ethernet1/3
!
interface Ethernet2/0
!
interface Ethernet2/1
!
interface Ethernet2/2
!
interface Ethernet2/3
!
interface Ethernet3/0
!
interface Ethernet3/1
!
interface Ethernet3/2
!
interface Ethernet3/3
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
!
interface Vlan30
ip address 192.168.30.2 255.255.255.0
!
!
router eigrp 1
network 0.0.0.0
!
ip forward-protocol nd
!
ip tcp synwait-time 5
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
!
end

Re: Cisco ASA intervlan routing

Marius Gunnerud — Thu, 19 Oct 2023 08:04:53 GMT

First off, remove the VLAN interfaces on the switch for VLAN 10, 20, 30 so to remove any possibility for the switch to do inter-VLAN routing, and make sure the client machines are configured with relevant firewall IP as default gateway.

If this does not solve the issue, then I suggest backup the configuration on both firewall and switch, delete them from GNS3 and then add them back. I have experienced with GNS3 previously that the virtual emulation of the devices messes with switching of traffic.

Re: Cisco ASA intervlan routing

MHM Cisco World — Thu, 19 Oct 2023 08:15:35 GMT

Make sure that you use gw (IP of vlan of FW) in each host.