topic Outside Vlan & inside Vlan ASA5510 in Network Security

Outside Vlan & inside Vlan ASA5510

j_j624001 — Tue, 12 Mar 2019 07:59:03 GMT

Having a few problems with my outside vlan 5 and inside vlan 10; my outside vlan are all pingable; but when i try to ping from the or switch my inside vlan10 gateway its unpingable to inside gateway. I have two route setup on the ASA5510 firewall; one for my outside network default 0.0.0.0 0.0.0.0 Outside and i have another to allow my internal vlans to reach the outside network 10.0.0.0 255.0.0.0 Outside. I don't what else can be blocking ping access to my internal gateway; all of my acl are allowing traffic. Does any else have this problem where your outside network are pingable but your internal network is not pingable to the gateway; Could it be a switch port on the switch or could it be the router ??

Please if any have some suggestions feel free

thanks

Hi

Francesco Molino — Mon, 04 Jul 2016 03:39:24 GMT

I would be happy to help however I'll need your asa config and switch config. Please attach a little drawing to indicate which switch port is inside.

Your issue could be asa (sub-interfaces, Same-security-traffic,..) or switch (trunk, access) configuration or acl as well.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Hello;

j_j624001 — Mon, 04 Jul 2016 03:51:56 GMT

Hello;

Thanks for the response; ive been struggling too long on this lol; here is my config you requested; excuse the drawing i tried my best lol

ASA Config

Result of the command: "show ru"

: Saved
:
ASA Version 8.2(3)
!
hostname JFW
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.10.0.1 Inside
name 10.85.85.1 Outside
!
interface Ethernet0/0
nameif Outside_Network
security-level 0
ip address 10.85.85.2 255.255.255.0
!
interface Ethernet0/1
nameif Inside_Network
security-level 100
ip address 10.10.0.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif TEST
security-level 100
ip address dhcp
!
banner login 1
banner login WELCOME TO THE DEAD ZONE !!!!
banner login WELCOME TO J-WALL !!!
banner motd LEARN HOW TO BLOCK OUTSIDE TRAFFIC !!!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside_Network
dns server-group DefaultDNS
name-server 10.10.15.4
name-server 10.10.15.5
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object 10.10.0.0 255.255.255.0
network-object host Outside
object-group network DM_INLINE_NETWORK_2
network-object host Inside
network-object 0.0.0.0 0.0.0.0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list Outside_Network_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host Outside object-group DM_INLINE_NETWORK_2 log debugging
access-list Inside_Network_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host Inside object-group DM_INLINE_NETWORK_1 log debugging
access-list TEST_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
pager lines 24
logging enable
logging timestamp
logging emblem
logging asdm-buffer-size 512
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm debugging
logging debug-trace
mtu Outside_Network 1500
mtu Inside_Network 1500
mtu TEST 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Outside_Network_access_in in interface Outside_Network
access-group Inside_Network_access_in in interface Inside_Network
access-group TEST_access_in in interface TEST
route Outside_Network 0.0.0.0 0.0.0.0 Outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 TEST
http 10.10.0.0 255.255.255.0 Inside_Network
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound interface TEST
no service resetoutbound interface Outside_Network
no service resetoutbound interface Inside_Network
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh 10.10.0.0 255.255.255.0 Inside_Network
ssh timeout 30
console timeout 0
dhcpd address 10.10.0.85-10.10.0.100 Inside_Network
dhcpd dns 10.10.15.4 10.10.15.5 interface Inside_Network
dhcpd option 3 ip Inside interface Inside_Network
dhcpd option 6 ip 10.10.15.4 10.10.15.5 interface Inside_Network
dhcpd enable Inside_Network
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username JEJ password cX0yeH.p3WpM25f0 encrypted privilege 15
!
class-map type inspect http match-all asdm_high_security_methods
match not request method get
match not request method head
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
id-randomization
id-mismatch action log
tsig enforced action log
policy-map type inspect ftp FTP
parameters
mask-banner
mask-syst-reply
policy-map type inspect netbios NETBIOS
parameters
protocol-violation action drop log
policy-map type inspect ip-options Options
parameters
eool action clear
nop action clear
router-alert action clear
policy-map type inspect http HTTP
parameters
protocol-violation action drop-connection log
class asdm_high_security_methods
drop-connection
match request header non-ascii
drop-connection
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6e49ea09880a8584795ecc8bccb8cc85
: end

Here is my switch config

SW#s
Building configuration...

Current configuration : 5624 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW
!
!
no aaa new-model
clock timezone EST 4 1
switch 1 provision ws-c3750e-24td
system mtu routing 1500
ip subnet-zero
ip icmp redirect host
no ip domain-lookup
ip domain-name IN_Switch.com
ip name-server 10.10.15.4
ip name-server 10.10.15.5
!
ip port-map dns port 53
ip port-map smtp port 161
ip port-map pop2 port 109
ip port-map pop3 port 110
ip port-map nntp port 119
ip port-map ldap port 389
ip port-map imap port 143
ip port-map nfs port 944
ip dhcp-server 10.10.0.1
ip dhcp-server 10.10.20.1
ip dhcp-server 10.10.25.1
!
password encryption aes

spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp selective-ack
ip tcp timestamp
ip tcp queuemax 50
ip tcp path-mtu-discovery
!
interface FastEthernet0
no ip address
no ip route-cache
no ip mroute-cache
!
interface GigabitEthernet1/0/1
description Outside R1 - SW
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/2
description Outside FW - SW
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/3
description Inside Network FW
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,15,20,25
switchport mode trunk
!
interface GigabitEthernet1/0/4
description **************
!
interface GigabitEthernet1/0/5
description Servers
switchport access vlan 15
switchport mode access

interface GigabitEthernet1/0/6
description Servers
switchport access vlan 15
switchport mode access
!
interface GigabitEthernet1/0/7
description Inside
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/8
description Inside
switchport access vlan 10
switchport mode access

interface GigabitEthernet1/0/13
description Backups
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/14
description Backups
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/15
description Storage
switchport access vlan 25
switchport mode access
!
interface GigabitEthernet1/0/16
description Storage
switchport access vlan 25
switchport mode access
!
interface GigabitEthernet1/0/17
description Storage
switchport access vlan 25
switchport mode access

interface Vlan5
ip address 10.85.85.3 255.255.255.0
ip helper-address 10.85.85.1
arp snap
spanning-tree portfast
!
interface Vlan10
ip address 10.10.0.3 255.255.255.0
ip helper-address 10.10.0.1
arp snap
spanning-tree portfast
!
interface Vlan15
ip address 10.10.15.3 255.255.255.0
ip helper-address 10.10.15.1
no ip route-cache
no ip mroute-cache
arp snap
spanning-tree portfast
!
interface Vlan20
ip address 10.10.20.3 255.255.255.0
ip helper-address 10.10.20.1
no ip route-cache
no ip mroute-cache
arp snap
spanning-tree portfast
!
interface Vlan25
ip address 10.10.25.3 255.255.255.0
ip helper-address 10.10.25.1
no ip route-cache
no ip mroute-cache
arp snap
spanning-tree portfast

ip default-gateway 10.85.85.1
no ip classless
no ip http server

Hi

Francesco Molino — Mon, 04 Jul 2016 12:49:29 GMT

Form your switch vlan 10, are you able to ping your FW inside (10.10.0.2)?

To reach other vlans from your firewall:

1. You have configured trunk from your switch to your firewall then you need to adapt your ASA config

2. OR you leave it with 1 vlan and do a route inside on your firewall pointing to your SW vlan 10 as next-hop for all other vlans.

If you want to keep trunking, the ASA config would be:

interface Ethernet0/1.10

vlan 10

nameif Inside_Network
security-level 100
ip address 10.10.0.2 255.255.255.0

interface Ethernet0/1.15

vlan 15

nameif Inside_Network_2
security-level 100
ip address 10.10.15.2 255.255.255.0

Hope this is clear.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Hello;

j_j624001 — Mon, 04 Jul 2016 15:18:44 GMT

Hello;

From the switch i can ping to the FW (10.10.0.2)

SW#ping 10.10.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

Also from the firewall i can ping back to the switch (Vlan 10 10.10.0.3)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

But from pinging from the switch and/or Firewall to the Vlan10 gateway is where i have the problem, even from my firewall can't ping vlan 10 gateway

SW#ping 10.10.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

this is from the firewall gui

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to Inside, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5) (10.10.0.1 Vlan 10 gateway)

if you can see on the switch config i have a trunk port from the firewall to the switch

description Inside Network FW <----- FW to Switch
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,15,20,25
switchport mode trunk

So your saying have ethernet0/1 empty and create an subnet underneath ethernet0/1 to ethernet0/1.10 for my internal vlans; and also how would I configure an route; would it be 10.10.0.0 255.255.0.0 10.10.0.3 <---- would the inside route look like this; I'm rarely new to this routing stuff lol. I would like to keep the trunk and have all traffic stop by my firewall first; it seems like all my internal vlans gateway i can't ping from the firewall or switch.

Ok wait a minute. Let's

Francesco Molino — Mon, 04 Jul 2016 16:50:06 GMT

Ok wait a minute. Let's forgot about the trunk configuration now. Let's concentrate on your problem.

The switch vlan 10 ip is 10.10.0.3 and you can't reach 10.10.0.1. Who is this 10.10.0.1? You said your default gateway... It's the switch your default gateway? Where this device is connected to?

Do you see a show ip arp entry for that 10.10.0.1 device?

Thanks

Hello;

j_j624001 — Mon, 04 Jul 2016 18:24:33 GMT

Hello;

10.10.0.1 is my default gw from vlan 10 off my router; on my router i have 4 subinterfaces; here is my router config

hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.84
ip dhcp excluded-address 10.10.0.101 10.10.0.255
ip dhcp excluded-address 10.10.20.1 10.10.20.84
ip dhcp excluded-address 10.10.20.101 10.10.20.255
ip dhcp excluded-address 10.10.25.101 10.10.25.255
ip dhcp excluded-address 10.10.25.1 10.10.25.84
!
ip dhcp pool 10_Net_POOL
   import all
   network 10.10.0.0 255.255.255.0
   update dns
   default-router 10.10.0.1
   domain-name Internal_Net.com
   dns-server 10.10.15.4 10.10.15.5
   update arp
!
ip dhcp pool 20_NET_POOL
   import all
   network 10.10.20.0 255.255.255.0
   update dns
   default-router 10.10.20.1
   domain-name Backup_Internal_Net.com
   dns-server 10.10.15.4 10.10.15.5
   update arp
!
ip dhcp pool 25_NET_POOL
   import all
   network 10.10.25.0 255.255.255.0
   update dns
   default-router 10.10.25.1
   domain-name Storage_Internal_Net.com
   dns-server 10.10.15.4 10.10.15.5
   update arp
!
!
ip domain name Internal.com
ip ssh source-interface FastEthernet1
ip ssh logging events
ip ssh version 2
!
!
!
username JEJ privilege 15 secret 5 $1$jyg2$ZDr0KASZP.8CbSZyBdIw61
!
!
!
!
!
!
interface FastEthernet0
description OUT
ip address 192.168.0.85 255.255.255.0
ip access-group filter-inbond in
ip access-group filter-outbond out
ip nat outside
ip irdp
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description Internal
ip address 10.85.85.1 255.255.255.0
ip nat outside
ip irdp
ip virtual-reassembly
duplex auto
speed auto
no snmp trap link-status
!
interface FastEthernet1.10
description Clients
encapsulation dot1Q 10
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip irdp
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet1.15
description Servers
encapsulation dot1Q 15
ip address 10.10.15.1 255.255.255.0
ip nat inside
ip irdp
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet1.20
description Backup
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip irdp
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet1.25
description Storage
encapsulation dot1Q 25
ip address 10.10.25.1 255.255.255.0
ip nat inside
ip irdp
ip virtual-reassembly
no snmp trap link-status
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 192.168.0.X
!
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
ip access-list extended filter-inbond
permit icmp any any echo-reply
permit tcp any eq www any established
permit tcp any eq 443 any established
permit tcp any eq 8080 any established
permit udp any eq domain any
deny   ip any any
deny   udp any any
deny   tcp any any
ip access-list extended filter-outbond
permit icmp any any echo
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8080
deny   ip any any
deny   tcp any any
deny   udp any any
!
access-list 40 permit 0.0.0.0 255.0.0.0
access-list 50 permit 0.0.0.0 255.0.0.0

from Switch arp table

SW#sarp
Protocol Address          Age (min) Hardware Addr   Type   Interface
Internet 10.10.0.1             209   0026.cb6e.da17 ARPA   Vlan10 <----- this is the gw for vlan10; but its pointing to the wrong mac address; (FW Mac 0026.cb6e.da17, its supposed to be my R1 mac address 001e.7aa1.8ca7)
Internet 10.10.0.2             130   0026.cb6e.da17 ARPA   Vlan10
Internet 10.10.0.3               -   0026.0a7c.01c2 ARPA   Vlan10

Internet 10.85.85.1              0   001e.7aa1.8ca7 ARPA   Vlan5
Internet 10.85.85.2            139   0026.cb6e.da16 ARPA   Vlan5
Internet 10.85.85.3              -   0026.0a7c.01c1 ARPA   Vlan5
Internet 10.10.15.3              -   0026.0a7c.01c3 ARPA   Vlan15
Internet 10.10.20.3              -   0026.0a7c.01c4 ARPA   Vlan20
Internet 10.10.25.3              -   0026.0a7c.01c5 ARPA   Vlan25

My switch default gw is 10.85.85.1

my R1 is connect directly to the switch on vlan5 on SW FA0/1

Please see drawing for confirmation

Ok I understand. It would be

Francesco Molino — Mon, 04 Jul 2016 18:36:27 GMT

Ok I understand. It would be better in this design to put your asa in transparent mode.

I'm at work right now. I will paste a config example this evening

Ok; thats fine; ill be up

j_j624001 — Mon, 04 Jul 2016 19:45:06 GMT

Ok; thats fine; ill be up here; i just want traffic to hit my firewall first before heading to my router; i never thought about transparent mode; but hopefully it will work so all traffic will pass thru the firewall first. Thanks for your help

Hi

Francesco Molino — Mon, 04 Jul 2016 22:28:47 GMT

as promise, here as a sample config with ASA as transparent. I've created acls with permit any any as it's a lab. You need to open everything to test and then build up your own acls.

On my design ASA e0 is GigabitEthernet 0 and e1 is GigabitEthernet 1.

I've attached all configs.

Another thing, be careful with inspect as you can have asymmetric traffic (e.g: If you try a ping from VLAN10 on my R2 design to VLAN20 on my R1 design, if you are doing icmp inspection, it will failed.) You can use tcp-bypass feature to eliminate the stateful. But this is config tweaks.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question.

Hello;

j_j624001 — Mon, 04 Jul 2016 22:57:51 GMT

Hello;

Thanks again for the response; what ill do is take my config and modify it to what you have in your previous response; and paste what i got; i want to make sure on what you requested is correct before i implemented this change

So First is my router after it has been modified; does this look correct to you

Building configuration...

Current configuration : 4436 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname R1

boot-start-marker

boot-end-marker

no aaa new-model

resource policy

memory-size iomem 5

no ip icmp rate-limit unreachable

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.0.1 10.10.0.84

ip dhcp excluded-address 10.10.0.101 10.10.0.255

ip dhcp excluded-address 10.10.20.1 10.10.20.84

ip dhcp excluded-address 10.10.20.101 10.10.20.255

ip dhcp excluded-address 10.10.25.101 10.10.25.255

ip dhcp excluded-address 10.10.25.1 10.10.25.84

ip dhcp pool 10_Net_POOL

import all

network 10.10.0.3 255.255.255.0

update dns

default-router 10.10.0.3

domain-name J_Internal_Net.com

dns-server 10.10.15.4 10.10.15.5

update arp

ip dhcp pool 20_NET_POOL

import all

network 10.10.20.0 255.255.255.0

update dns

default-router 10.10.20.3

domain-name Backup_Internal_Net.com

dns-server 10.10.15.4 10.10.15.5

update arp

ip dhcp pool 25_NET_POOL

import all

network 10.10.25.0 255.255.255.0

update dns

default-router 10.10.25.3

domain-name Storage_Internal_Net.com

dns-server 10.10.15.4 10.10.15.5

update arp

no ip domain lookup

ip tcp synwait-time 5

multilink bundle-name authenticated

ip ssh logging events

ip ssh version 2

Don't copy my router config

Francesco Molino — Mon, 04 Jul 2016 23:23:47 GMT

Don't copy my router config (delete the loopback 0). I've past the config just to show the vlan id you need to use on both end devices: router and switch.

the most important is the firewall. You need to convert it in transparent mode by using the command firewall transparent.

My router configs is just for example, don't copy anything from there. The goal is to show you that vlans id are different on both side.

thanks

Lmao; ok ok my fault no

j_j624001 — Mon, 04 Jul 2016 23:27:55 GMT

Lmao; ok ok my fault no worries; i see what you mean just need to focus on the firewall and switch when converting it an transparent mode.. whats the advantage of converting it transparent instead of route mode ???

You need to concentrate on

Francesco Molino — Mon, 04 Jul 2016 23:34:10 GMT

You need to concentrate on configs and adapt it on your devices. Example: you will see that vlan 10 is used in inside but on outside (firewall + router) vlan id used is 110.

For what you want to achieve with your design you need to it in transparent. If you move forward with routed, you need to change your design otherwise it will not work.

Thanks

PS: Please don't forget to rate and mark as correct answer

ok; i see what you mean; i

j_j624001 — Mon, 04 Jul 2016 23:54:25 GMT

ok; i see what you mean; i will see what i can do when i get home

Thanks for the help; if i have any ? or trouble i'll reply to the latest post in this discussion

Thanks

Hello;

j_j624001 — Wed, 06 Jul 2016 00:44:12 GMT

Hello;

I just implemented new config on firewall; can you take a look at my config; to make sure it correct or could be better; so far im reaching traffic from IN and Out; i haven't implemented any changes on the switch side.

Result of the command: "show run"

: Saved
:
ASA Version 8.2(3)
!
firewall transparent
hostname JFW
enable password hE3tTzx4XvGURupW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description OUT
nameif OUT
security-level 0
!
interface Ethernet0/0.110
description Client-Out
vlan 110
no nameif
no security-level
!
interface Ethernet0/1
description IN
nameif IN
security-level 100
!
interface Ethernet0/1.10
description Client-In
vlan 10
no nameif
no security-level
!
interface Management0/0
nameif Manage
security-level 100
ip address dhcp
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list IN_access_in extended permit ip any any
access-list OUT_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu OUT 1500
mtu IN 1500
mtu Manage 1500
no ip address
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUT_access_in in interface OUT
access-group IN_access_in in interface IN
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 Manage
http 10.10.0.0 255.255.255.0 IN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:943a1e5eeb36eac10dec9622669e5cf7
: end

Hi

Francesco Molino — Wed, 06 Jul 2016 01:55:08 GMT

You set nameif on interface instead of subinterface.

Your missing the bridge group and bvi interface.

And what about other vlans.

The config I've provided for asa is good. You can take it. Just access-list and maybe bvi IP needs to be adapted.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Hello;

j_j624001 — Wed, 06 Jul 2016 02:18:51 GMT

Hello;

From the gui i enter vlan 10 for IN and Vlan110 for Out it automatically set it as a subinterface along with my vlan id. For the bridge group method i don't have that feature from cli nor gui using ASA Version (8.2)(3) not sure if that matters but i look everywhere for bridge group nor bvi interface. So that method couldn't work. Im just using one Vlan for test before i start adding more config for the other vlans; gotta get one vlan running first lol.... I still haven't done anything on the switch nor router side yet; just working on this firewall at first... Plus in transparent i can't add ip address unless its an network object.... see screen shots

I don't remember equivalent

Francesco Molino — Wed, 06 Jul 2016 02:26:31 GMT

I don't remember equivalent in old asa version. Let's continue in that way. I will try to downgrade a asa tomorrow evening if I have time and come back to you. Or if you want you can upgrade to newer version. Thanks PS: Please don't forget to rate and mark as correct answer if this solved your issue

Hello;

j_j624001 — Wed, 06 Jul 2016 02:36:21 GMT

Hello;

Ok; if you can downgrade a asa tom that would be awesome lol..... hopefully using my design lol.... seems like this is an ol asa firewall.. lol... But thanks again for the help; ill keep working on it