Getting vlans to communicate.

rpulido71 — Tue, 12 Mar 2019 05:40:22 GMT

First i would like to state that I have zero experience with the asa 5505 but I am a fast learner. We recently experienced a power surge that wiped our asa 5505 completely. We have since reloaded the software and created a fresh configuration file using a putty output file we had. the network consists of four vlans (vlan1 inside, vlan 2 outside, vlan 4 ATT, vlan 201 PLC). My issue is that vlan 4 and vlan 201 will not communicate with each other. I have used the packet-tracer command and it doesn't show a drop. I have also tried pinging from vlan 201 to vlan 4 and vice a versa. Any guidance would be much appreciated.

My running configuration is as follows:

sho run
: Saved
:
ASA Version 8.2(1)
!
hostname SCADAFirewall
domain-name scadanet.local
enable password 0s8uhgiYA16dXSsN encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 198.100.147.0 inside-network147
!
interface Vlan1
nameif inside
security-level 100
ip address 198.100.146.199 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 12.48.31.26 255.255.255.248
!
interface Vlan4
nameif ATT
security-level 10
ip address 192.168.199.1 255.255.255.0
!
interface Vlan201
nameif PLC
security-level 50
ip address 10.11.12.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
no shutdown
!
interface Ethernet0/1
no shutdown
!
interface Ethernet0/2
switchport access vlan 4
no shutdown
!
interface Ethernet0/3
switchport access vlan 201
no shutdown
!
interface Ethernet0/4
no shutdown
!
interface Ethernet0/5
no shutdown
!
interface Ethernet0/6
no shutdown
!
interface Ethernet0/7
switchport access vlan 3
no shutdown
!
boot system disk0:/asa821-k8.bin
no ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 12.127.16.67
domain-name scadanet.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip host 198.100.146.154 any
access-list inside_access_in extended permit ip host 198.100.146.177 any
access-list inside_access_in extended permit ip host 198.100.146.153 any
access-list inside_access_in remark Temp access list to allow for windows updates
access-list inside_access_in extended permit ip any any inactive
access-list ATT_access_out extended permit ip 10.11.12.0 255.255.255.0 any
access-list ATT_access_out extended permit icmp 10.11.12.0 255.255.255.0 any
access-list PLC_in extended permit ip any any
access-list PLC_in extended permit icmp any any
access-list att extended permit icmp any any
access-list plc extended permit icmp any any
access-list PLC_access_out extended permit icmp any any
access-list PLC_access_out extended permit ip any any
access-list ATT_access_in extended permit ip 192.168.201.0 255.255.255.0 any

access-list ATT_access_in extended permit icmp 192.168.201.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu ATT 1500
mtu PLC 1500
ip local pool WEBVPN 172.16.20.2-172.16.20.20 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 198.100.146.0 255.255.255.0
nat (inside) 1 inside-network147 255.255.255.0
access-group inside_access_in in interface inside
access-group ATT_access_in in interface ATT
access-group ATT_access_out out interface ATT
access-group PLC_in in interface PLC
access-group PLC_access_out out interface PLC
route outside 0.0.0.0 0.0.0.0 12.48.31.25 1
route ATT 192.168.0.0 255.255.255.0 192.168.199.2 1
route ATT 192.168.1.0 255.255.255.0 192.168.199.2 1
route ATT 192.168.201.0 255.255.255.0 192.168.199.2 1
route inside inside-network147 255.255.255.0 198.100.146.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list value RemoteDesktop
file-browsing disable
file-entry disable
http-proxy disable
url-entry enable
svc ask none default webvpn
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 198.100.146.154
key RADIUSCLWA1
radius-common-pw RADIUSCOMMON1
aaa-server RSA protocol sdi
max-failed-attempts 5
aaa-server RSA (inside) host 198.100.146.154

http server enable
http 198.100.146.0 255.255.255.0 inside
http 192.100.146.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 198.100.146.0 255.255.255.0 inside
telnet timeout 5
ssh 198.100.146.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy DfltGrpPolicy attributes
webvpn
url-list value RemoteDesktop
file-entry disable
file-browsing disable
url-entry disable
group-policy WEBVPN internal
group-policy WEBVPN attributes
vpn-tunnel-protocol webvpn
webvpn
url-list value RemoteDesktop
hidden-shares none
file-entry disable
file-browsing disable
url-entry disable
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool WEBVPN
authentication-server-group RSA
accounting-server-group RADIUS
default-group-policy WEBVPN
!
!

What is your Source and

Andre Neethling — Mon, 23 Mar 2015 10:23:48 GMT

What is your Source and destination ip you are using for your ping tests?

Which license do you have for

Marius Gunnerud — Mon, 23 Mar 2015 21:45:14 GMT

Which license do you have for the ASA5505? Issue the show version command and you should see it towards the bottom of the output. If the outage wiped your ASA completely then it might have also cleared the installed license. You need a security plus license to be able to have more than 2 VLANs communicating with eachother.

Please remembner to select a correct answer and rate helpful posts

topic Which license do you have for in Network Security

Getting vlans to communicate.

What is your Source and

Which license do you have for