topic Inter-VLAN routing on an ASA 5505 (9.1) in Network Security

Inter-VLAN routing on an ASA 5505 (9.1)

Austin Rivet — Tue, 12 Mar 2019 03:44:46 GMT

Hi,

I am trying to setup inter-VLAN routing on an ASA 5505 so that my Server VLAN can talk to my Data VLAN. Both VLANs/subnets will need to be able to reach the Internet (at least until I get VPNs working so that I can remote into my server VLAN, then I will close off Internet connectivity to the servers). Currently I have dynamic NAT setup from my data VLAN and Internet is coming through just fine.

Servers will be on VLAN 3 (subnet 10.0.1.0/24), and Data will be VLAN 11 (10.10.11.0/24). I would like the default gateway to be set as 10.0.1.2 for the Server VLAN since that is how it is statically configured on each of my servers.

What do I need to do to get my VLANs talking internally? Is it a matter of simply configuring SVI's for each VLAN, and then setting each SVI as the default gateway for that VLAN/subnet, or is it more involved than that?

I have experience configuring inter-VLAN routing on 3560 (switches), but am new to the ASA platform, so any help with this would be greatly appreciated.

Thanks!

Austin

Inter-VLAN routing on an ASA 5505 (9.1)

Jouni Forss — Thu, 13 Feb 2014 07:33:15 GMT

Hi,

I imagine there are some additional switches involved in the network in addition to the ASA or is the ASA the only device in your network (in addition to the hosts/servers)?

If your only have ASA5505 then it would naturally act as the gateway for the networks and the Vlan IDs would only have local significance.

If you have a switch network behind your ASA5505 and the ASA5505 is licensed with Security Plus license then you would be able to configure a Trunk between the ASA and the switches if needed and use the Vlan ID of the ASA interfaces in the rest of the networks. Naturally again the gateway of the subnets should be on the ASA.

If you have devices on your network already configured for specific default gateway then naturally you can configure that IP address on the ASA Vlan interface.

To be honest there is not many things to do with the ASA to get traffic going between 2 networks

Create interface Vlan
Configure "nameif" to name the interface, configure "ip address" of the interface
Attach the Vlan ID of the Vlan interface to the required physical ports as Access Mode ports or if your using Trunk then on the appropriate Trunk interfaces. The physical port commands pretty much follow the IOS format but configuration options are pretty limited
Configure interface ACLs to allow and/or block the required traffic. Its best to use interface ACLs from the get go as relying on "security-level" value doesnt give that many options. (By default interfaces with higher "security-level" value can connect towards network behind any lower "security-level" interface)
Configure DHCP Server on the ASA if required for the hosts. As with the switch port configurations the DHCP is somewhat limited (Max pool size 256, 1 pool per interface, etc)
You WONT have to configure any NAT between the local interfaces

I guess those would be the main points.

If you have a configuration on the ASA already but its not working you can share that here if you want us to have a look at it.

Hope this helps

- Jouni

Inter-VLAN routing on an ASA 5505 (9.1)

Austin Rivet — Thu, 13 Feb 2014 18:50:28 GMT

Jouni,

Thanks for the tips.

Unfortunately I do not have a switch to work with, just the ASA. I believe a real switch will be aquired in the future as the office grows, but right now it is an office of just a few users, and they use chintzy little netgear unmanaged 16-port switches to provide more ports to users.

The ASA has a Sec+ license, so there are no issues with the number of VLANs (we won't even come close to using all 20). The reason I want to implement VLANs is that I do not want all of the users on the Data VLAN to be able to access the servers, just the developers. I also don't want traffic from the regular users to be running in the same VLAN/subnet as the servers - there is no need for this, and to me it is a security hole to have uneccessary protocols running on the Server VLAN.

I also want to do VLANs because we will most likely be running VoIP in the near furute, and I am told that it is always best practice to run voice traffic separate from data traffic. Is this correct?

I will give your suggestions a try in several hours and let you know how it goes.

Thanks,

Austin

Inter-VLAN routing on an ASA 5505 (9.1)

Austin Rivet — Sat, 15 Feb 2014 15:12:28 GMT

Update:

So yesterday I got a chance to work on this device a little more. Here are the configurations I made:

1. Created VLAN interfaces: VLAN 1 (MGMT), VLAN 3 (SERVERS), VLAN 11 (DATA)

2. Named VLAN ints (MGMT, SERVERS, DATA)

3. Defined security levels (MGMT, SERVERS, DATA = 100)

4. Assigned IP address to ea. VLAN int

5. Configured ports as access ports

6. Permitted same security traffic (same-security-traffic permit inter-interface)

7. Configured ACL to ping from the SERVERS VLAN to the MGMT VLAN

After making these configurations, I setup a single host on Eth1 (MGMT VLAN), and another host on Eth2 (SERVERS VLAN) to do a quick test . Unfortunately I couldn't get a successful ping to go through.

I setup an ACL (SERVERS-in) that should allow ICMP traffic inbound from 10.0.1.0/24 (SERVERS VLAN/subnet) to the MGMT VLAN/subnet (10.0.2.0/24). I also setup an ACL (MGMT-in) that should allow ICMP echo replies to the SERVERS VLAN/subnet. I'm not sure if I entered something incorrectly, but I cannot get pings to go through when pinging from my host in the SERVERS VLAN to my host in the MGMT VLAN. I am wondering if I have a misconfigured ACL, or if there's something else that I missed.

I have pasted my configs below as well as a diagram of my network. Any help would be greatly appreciated.

Thanks,

Austin

hostname cs-lans-fw

domain-name default.domain.invalid

enable password eDNDD7lBLzSPpYwe encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

switchport access vlan 3

interface Ethernet0/3

switchport access vlan 11

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

description management interface

nameif MGMT

security-level 100

ip address 10.0.2.2 255.255.255.0

interface Vlan2

description Outside interface

nameif outside

security-level 0

# Real IP replaced with fake IP

ip address 123.123.123.28 255.255.255.240

interface Vlan3

nameif SERVERS

security-level 100

ip address 10.0.1.2 255.255.255.0

interface Vlan11

nameif DATA

security-level 100

ip address 10.10.11.2 255.255.255.0

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 208.67.222.222

name-server 75.75.75.75

domain-name default.domain.invalid

same-security-traffic permit inter-interface

object network VNC

host 10.0.2.1

object service TCP_5900

service tcp source eq 5900

object network MGMT-subnet

subnet 10.0.2.0 255.255.255.0

object network SERVERS-subnet

subnet 10.0.1.0 255.255.255.0

object network DATA-subnet

subnet 10.10.11.0 255.255.255.0

object-group service Internet-udp udp

description Standard UDP Internet services

port-object eq domain

port-object eq ntp

object-group service Internet-tcp tcp

description Standard TCP Internet services

port-object eq www

port-object eq https

port-object eq domain

access-list SERVERS-in remark -=[Access lists to allow Internet TCP/UDP outgoing packets from SERVERS interface, and permit ICMP echo requests to MGMT]=-

access-list SERVERS-in extended permit udp 10.0.1.0 255.255.255.0 any object-group Internet-udp

access-list SERVERS-in extended permit tcp 10.0.1.0 255.255.255.0 any object-group Internet-tcp

access-list SERVERS-in extended permit icmp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

access-list outside-in extended permit tcp any host 10.0.2.1 eq 5900

access-list DATA-in remark -=[Access lists to allow Internet TCP/UDP outgoing packets from DATA interface]=-

access-list DATA-in extended permit udp 10.10.11.0 255.255.255.0 any object-group Internet-udp

access-list DATA-in extended permit tcp 10.10.11.0 255.255.255.0 any object-group Internet-tcp

access-list MGMT-in remark -=[Access lists to allow Internet TCP/UDP outgoing packets from MGMT interface, and permit ICMP echo replies to SERVERS]=-

access-list MGMT-in extended permit udp 10.0.2.0 255.255.255.0 any object-group Internet-udp

access-list MGMT-in extended permit tcp 10.0.2.0 255.255.255.0 any object-group Internet-tcp

access-list MGMT-in extended permit icmp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0 echo-reply

access-list MGMT-in extended permit icmp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

pager lines 24

logging asdm informational

mtu MGMT 1500

mtu outside 1500

mtu SERVERS 1500

mtu DATA 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (MGMT,outside) source static VNC interface service TCP_5900 TCP_5900

object network MGMT-subnet

nat (MGMT,outside) dynamic interface

object network SERVERS-subnet

nat (SERVERS,outside) dynamic interface

object network DATA-subnet

nat (DATA,outside) dynamic interface

access-group MGMT-in in interface MGMT

access-group outside-in in interface outside

access-group SERVERS-in in interface SERVERS

access-group DATA-in in interface DATA

route outside 0.0.0.0 0.0.0.0 173.167.15.30 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.0.2.0 255.255.255.0 MGMT

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 10.0.2.0 255.255.255.0 MGMT

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 10.10.11.10-10.10.11.25 DATA

dhcpd dns 8.8.8.8 interface DATA

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

username user password wwmM/Ms2vq88kRD4 encrypted

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:6181739549f3cc2a9f58eafb69c03b30

: end

Inter-VLAN routing on an ASA 5505 (9.1)

Marius Gunnerud — Sat, 15 Feb 2014 15:37:58 GMT

What license do you have installed on the ASA? As Jouni has mentioned you need to have a security plus license to get multiple internal VLANs to work on the 5505.

Did you check the logs to see if there were any drop entries?

Another thing you can try is to use the packet tracer to simulate a packet passing through the ASA.

packet-tracer input MGMT tcp 10.0.2.10 12345 10.0.1.10 80 detail

packet-tracer input SERVERS tcp 10.0.1.10 12345 10.0.2.10 80 detail

This should give you a good idea where the packet is being dropped.

If the packet is allowed through the ASA, I suggest checking to make sure that the antivirus/firewall installed on the server or PC is turned off and then test again.

--
Please remember to rate and select a correct answer

Inter-VLAN routing on an ASA 5505 (9.1)

Austin Rivet — Sat, 15 Feb 2014 16:21:38 GMT

Marius,

This is a Sec+ (verified with the show version command).

Thanks for the PT suggestion. Was not aware of this tool. Will have to give it a try.

I know Jouni and the configuration guides say that there is no need to setup NAT, but should I give a static NAT a try to see if that does it? Do I need to setup additional routing rules? These are really the only two things I can think of that would cause this issue, unless my ACE's are incorrect, which I don't think they are.

Thanks,

Austin

Inter-VLAN routing on an ASA 5505 (9.1)

Jouni Forss — Sat, 15 Feb 2014 16:28:48 GMT

Hi,

I would suggest adding ICMP Inspection on the ASA always so you only have to permit the initial Echo message and the ASA will handle the Echo reply with the Inspection

Add

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

You wont need any NAT configurations between the local interfaces nor should you have them since it doesnt really add anything to setup.

The "packet-tracer" command would tell us if configurations have problems or if the problems are somewhere else perhaps.

- Jouni

Inter-VLAN routing on an ASA 5505 (9.1)

Marius Gunnerud — Sat, 15 Feb 2014 16:30:29 GMT

to get your internal subnets to talk to eachother you do not need NAT configured. The only time you NEED to configure NAT/PAT is when you are connecting to the internet (or some other situations where you have overlapping subnets).

As long as all your networks are directly connected to the ASA, that is to say that the ASA has an interface in each network, then you do not need to configure routing between these subnets as the ASA already knows about them.

Please run the packet tracer and post back the results, we will have a better understanding of what is going on then.

--
Please remember to rate and select a correct answer

Re: Inter-VLAN routing on an ASA 5505 (9.1)

Austin Rivet — Tue, 18 Feb 2014 05:27:32 GMT

Okay, I finally got some pings to go through from the MGMT VLAN to the SERVERS VLAN. Here is what I did:

1) Removed the ICMP ACL's

2) Re-added the ICMP ACL's and added "echo" at the end of each "permit icmp" ACE

3) Copied the running-config to the startup-config and did a reload

I have pasted the config below.

One thing that I was doing wrong during my testing was that I was trying to ping the address assigned to each VLAN interface instead of pinging the hosts on each VLAN. I discovered that the hosts were reachable, but the VLAN interfaces were not. Why would this be? I assume it's some security feature.

Also, I am puzzled by the fact that I am able to ping the public IP address of my firewall. This shouldn't be possible since there are no ACL's allowing ICMP on the outside interface. Any thoughts on this?

Since I am able to ping between VLANs, I think it's safe to say that I have inter-VLAN routing working. Now I think it's a matter of getting ACL's setup to allow users on the DATA VLAN access to hosts on the SERVERS VLAN via specific port numbers.

Thanks again for all the help.

Austin

cs-lans-fw# show run

: Saved

ASA Version 9.1(2)

hostname cs-lans-fw

domain-name default.domain.invalid

enable password eDNDD7lBLzSPpYwe encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

switchport access vlan 3

interface Ethernet0/3

switchport access vlan 11

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

description management interface

nameif MGMT

security-level 100

ip address 10.0.2.2 255.255.255.0

interface Vlan2

description Outside interface

nameif outside

security-level 0

ip address 123.123.123.28 255.255.255.240

interface Vlan3

nameif SERVERS

security-level 100

ip address 10.0.1.2 255.255.255.0

interface Vlan11

nameif DATA

security-level 100

ip address 10.10.11.2 255.255.255.0

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 208.67.222.222

name-server 75.75.75.75

domain-name default.domain.invalid

same-security-traffic permit inter-interface

object network VNC

host 10.0.2.1

object service TCP_5900

service tcp source eq 5900

object network MGMT-subnet

subnet 10.0.2.0 255.255.255.0

object network SERVERS-subnet

subnet 10.0.1.0 255.255.255.0

object network DATA-subnet

subnet 10.10.11.0 255.255.255.0

object-group service Internet-udp udp

description Standard UDP Internet services

port-object eq domain

port-object eq ntp

object-group service Internet-tcp tcp

description Standard TCP Internet services

port-object eq www

port-object eq https

port-object eq domain

access-list SERVERS-in remark -=[Access lists to allow Internet TCP/UDP outgoing packets from SERVERS interface]=-

access-list SERVERS-in extended permit udp 10.0.1.0 255.255.255.0 any object-group Internet-udp

access-list SERVERS-in extended permit tcp 10.0.1.0 255.255.255.0 any object-group Internet-tcp

access-list SERVERS-in extended permit icmp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0 echo-reply

access-list SERVERS-in extended permit icmp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0 echo

access-list outside-in extended permit tcp any host 10.0.2.1 eq 5900

access-list DATA-in remark -=[Access lists to allow Internet TCP/UDP outgoing packets from DATA interface]=-

access-list DATA-in extended permit udp 10.10.11.0 255.255.255.0 any object-group Internet-udp

access-list DATA-in extended permit tcp 10.10.11.0 255.255.255.0 any object-group Internet-tcp

access-list MGMT-in remark -=[Access lists to allow Internet TCP/UDP outgoing packets from MGMT interface]=-

access-list MGMT-in extended permit udp 10.0.2.0 255.255.255.0 any object-group Internet-udp

access-list MGMT-in extended permit tcp 10.0.2.0 255.255.255.0 any object-group Internet-tcp

access-list MGMT-in extended permit icmp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0 echo-reply

access-list MGMT-in extended permit icmp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0 echo

pager lines 24

logging asdm informational

mtu MGMT 1500

mtu outside 1500

mtu SERVERS 1500

mtu DATA 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (MGMT,outside) source static VNC interface service TCP_5900 TCP_5900

object network MGMT-subnet

nat (MGMT,outside) dynamic interface

object network SERVERS-subnet

nat (SERVERS,outside) dynamic interface

object network DATA-subnet

nat (DATA,outside) dynamic interface

access-group MGMT-in in interface MGMT

access-group outside-in in interface outside

access-group SERVERS-in in interface SERVERS

access-group DATA-in in interface DATA

route outside 0.0.0.0 0.0.0.0 173.167.15.30 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.0.2.0 255.255.255.0 MGMT

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 10.0.2.0 255.255.255.0 MGMT

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 10.10.11.10-10.10.11.25 DATA

dhcpd dns 8.8.8.8 interface DATA

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

username user password wwmM/Ms2vq88kRD4 encrypted

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:8c170cbd3656a7d9cf0b104332cf162b

: end

Re: Inter-VLAN routing on an ASA 5505 (9.1)

Marius Gunnerud — Tue, 18 Feb 2014 08:48:26 GMT

I discovered that the hosts were  reachable, but the VLAN interfaces were not. Why would this be? I assume  it's some security feature.

By default the ASA permits ping to the interface that traffic ingresses on. So if you are pinging from a host on the inside interface you will be able to ping the inside interface IP but will not be able to ping the DMZ interface. This is unless you have configured icmp permit DMZ where DMZ is the interface name, and IP address is the IP you are pinging from.

Also, I am puzzled by the fact that I am  able to ping the public IP address of my firewall. This shouldn't be  possible since there are no ACL's allowing ICMP on the outside  interface. Any thoughts on this?

Are you pinging the public IP from a host on the inside network or are you pinging from a host on the internet?

--
Please remember to rate and select a correct answer

Re: Inter-VLAN routing on an ASA 5505 (9.1)

Austin Rivet — Tue, 18 Feb 2014 14:07:33 GMT

Marius Gunnerud wrote:

...you will be able to ping the inside interface IP but will not be able to ping the DMZ interface. This is unless you have configured icmp permit DMZ where DMZ is the interface name, and IP address is the IP you are pinging from.

Marius, this makes sense. Thanks.


Are you pinging the public IP from a host on the inside network or are you pinging from a host on the internet?

I am pinging from a host on a completely remote network ("the internet").

This morning I discovered that I can ping from my host in the SERVERS VLAN to my host in the MGMT VLAN, but I cannot ping from my host in the MGMT VLAN to my host in the SERVERS VLAN. I checked my ACL's and they appear to be correct. I also disabled anti-virus/firewall on the hosts to make sure that wasn't blocking the pings, but I'm still having the issue. What would cause this?

As requested previously, here is the output of the packet tracer commands. I'm no expert in interpretting these things, but as far as I can tell there are no red flags in the output.

cs-lans-fw# packet-tracer input SERVERS tcp 10.0.1.10 12345 10.0.2.10 80 detail

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.0.2.0 255.255.255.0 MGMT

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group SERVERS-in in interface SERVERS

access-list SERVERS-in extended permit tcp 10.0.1.0 255.255.255.0 any object-group Internet-tcp

object-group service Internet-tcp tcp

description: Standard TCP Internet services

port-object eq www

port-object eq https

port-object eq domain

Additional Information:

Forward Flow based lookup yields rule:

in id=0xcb1f4ae8, priority=13, domain=permit, deny=false

hits=11, user_data=0xc9179e20, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=10.0.1.0, mask=255.255.255.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0

input_ifc=SERVERS, output_ifc=any

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xcaa8c3d0, priority=0, domain=nat-per-session, deny=false

hits=52, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xcb199c68, priority=0, domain=inspect-ip-options, deny=true

hits=75, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=SERVERS, output_ifc=any

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xcaa8c3d0, priority=0, domain=nat-per-session, deny=false

hits=54, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xcb144fc0, priority=0, domain=inspect-ip-options, deny=true

hits=12, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=MGMT, output_ifc=any

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 84, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: SERVERS

input-status: up

input-line-status: up

output-interface: MGMT

output-status: up

output-line-status: up

Action: allow

cs-lans-fw# packet-tracer input MGMT tcp 10.0.2.10 12345 10.0.1.10 80 detail

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.0.1.0 255.255.255.0 SERVERS

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group MGMT-in in interface MGMT

access-list MGMT-in extended permit tcp 10.0.2.0 255.255.255.0 any object-group Internet-tcp

object-group service Internet-tcp tcp

description: Standard TCP Internet services

port-object eq www

port-object eq https

port-object eq domain

Additional Information:

Forward Flow based lookup yields rule:

in id=0xcb1d43a0, priority=13, domain=permit, deny=false

hits=3, user_data=0xc917a280, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=10.0.2.0, mask=255.255.255.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0

input_ifc=MGMT, output_ifc=any

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xcaa8c3d0, priority=0, domain=nat-per-session, deny=false

hits=48, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xcb144fc0, priority=0, domain=inspect-ip-options, deny=true

hits=8, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=MGMT, output_ifc=any

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xcaa8c3d0, priority=0, domain=nat-per-session, deny=false

hits=50, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xcb199c68, priority=0, domain=inspect-ip-options, deny=true

hits=75, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=SERVERS, output_ifc=any

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 81, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: MGMT

input-status: up

input-line-status: up

output-interface: SERVERS

output-status: up

output-line-status: up

Action: allow

Re: Inter-VLAN routing on an ASA 5505 (9.1)

Marius Gunnerud — Tue, 18 Feb 2014 19:05:12 GMT

As the packet tracer shows the packet is permitted through the ASA in both direction. So regardless of which side initiates traffic, the packet should pass through. It is quite strange that you can ping from SERVER to MGMT but not the other way around. Have you made any more changes recently? If so could you post an updated runing config output please?

--
Please remember to rate and select a correct answer

Re: Inter-VLAN routing on an ASA 5505 (9.1)

Austin Rivet — Wed, 19 Feb 2014 05:16:32 GMT

Marius,

No I have not made any changes to the config. I'm at a loss here. The only thing I can think of that is wrong at this point is that there is something wrong with the host on the MGMT VLAN.

I am also still wondering why the firewall is responding to external ("from the Internet") pings. This shouldn't be the case since the only traffic permitted on the outside interface is a specific port to a specific host.

Seems like there are some strange things happening here.

I'm having another sysadmin take a look at this thing to see if he can get things sorted out.

Thanks for all of the help. I will post back once we figure out what's happening.

Austin

Re: Inter-VLAN routing on an ASA 5505 (9.1)

Marius Gunnerud — Wed, 19 Feb 2014 09:11:22 GMT

I suggest rebooting the ASA. and then test again. There seems to be reminents of past config present even though they do not show up in the configuration. You should not be able to ping the outside interface. And as per packet tracer traffic should be allowed across the ASA. Perhaps there is an issue with the MGMT host in this case but as for pinging the outside interface, that is just outright strange.

Schedule a maintenance window, save your configuration and then reboot the ASA.

--
Please remember to rate and select a correct answer

Re: Inter-VLAN routing on an ASA 5505 (9.1)

Austin Rivet — Sun, 23 Feb 2014 22:16:40 GMT

Marius,

I did a reboot, but that didn't solve the issue. I enabled logging later on and noticed that I was getting a "failed to locate egress interface" message when pinging from the DATA VLAN to the SERVERS VLAN. What does that even mean?

I didn't have anymore time to mess with this configuration, so I went ahead and restored the device to factory defaults, and I just kept one VLAN for the inside and one VLAN for the outside. Now I'm trying to setup a remote access IPSEC VPN, and I'm having issues pinging hosts on the inside of the firewall... I'm starting to wonder if I have a bad piece of equipment.

Thanks for your efforts!

Austin

Re: Inter-VLAN routing on an ASA 5505 (9.1)

Marius Gunnerud — Mon, 24 Feb 2014 08:03:30 GMT

Could you post the new config? It is very possible that there is an issue with the hardware.

--
Please remember to rate and select a correct answer

Re: Inter-VLAN routing on an ASA 5505 (9.1)

Austin Rivet — Tue, 25 Feb 2014 01:10:53 GMT

Hi Marius,

Below is the new config. Note that I have changed NAT to use the default obj_any object to NAT the inside subnet. Also note that I haven't modified the ACL's in any way. I simply used the IPSEC Remote Access VPN Wizard to setup the VPN.

Later on I discovered that I was able to connect to my management host (10.0.1.1) over the VPN via VNC, but I could not ping to my mangement host. I could also see logs coming in saying that ICMP was being built and torn down from my VPN client to my management host. This led me to believe that packets were getting to the host, but not coming back from the host. After disabling the Windows 7 firewall and adding ICMP to the global policy I was able to get pings to my management host. I cannot believe I overlooked such a simple detail.

For anyone readin this that is experiencing issues pinging between VLANs or over a VPN, start simple; turn Windows firewall off and issue;

policy-map global_policy

class inspection_default

inspect icmp

I am fairly certain that this was the problem all along when I was having touble pinging between VLANs.

Thanks so much for your help Marius!

ASA Version 9.1(2)

hostname cs-lan-fw

domain-name default.domain.invalid

enable password eDNDD7lBLzSPpYwe encrypted

passwd eDNDD7lBLzSPpYwe encrypted

names

ip local pool CS-Lans-RA 192.168.255.1-192.168.255.30 mask 255.255.255.224

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 10.0.1.2 255.255.255.0

interface Vlan2

description WAN (outside) interface

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 208.67.222.222

name-server 75.75.75.75

domain-name default.domain.invalid

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network VNC

host 10.0.1.1

description VNC Host (FW Monitor)

object service TCP_5900

service tcp source eq 5900

description Port for VNC

object network NETWORK_OBJ_10.0.1.0_24

subnet 10.0.1.0 255.255.255.0

object network NETWORK_OBJ_192.168.255.0_27

subnet 192.168.255.0 255.255.255.224

object-group service Internet-udp udp

port-object eq domain

port-object eq ntp

object-group service Internet-tcp tcp

port-object eq www

port-object eq https

port-object eq domain

access-list INSIDE_INT remark -=[Allow outgoing TCP/UDP services from the Inside]=-

access-list INSIDE_INT extended permit udp 10.0.1.0 255.255.255.0 any object-group Internet-udp

access-list INSIDE_INT extended permit tcp 10.0.1.0 255.255.255.0 any object-group Internet-tcp

access-list OUTSIDE_INT extended permit tcp any host 10.0.1.1 eq 5900

access-list CS-Lans-RA_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static VNC interface service TCP_5900 TCP_5900

nat (inside,outside) source static NETWORK_OBJ_10.0.1.0_24 NETWORK_OBJ_10.0.1.0_24 destination static NETWORK_OBJ_192.168.255.0_27 NETWORK_OBJ_192.168.255.0_27 no-proxy-arp route-lookup

object network obj_any

nat (inside,outside) dynamic interface

access-group INSIDE_INT in interface inside

access-group OUTSIDE_INT in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.0.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 10.0.1.0 255.255.255.0 inside

telnet timeout 60

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 10.0.1.50-10.0.1.100 inside

dhcpd dns 8.8.8.8 208.67.222.222 interface inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

group-policy CS-Lans-RA internal

group-policy CS-Lans-RA attributes

dns-server value 8.8.8.8 208.67.222.222

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value CS-Lans-RA_splitTunnelAcl

default-domain value default.domain.invalid

username user password wwmM/Ms2vq88kRD4 encrypted privilege 15

tunnel-group CS-Lans-RA type remote-access

tunnel-group CS-Lans-RA general-attributes

address-pool CS-Lans-RA

default-group-policy CS-Lans-RA

tunnel-group CS-Lans-RA ipsec-attributes

ikev1 pre-shared-key *****

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:85d0344b0f8d82b5eaa1a2f2d9cc1a57

: end

Re: Inter-VLAN routing on an ASA 5505 (9.1)

Marius Gunnerud — Tue, 25 Feb 2014 09:05:19 GMT

Yes, windows firewall can make it seem that things aren't working if you test using ping.

So, do you need still assistance with anything else?

--
Please remember to rate and select a correct answer

Hi All, I have the same

Christian Quiroga — Thu, 15 May 2014 16:51:07 GMT

Hi All,

I have the same problem with ASA 5512x Version 9.1(2)

I can´t ping between vlans.

I have a switch connected to ASA (trunk link) and a PC connected to Switch in fa0/3 (vla 10), i need to ping to vlan 20 in ASA, but not works.

See the attach configuration.

Thanks.