topic 5505 inter-VLAN routing in Network Security

topic 5505 inter-VLAN routing in Network Security https://community.cisco.com/t5/network-security/5505-inter-vlan-routing/m-p/2128280#M357209 <HTML><HEAD></HEAD><BODY><P>I ran a packet tracer awhile ago and it passed all stages.</P></BODY></HTML> Fri, 01 Feb 2013 18:45:25 GMT r.stalets 2013-02-01T18:45:25Z 5505 inter-VLAN routing https://community.cisco.com/t5/network-security/5505-inter-vlan-routing/m-p/2128278#M357207 <P>All,</P><P></P><P>I am having trouble getting inter-VLAN routing to work on an ASA 5505 with Security Plus. I have tried creating permit ACLs between the VLANs, doing NAT exemptions, etc but have not had any luck. Trunking seems to work fine because traffic goes from the switch all the way through the firewall fine it's just when I try to communicate across VLANs I have issues. The firewall log shows that it is creating and tearing down the connection but no traffic actually passes.</P><P></P><P>My sanitized config is below:</P><P></P><P>ASA Version 8.4(5) </P><P>!</P><P>hostname CLIENT-FW1</P><P>domain-name clientname.com</P><P>enable password {snip} encrypted</P><P>passwd {snip} encrypted</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 6</P><P>!</P><P>interface Ethernet0/1</P><P> switchport trunk allowed vlan 1-5</P><P> switchport trunk native vlan 4000</P><P> switchport mode trunk</P><P>!</P><P>interface Ethernet0/2</P><P>!</P><P>interface Ethernet0/3</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/4</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/5</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/6</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/7</P><P> switchport access vlan 2</P><P>!</P><P>interface Vlan1</P><P> nameif management</P><P> security-level 100</P><P> ip address 172.16.0.1 255.255.255.0 </P><P>!</P><P>interface Vlan2</P><P> nameif data</P><P> security-level 100</P><P> ip address 172.16.2.1 255.255.255.0 </P><P>!</P><P>interface Vlan3</P><P> nameif voice</P><P> security-level 100</P><P> ip address 172.16.3.2 255.255.255.0 </P><P>!</P><P>interface Vlan4</P><P> nameif wireless</P><P> security-level 100</P><P> ip address 172.16.4.1 255.255.255.0 </P><P>!</P><P>interface Vlan5</P><P> nameif guest</P><P> security-level 0</P><P> ip address 172.16.5.1 255.255.255.0 </P><P>!</P><P>interface Vlan6</P><P> nameif outside</P><P> security-level 0</P><P> ip address AA.AA.AA.AA 255.255.255.248 </P><P>!</P><P>boot system disk0:/asa845-k8.bin</P><P>ftp mode passive</P><P>clock timezone CT -6</P><P>dns domain-lookup management</P><P>dns server-group DefaultDNS</P><P> name-server 8.8.8.8</P><P> name-server 172.16.2.2</P><P> domain-name clientname.com</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>object network NETWORK_OBJ_172.16.1.0_26</P><P> subnet 172.16.1.0 255.255.255.192</P><P>object network management-network</P><P> subnet 172.16.0.0 255.255.255.0</P><P>object network voice-network</P><P> subnet 172.16.3.0 255.255.255.0</P><P>object network data-network</P><P> subnet 172.16.2.0 255.255.255.0</P><P>object network guest-network</P><P> subnet 172.16.5.0 255.255.255.0</P><P>object network wireless-network</P><P> subnet 172.16.4.0 255.255.255.0</P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging console critical</P><P>logging asdm informational</P><P>mtu management 1500</P><P>mtu data 1500</P><P>mtu voice 1500</P><P>mtu wireless 1500</P><P>mtu guest 1500</P><P>mtu outside 1500</P><P>ip local pool vpn-network 172.16.1.1-172.16.1.50 mask 255.255.255.0</P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-711.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>no arp permit-nonconnected</P><P>nat (data,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_26 NETWORK_OBJ_172.16.1.0_26 no-proxy-arp route-lookup</P><P>!</P><P>object network management-network</P><P> nat (any,outside) dynamic interface</P><P>object network voice-network</P><P> nat (any,outside) dynamic interface</P><P>object network data-network</P><P> nat (any,outside) dynamic interface</P><P>object network guest-network</P><P> nat (any,outside) dynamic interface</P><P>object network wireless-network</P><P> nat (any,outside) dynamic interface</P><P>route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1</P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>aaa-server LDAP_HRP protocol ldap</P><P>aaa-server LDAP_HRP (data) host 172.16.2.2</P><P> timeout 5</P><P> ldap-base-dn DC=clientname,DC=com</P><P> ldap-scope subtree</P><P> ldap-naming-attribute sAMAccountName</P><P> server-type microsoft</P><P>user-identity default-domain LOCAL</P><P>aaa authentication enable console LOCAL </P><P>aaa authentication serial console LOCAL </P><P>aaa authentication ssh console LOCAL </P><P>aaa authentication http console LOCAL </P><P>http server enable</P><P>http XX.XX.XX.XX 255.255.255.0 outside</P><P>http 172.16.0.0 255.255.255.0 management</P><P>http 172.16.2.0 255.255.255.0 data</P><P>http 172.16.3.0 255.255.255.0 voice</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>sysopt noproxyarp management</P><P>sysopt noproxyarp data</P><P>sysopt noproxyarp voice</P><P>sysopt noproxyarp wireless</P><P>sysopt noproxyarp guest</P><P>telnet timeout 5</P><P>ssh 172.16.0.0 255.255.255.0 management</P><P>ssh 172.16.2.0 255.255.255.0 data</P><P>ssh XX.XX.XX.XX 255.255.255.0 outside</P><P>ssh timeout 10</P><P>ssh key-exchange group dh-group1-sha1</P><P>console timeout 10</P><P></P><P>dhcpd address 172.16.2.100-172.16.2.250 data</P><P>dhcpd dns 8.8.8.8 interface data</P><P>dhcpd domain client.local interface data</P><P>dhcpd enable data</P><P>!</P><P>dhcpd address 172.16.3.11-172.16.3.250 voice</P><P>dhcpd dns 8.8.8.8 interface voice</P><P>dhcpd domain client.local interface voice</P><P>dhcpd enable voice</P><P>!</P><P>dhcprelay timeout 60</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>ntp server 149.20.68.17</P><P>webvpn</P><P> enable outside</P><P> anyconnect image disk0:/anyconnect-linux-3.1.02026-k9.pkg 1</P><P> anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 2</P><P> anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 3</P><P> anyconnect enable</P><P> tunnel-group-list enable</P><P>group-policy GroupPolicy_client internal</P><P>group-policy GroupPolicy_client attributes</P><P> wins-server none</P><P> dns-server value 172.16.2.2</P><P> vpn-tunnel-protocol ssl-client </P><P> default-domain value clientname.com</P><P>{account info redacted}</P><P>tunnel-group client type remote-access</P><P>tunnel-group client general-attributes</P><P> address-pool vpn-network</P><P> authentication-server-group LDAP_client</P><P> default-group-policy GroupPolicy_client</P><P>tunnel-group {snip} webvpn-attributes</P><P> group-alias {snip} enable</P><P>!</P><P>!</P><P>prompt hostname context </P><P>no call-home reporting anonymous</P><P>Cryptochecksum:0a653b3710e7f8815459e7b4f6d97082</P><P>: end</P> Tue, 12 Mar 2019 00:55:22 GMT https://community.cisco.com/t5/network-security/5505-inter-vlan-routing/m-p/2128278#M357207 r.stalets 2019-03-12T00:55:22Z 5505 inter-VLAN routing https://community.cisco.com/t5/network-security/5505-inter-vlan-routing/m-p/2128279#M357208 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>What are the source and destination IP addresses?</P><P></P><P>Have you tried a packet tracer?</P><P></P><P>example:</P><P></P><P>let's say traffic comes from data interface to voice:</P><P></P><P>packet in data tcp 172.16.2.5 1025 192.16.2.5 80</P><P></P><P>Regards,</P><P></P><P>Felipe. </P></BODY></HTML> Fri, 01 Feb 2013 18:07:33 GMT https://community.cisco.com/t5/network-security/5505-inter-vlan-routing/m-p/2128279#M357208 lcambron 2013-02-01T18:07:33Z 5505 inter-VLAN routing https://community.cisco.com/t5/network-security/5505-inter-vlan-routing/m-p/2128280#M357209 <HTML><HEAD></HEAD><BODY><P>I ran a packet tracer awhile ago and it passed all stages.</P></BODY></HTML> Fri, 01 Feb 2013 18:45:25 GMT https://community.cisco.com/t5/network-security/5505-inter-vlan-routing/m-p/2128280#M357209 r.stalets 2013-02-01T18:45:25Z 5505 inter-VLAN routing https://community.cisco.com/t5/network-security/5505-inter-vlan-routing/m-p/2128281#M357210 <HTML><HEAD></HEAD><BODY><P>We need more information so we can help,</P><P>Source and destination IPs</P><P>output from packet tracer.</P><P>Next step will be to take captures.</P><P></P><P>Regards,</P><P></P><P>Felipe. </P></BODY></HTML> Fri, 01 Feb 2013 18:47:31 GMT https://community.cisco.com/t5/network-security/5505-inter-vlan-routing/m-p/2128281#M357210 lcambron 2013-02-01T18:47:31Z 5505 inter-VLAN routing https://community.cisco.com/t5/network-security/5505-inter-vlan-routing/m-p/2128282#M357211 <HTML><HEAD></HEAD><BODY><P>Hi lcambron,</P><P></P><P>In this packet tracer, I went from 172.16.2.99 to 172.16.3.10 (data to voice):</P><P></P><P>packet-tracer input data tcp 172.16.2.99 80 172.16.3.10 80 detailed</P><P></P><P>Phase: 1</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in  id=0xca149f48, priority=1, domain=permit, deny=false</P><P>        hits=45279, user_data=0x0, cs_id=0x0, l3_type=0x8</P><P>        src mac=0000.0000.0000, mask=0000.0000.0000</P><P>        dst mac=0000.0000.0000, mask=0100.0000.0000</P><P>        input_ifc=data, output_ifc=any</P><P></P><P>Phase: 2</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in   172.16.3.0      255.255.255.0   voice</P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in  id=0xca14a9f0, priority=2, domain=permit, deny=false</P><P>        hits=149, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0</P><P>        src ip/id=0.0.0.0, mask=0.0.0.0, port=0</P><P>        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P>        input_ifc=data, output_ifc=any</P><P></P><P>Phase: 4</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in  id=0xca14de40, priority=0, domain=inspect-ip-options, deny=true</P><P>        hits=3414, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0</P><P>        src ip/id=0.0.0.0, mask=0.0.0.0, port=0</P><P>        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P>        input_ifc=data, output_ifc=any</P><P></P><P>Phase: 5</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Reverse Flow based lookup yields rule:</P><P> in  id=0xca17beb8, priority=0, domain=inspect-ip-options, deny=true</P><P>        hits=36355, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0</P><P>        src ip/id=0.0.0.0, mask=0.0.0.0, port=0</P><P>        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P>        input_ifc=voice, output_ifc=any</P><P></P><P>Phase: 6</P><P>Type: FLOW-CREATION</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>New flow created with id 41374, packet dispatched to next module</P><P>Module information for forward flow ...</P><P>snp_fp_tracer_drop</P><P>snp_fp_inspect_ip_options</P><P>snp_fp_tcp_normalizer</P><P>snp_fp_translate</P><P>snp_fp_adjacency</P><P>snp_fp_fragment</P><P>snp_ifc_stat</P><P></P><P>Module information for reverse flow ...</P><P>snp_fp_tracer_drop</P><P>snp_fp_inspect_ip_options</P><P>snp_fp_translate</P><P>snp_fp_tcp_normalizer</P><P>snp_fp_adjacency</P><P>snp_fp_fragment</P><P>snp_ifc_stat</P><P></P><P>Result:</P><P>input-interface: data</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: voice</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P><P></P><P>Thanks!</P><P></P><P>Ryan</P></BODY></HTML> Fri, 01 Feb 2013 18:51:29 GMT https://community.cisco.com/t5/network-security/5505-inter-vlan-routing/m-p/2128282#M357211 r.stalets 2013-02-01T18:51:29Z 5505 inter-VLAN routing https://community.cisco.com/t5/network-security/5505-inter-vlan-routing/m-p/2128283#M357212 <HTML><HEAD></HEAD><BODY><P>Hey Ryan,</P><P></P><P>a couple of things to check:</P><P></P><P>- Do your clients have the proper gateways assigned? If not, add option 3 to your dhcpd config to manually specify the gateway IP <SPAN style="font-size: 10pt;">(</SPAN><SPAN style="font-size: 10pt;"><A href="http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_dhcp.html#wp1226197">http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_dhcp.html#wp1226197</A></SPAN><SPAN style="font-size: 10pt;">)</SPAN></P><P></P><P>- Note that if you are by chance trying to ping the ASA interfaces themselves, you might run into problems: </P><P><A _jive_internal="true" href="https://community.cisco.com/thread/2150831">https://supportforums.cisco.com/thread/2150831</A></P><P></P><P>- If you are trying to ping Windows clients, check that the Windows Firewall is disabled.</P><P></P><P>Hope this helps...</P></BODY></HTML> Sat, 02 Feb 2013 08:40:32 GMT https://community.cisco.com/t5/network-security/5505-inter-vlan-routing/m-p/2128283#M357212 i.va 2013-02-02T08:40:32Z