topic Inter-VLAN firewall or routing issues... ping only. in Network Security

topic Inter-VLAN firewall or routing issues... ping only. in Network Security https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196502#M358917 <HTML><HEAD></HEAD><BODY><P>We are seeing the same issue, same scenario, will answer if we resolve.</P></BODY></HTML> Mon, 30 Sep 2013 15:02:53 GMT gfield 2013-09-30T15:02:53Z Inter-VLAN firewall or routing issues... ping only. https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196493#M358908 <P>Hey folks,</P><P></P><P>I ran into an issue that I just can't figure out, and need some help. I was brought in to create a new VLAN and install some WiFi APs for guest access. Nothing new. ASA 5510. So I created the new "VLAN 60" as a sub-int on eth0/1, where they already had VLAN 5. Created a dynamic NAT rule to use the outside int. Created a DHCP scope for the new VLAN 60. Made sure all the associated switch ports were trunked with dot1q encap, and allowed VLANs 5,60, etc. Everything on that end works fine. WiFi users get DHCP, get out to the net, etc. But they need to be able to hit their exchange server on VLAN 5. I can ping the server from VLAN 60, but that's it. When I do a port scan, all the major ports (80, 8080,443, 110, etc) get a no reply. Can't RDP or connect with an Outlook client. My immediate thought was inter-vlan routing. But they're on the same security level and I have the same-security-traffic permit inter and intra commands there. So I went to the firewall and put permit ip any any commands in there and disabled all other firewall commands on both of those VLANs... STILL NO GO. Any ideas? Essentially, I just need VLAN 60 to be able to talk to the server on VLAN 5 (10.10.5.19). It's killing me. The config is below. Please browse and see if there is anything that sticks out. I fear it is something so easy that I'm looking right over it. Thank you!</P><P></P><P></P><P>hostname xxxxxxxxxxxxxxxxxxxxxx</P><P>domain-name xxxxxxxxxxxxxxxxxxx</P><P>enable password xxxxxxxxxxxxxxxxxxxxx encrypted</P><P>passwd xxxxxxxxxxxxxxxxxxxxxx encrypted</P><P>names</P><P>dns-guard</P><P>!</P><P>interface Ethernet0/0</P><P> speed 100</P><P> duplex full</P><P> nameif outside</P><P> security-level 0</P><P> ip address 64.199.xxx.xxx 255.255.255.240 </P><P>!</P><P>interface Ethernet0/1</P><P> speed 100</P><P> duplex full</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Ethernet0/1.5</P><P> vlan 5</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.10.5.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/1.60</P><P> vlan 60</P><P> nameif Room206</P><P> security-level 100</P><P> ip address 10.10.60.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/2</P><P> nameif dmz</P><P> security-level 50</P><P> ip address 10.10.51.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/3</P><P> speed 100</P><P> duplex full</P><P> nameif mts</P><P> security-level 100</P><P> ip address 10.10.50.1 255.255.255.0 </P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0 </P><P> management-only</P><P>!</P><P>boot system disk0:/asa804-k8.bin</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P> domain-name xxxxxxxxxx</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>object-group network DM_INLINE_NETWORK_1</P><P> network-object 10.10.20.0 255.255.255.0</P><P> network-object 10.10.5.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_2</P><P> network-object 10.10.201.0 255.255.255.0</P><P> network-object 10.10.202.0 255.255.255.0</P><P> network-object 10.10.203.0 255.255.255.0</P><P> network-object 10.10.204.0 255.255.255.0</P><P> network-object 10.10.205.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_3</P><P> network-object 10.10.201.0 255.255.255.0</P><P> network-object 10.10.202.0 255.255.255.0</P><P> network-object 10.10.203.0 255.255.255.0</P><P> network-object 10.10.204.0 255.255.255.0</P><P> network-object 10.10.205.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_4</P><P> network-object 10.10.201.0 255.255.255.0</P><P> network-object 10.10.202.0 255.255.255.0</P><P> network-object 10.10.203.0 255.255.255.0</P><P> network-object 10.10.204.0 255.255.255.0</P><P> network-object 10.10.205.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_5</P><P> network-object 10.10.201.0 255.255.255.0</P><P> network-object 10.10.202.0 255.255.255.0</P><P> network-object 10.10.203.0 255.255.255.0</P><P> network-object 10.10.204.0 255.255.255.0</P><P> network-object 10.10.205.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_12</P><P> network-object 10.10.201.0 255.255.255.0</P><P> network-object 10.10.202.0 255.255.255.0</P><P> network-object 10.10.203.0 255.255.255.0</P><P> network-object 10.10.204.0 255.255.255.0</P><P> network-object 10.10.205.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_11</P><P> network-object 10.10.201.0 255.255.255.0</P><P> network-object 10.10.202.0 255.255.255.0</P><P> network-object 10.10.203.0 255.255.255.0</P><P> network-object 10.10.204.0 255.255.255.0</P><P> network-object 10.10.205.0 255.255.255.0</P><P>object-group service DM_INLINE_TCP_1 tcp</P><P> port-object eq ssh</P><P> port-object eq telnet</P><P>object-group network DM_INLINE_NETWORK_6</P><P> network-object host 10.10.5.32</P><P> network-object host 64.199.xxx.xxx</P><P>object-group network DM_INLINE_NETWORK_7</P><P> network-object 199.249.xxx.xxx 255.255.255.0</P><P> network-object host 208.93.xxx.xxx</P><P>access-list acl_inside extended permit ip any any </P><P>access-list acl_inside extended deny tcp any any eq 135 </P><P>access-list acl_inside extended deny udp any any eq 135 </P><P>access-list acl_inside extended deny udp any any eq tftp </P><P>access-list acl_inside extended deny tcp any any eq 137 </P><P>access-list acl_inside extended deny udp any any eq netbios-ns </P><P>access-list acl_inside extended deny tcp any any eq 138 </P><P>access-list acl_inside extended deny udp any any eq netbios-dgm </P><P>access-list acl_inside extended deny tcp any any eq netbios-ssn </P><P>access-list acl_inside extended deny udp any any eq 139 </P><P>access-list acl_inside extended deny tcp any any eq 445 </P><P>access-list acl_inside extended deny tcp any any eq 593 </P><P>access-list acl_inside extended permit icmp any any </P><P>access-list inbound extended permit tcp any host 10.10.51.29 eq telnet </P><P>access-list inbound extended permit tcp any host 206.69.xxx.xxx eq www </P><P>access-list inbound extended permit icmp any any </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq ftp </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq ftp-data </P><P>access-list inbound extended permit tcp host 12.47.xxx.xxx host 64.199.xxx.xxx eq ssh </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq telnet </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq www </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq https </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq telnet </P><P>access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq ssh </P><P>access-list inbound extended permit gre any host 64.199.xxx.xxx</P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq pptp </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq 9090 </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq 9040 </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq www </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq www </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq smtp </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq www </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq https </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq pop3 </P><P>access-list inbound extended permit tcp any host 64.199.xxx.xxx eq imap4 </P><P>access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq 3389 </P><P>access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq 3389 </P><P>access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq 3389 </P><P>access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq 3389 </P><P>access-list inbound extended permit ip 10.10.5.0 255.255.255.0 10.10.202.0 255.255.255.0 </P><P>access-list inbound extended permit ip 10.10.5.0 255.255.255.0 10.10.203.0 255.255.255.0 </P><P>access-list inbound extended permit ip 10.10.5.0 255.255.255.0 10.10.204.0 255.255.255.0 </P><P>access-list inbound extended permit ip 10.10.5.0 255.255.255.0 10.10.205.0 255.255.255.0 </P><P>access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.201.0 255.255.255.0 </P><P>access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.202.0 255.255.255.0 </P><P>access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.203.0 255.255.255.0 </P><P>access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.204.0 255.255.255.0 </P><P>access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.205.0 255.255.255.0 </P><P>access-list inbound extended permit ip 10.10.201.0 255.255.255.0 10.10.20.0 255.255.255.0 </P><P>access-list inbound extended permit ip 192.168.68.0 255.255.255.0 any </P><P>access-list inbound extended permit ip 10.10.5.0 255.255.255.0 192.168.68.0 255.255.255.0 </P><P>access-list inbound extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_1 </P><P>access-list inbound extended permit tcp any host 10.10.5.19 eq https </P><P>access-list inbound extended permit ip 10.10.60.0 255.255.255.0 any </P><P>access-list mts_in extended permit tcp any host 10.10.5.32 eq ssh </P><P>access-list mts_in extended permit tcp any host 10.10.5.32 eq telnet </P><P>access-list mts_in extended permit icmp any any </P><P>access-list mts_in extended permit tcp any host 10.10.5.32 eq ftp </P><P>access-list mts_in extended permit tcp any host 10.10.5.32 eq ftp-data </P><P>access-list mts_in extended permit tcp any host 10.10.5.32 eq 1001 </P><P>access-list mts_in extended permit ip any 10.10.20.0 255.255.255.0 </P><P>access-list mts_in extended permit ip any host 10.10.5.36 </P><P>access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_12 </P><P>access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_11 10.10.5.0 255.255.255.0 </P><P>access-list outside_cryptomap_1 extended permit ip 10.10.5.0 255.255.255.0 192.168.68.0 255.255.255.0 </P><P>access-list outside_cryptomap_1 extended permit ip 192.168.68.0 255.255.255.0 10.10.5.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 10.10.5.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 </P><P>access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 10.10.5.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 10.10.20.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 10.10.20.0 255.255.255.0 object-group DM_INLINE_NETWORK_5 </P><P>access-list inside_nat0_outbound extended permit ip 10.10.20.0 255.255.255.0 10.10.51.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 10.10.51.0 255.255.255.0 10.10.20.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 10.10.5.0 255.255.255.0 192.168.68.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 192.168.68.0 255.255.255.0 10.10.5.0 255.255.255.0 </P><P>access-list wireless extended permit ip any any </P><P>access-list wireless extended permit ip any 10.10.5.0 255.255.255.0 </P><P>pager lines 24</P><P>logging enable</P><P>logging buffered debugging</P><P>logging asdm debugging</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu dmz 1500</P><P>mtu mts 1500</P><P>mtu management 1500</P><P>mtu Room206 1500</P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-613.bin</P><P>asdm history enable</P><P>arp timeout 14400</P><P>nat-control</P><P>global (outside) 101 64.199.xxx.xxx</P><P>global (outside) 102 64.199.xxx.xxx</P><P>global (outside) 103 64.199.xxx.xxx</P><P>global (outside) 104 64.199.xxx.xxx</P><P>global (outside) 1 interface</P><P>global (outside) 105 64.199.xxx.xxx</P><P>global (dmz) 1 interface</P><P>global (dmz) 105 10.10.51.105</P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P>nat (inside) 1 10.255.250.30 255.255.255.255</P><P>nat (inside) 1 10.255.250.100 255.255.255.255</P><P>nat (inside) 1 10.255.250.144 255.255.255.255</P><P>nat (inside) 1 10.255.250.150 255.255.255.255</P><P>nat (inside) 1 10.255.250.186 255.255.255.255</P><P>nat (inside) 1 10.10.5.0 255.255.255.0</P><P>nat (dmz) 1 10.10.51.0 255.255.255.0</P><P>nat (Room206) 1 10.10.60.0 255.255.255.0</P><P>static (dmz,outside) 206.69.xxx.xxx 10.10.51.31 netmask 255.255.255.255 </P><P>static (dmz,outside) 64.199.xxx.xxx 10.10.51.12 netmask 255.255.255.255 </P><P>static (dmz,outside) 64.199.xxx.xxx 10.10.51.40 netmask 255.255.255.255 </P><P>static (inside,mts) 10.10.5.32 10.10.5.32 netmask 255.255.255.255 </P><P>static (inside,mts) 10.10.20.0 10.10.20.0 netmask 255.255.255.0 </P><P>static (inside,mts) 10.10.5.36 10.10.5.36 netmask 255.255.255.255 </P><P>static (inside,outside) 64.199.xxx.xxx 10.10.5.21 netmask 255.255.255.255 </P><P>static (inside,outside) 64.199.xxx.xxx 10.10.5.32 netmask 255.255.255.255 </P><P>static (inside,outside) 64.199.xxx.xxx 10.10.5.20 netmask 255.255.255.255 </P><P>static (inside,outside) 64.199.xxx.xxx 10.10.5.14 netmask 255.255.255.255 </P><P>static (inside,outside) 64.199.xxx.xxx 10.10.5.17 netmask 255.255.255.255 </P><P>static (inside,Room206) 10.10.5.0 10.10.5.0 netmask 255.255.255.0 </P><P>static (Room206,inside) 10.10.60.0 10.10.60.0 netmask 255.255.255.0 </P><P>access-group inbound in interface outside</P><P>access-group acl_inside in interface inside</P><P>access-group mts_in in interface mts</P><P>access-group wireless in interface Room206</P><P>route outside 0.0.0.0 0.0.0.0 64.199.xxx.xxx 1</P><P>route mts 10.10.1.0 255.255.255.0 10.10.50.2 1</P><P>route mts 10.10.2.0 255.255.255.0 10.10.50.2 1</P><P>route inside 10.10.20.0 255.255.255.0 10.10.5.11 1</P><P>route mts 10.10.100.0 255.255.255.0 10.10.50.2 1</P><P>route mts 10.10.101.0 255.255.255.0 10.10.50.2 1</P><P>route mts 10.10.199.0 255.255.255.0 10.10.50.2 1</P><P>route inside 10.255.250.0 255.255.255.0 10.10.5.11 1</P><P>route inside 192.168.222.0 255.255.255.0 10.10.5.11 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>http server enable</P><P>http 10.10.0.0 255.255.0.0 inside</P><P>http 192.168.1.0 255.255.255.0 management</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>sysopt noproxyarp inside</P><P>crypto ipsec transform-set myset esp-des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac </P><P>crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac </P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac </P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map cisco 1 set transform-set myset</P><P>crypto dynamic-map cisco 1 set security-association lifetime seconds 28800</P><P>crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map RemotSiteVPN1 1 match address outside_cryptomap</P><P>crypto dynamic-map RemotSiteVPN1 1 set pfs </P><P>crypto dynamic-map RemotSiteVPN1 1 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map RemotSiteVPN1 1 set security-association lifetime seconds 28800</P><P>crypto dynamic-map RemotSiteVPN1 1 set security-association lifetime kilobytes 4608000</P><P>crypto map dyn-map 1 ipsec-isakmp dynamic RemotSiteVPN1</P><P>crypto map dyn-map 2 match address outside_cryptomap_1</P><P>crypto map dyn-map 2 set peer 208.93.xxx.xxx </P><P>crypto map dyn-map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map dyn-map 2 set security-association lifetime seconds 28800</P><P>crypto map dyn-map 2 set security-association lifetime kilobytes 4608000</P><P>crypto map dyn-map 20 ipsec-isakmp dynamic cisco</P><P>crypto map dyn-map interface outside</P><P>crypto isakmp enable outside</P><P>crypto isakmp policy 20</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 3600</P><P>crypto isakmp policy 25</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 28800</P><P>crypto isakmp policy 50</P><P> authentication pre-share</P><P> encryption des</P><P> hash md5</P><P> group 2</P><P> lifetime 3600</P><P>telnet 10.10.0.0 255.255.0.0 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>dhcpd address 192.168.1.2-192.168.1.254 management</P><P>dhcpd enable management</P><P>!</P><P>dhcpd address 10.10.60.30-10.10.60.250 Room206</P><P>dhcpd dns 8.8.8.8 8.8.4.4 interface Room206</P><P>dhcpd lease 86400 interface Room206</P><P>dhcpd enable Room206</P><P>!</P><P>threat-detection basic-threat</P><P>threat-detection statistics</P><P>threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200</P><P>username xxxxxxx password xxxxxxxxxxxxxxxxxx encrypted privilege 15</P><P>tunnel-group DefaultL2LGroup ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group RemotSiteVPN1 type ipsec-l2l</P><P>tunnel-group RemotSiteVPN1 ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group 208.93.xxx.xxx type ipsec-l2l</P><P>tunnel-group 208.93.xxx.xxx ipsec-attributes</P><P> pre-shared-key *</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns migrated_dns_map_1</P><P> parameters</P><P>  message-length maximum 1024</P><P>policy-map global_policy</P><P> class inspection_default</P><P>  inspect dns migrated_dns_map_1 </P><P>  inspect ftp </P><P>  inspect h323 h225 </P><P>  inspect h323 ras </P><P>  inspect rsh </P><P>  inspect rtsp </P><P>  inspect sqlnet </P><P>  inspect skinny  </P><P>  inspect sunrpc </P><P>  inspect xdmcp </P><P>  inspect sip  </P><P>  inspect netbios </P><P>  inspect tftp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>Cryptochecksum:fbe6d8b4e95f180959e5692270b2d9d5</P><P>: end</P> Tue, 26 Mar 2019 00:50:27 GMT https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196493#M358908 Timothy Erk 2019-03-26T00:50:27Z Inter-VLAN firewall or routing issues... ping only. https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196494#M358909 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can you take the output of a "packet-tracer" command that simulates one of these connections that doesnt go through</P><P></P><P>For example</P><P></P><P><STRONG>packet-tracer input Room206 tcp 10.10.60.100 12345 10.10.5.19 80</STRONG></P><P><BR />- Jouni</P></BODY></HTML> Thu, 04 Apr 2013 19:33:06 GMT https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196494#M358909 Jouni Forss 2013-04-04T19:33:06Z Inter-VLAN firewall or routing issues... ping only. https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196495#M358910 <HTML><HEAD></HEAD><BODY><P>Sorry it took so long to get back. Here's the output. Maybe I'm blind, but it looks like each phase is allowed. </P><P></P><P>Phase: 1</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P></P><P>Phase: 2</P><P>Type: FLOW-LOOKUP</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P></P><P>Phase: 3</P><P>Type: UN-NAT</P><P>Subtype: static</P><P>Result: ALLOW</P><P>Config:</P><P>static (inside,Room206) 10.10.5.0 10.10.5.0 netmask 255.255.255.0 </P><P>nat-control</P><P>  match ip inside 10.10.5.0 255.255.255.0 Room206 any</P><P>    static translation to 10.10.5.0</P><P>    translate_hits = 0, untranslate_hits = 11040</P><P>Additional Information:</P><P>NAT divert to egress interface inside</P><P>Untranslate 10.10.5.0/0 to 10.10.5.0/0 using netmask 255.255.255.0</P><P></P><P></P><P>Phase: 4</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group wireless in interface Room206</P><P>access-list wireless extended permit ip any any </P><P>Additional Information:</P><P></P><P></P><P>Phase: 5</P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 6</P><P>Type: NAT</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>static (Room206,inside) 10.10.60.0 10.10.60.0 netmask 255.255.255.0 </P><P>nat-control</P><P>  match ip Room206 10.10.60.0 255.255.255.0 inside any</P><P>    static translation to 10.10.60.0</P><P>    translate_hits = 14727, untranslate_hits = 0</P><P>Additional Information:</P><P>Static translate 10.10.60.0/0 to 10.10.60.0/0 using netmask 255.255.255.0</P><P></P><P></P><P>Phase: 7</P><P>Type: NAT</P><P>Subtype: host-limits</P><P>Result: ALLOW</P><P>Config:</P><P>static (Room206,inside) 10.10.60.0 10.10.60.0 netmask 255.255.255.0 </P><P>nat-control</P><P>  match ip Room206 10.10.60.0 255.255.255.0 inside any</P><P>    static translation to 10.10.60.0</P><P>    translate_hits = 14727, untranslate_hits = 0</P><P>Additional Information:</P><P></P><P></P><P>Phase: 8</P><P>Type: NAT</P><P>Subtype: rpf-check</P><P>Result: ALLOW</P><P>Config:</P><P>static (inside,Room206) 10.10.5.0 10.10.5.0 netmask 255.255.255.0 </P><P>nat-control</P><P>  match ip inside 10.10.5.0 255.255.255.0 Room206 any</P><P>    static translation to 10.10.5.0</P><P>    translate_hits = 0, untranslate_hits = 11040</P><P>Additional Information:</P><P></P><P></P><P>Phase: 9</P><P>Type: NAT</P><P>Subtype: host-limits</P><P>Result: ALLOW</P><P>Config:</P><P>static (inside,Room206) 10.10.5.0 10.10.5.0 netmask 255.255.255.0 </P><P>nat-control</P><P>  match ip inside 10.10.5.0 255.255.255.0 Room206 any</P><P>    static translation to 10.10.5.0</P><P>    translate_hits = 0, untranslate_hits = 11040</P><P>Additional Information:</P><P></P><P></P><P>Phase: 10</P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 11</P><P>Type: FLOW-CREATION</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>New flow created with id 90518755, packet dispatched to next module</P><P></P><P></P><P>Phase: 12</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: output and adjacency</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>found next-hop 10.10.5.19 using egress ifc inside</P><P>adjacency Active</P><P>next-hop mac address 0023.7ddb.482e hits 0</P><P></P><P></P><P>Result:</P><P>input-interface: Room206</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: inside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P></BODY></HTML> Thu, 18 Apr 2013 15:29:29 GMT https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196495#M358910 Timothy Erk 2013-04-18T15:29:29Z Inter-VLAN firewall or routing issues... ping only. https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196496#M358911 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Well it does seem that the "packet-tracer" goes through just fine.</P><P></P><P>Are you trying to connect specifically using the internal IP address 10.10.5.19? Or is DNS involved?</P><P></P><P>Would you possibly need some other DNS servers in the DHCP configurations on the ASA? Perhaps some internal DNS server?</P><P></P><P>I guess if you want to make sure if any traffic is flowing between the 2 LAN networks you could take a capture</P><P></P><P><STRONG>access-list WIRELESS-CAP permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0</STRONG></P><P><STRONG>access-list WIRELESS-CAP permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.255.0</STRONG></P><P></P><P><STRONG>capture WIRELESS-CAP type raw-data access-list WIRELESS-CAP interface inside buffer 10000000 circular-buffer</STRONG></P><P></P><P>Naturally the capture ACL can be more specific if needed</P><P></P><P>After test you should be able to use the following commands to see if any traffic is captured</P><P></P><P><STRONG>show capture</STRONG></P><P></P><P>You should also use the command</P><P></P><P><STRONG>show capture WIRELESS-CAP</STRONG></P><P></P><P>To see what traffic was actually captured.</P><P></P><P>You could further copy the whole capture to a TFTP-server as a .pcap file to be opened with Wireshark</P><P></P><P><STRONG><SPAN>copy /pcap capture:WIRELESS-CAP t</SPAN><A class="jive-link-external-small" href="ftp://x.x.x.x/WIRELESS-CAP.pcap">ftp://x.x.x.x/WIRELESS-CAP.pcap</A></STRONG></P><P></P><P>You can remove the capture and its data from the ASA with command</P><P></P><P><STRONG>no capture WIRELESS-CAP</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Thu, 18 Apr 2013 17:27:11 GMT https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196496#M358911 Jouni Forss 2013-04-18T17:27:11Z Inter-VLAN firewall or routing issues... ping only. https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196497#M358912 <HTML><HEAD></HEAD><BODY><P>The end goal is to have it work with DNS, but for now I'm just using a port scanner to the IP of 10.10.5.19 and all ports come up with a no-reply.</P><P></P><P>I changed one of the DNS servers on the DHCP scope to an internal one, 10.10.5.24.</P><P></P><P>Set up the capture, opened in wireshark, ran a port scan, and here's a bit from the TCP section of the HTTP scan packet:</P><P>Transmission Control Protocol, Src Port: 49981 (49981), Dst Port: http (80), Seq: 2012523545, Len: 0</P><P>Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set</P><P></P><P>How can I copy a whole expanded packet in text from Wireshark? I can't figure it out. </P></BODY></HTML> Thu, 18 Apr 2013 18:44:39 GMT https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196497#M358912 Timothy Erk 2013-04-18T18:44:39Z Inter-VLAN firewall or routing issues... ping only. https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196498#M358913 <HTML><HEAD></HEAD><BODY><P>Another little oddity is that I can't ping the interface addresses from the opposing network. So from VLAN 60, I can't ping 10.10.5.1. And from VLAN 5 I can't ping 10.10.60.1. </P><P></P><P>Devices on VLAN 5 are being given a gateway of 10.10.5.11, which is a L3 switch that the ASA inside interface is plugged into. I have no idea why they have that set that way here, instead of pointing everything at 10.10.5.1 as the default router. But I may be able to get the password to the DHCP server and change that.</P><P></P><P>And just as an FYI, the switch port that the ASA is plugged into (Cisco 3560G) is configured as follows:</P><P>interface GigabitEthernet0/21</P><P> description Uplink to ASA 5510 Inside</P><P> switchport trunk encapsulation dot1q</P><P> switchport trunk allowed vlan 1,2,5,20,51,60,250,260,999,1002-1005</P><P> switchport mode trunk</P><P></P><P>I configured another port on that same switch as an access port for VLAN 60, plugged in, got a DHCP address from 60, and still can't ping 10.10.5.1 or pass any ports to VLAN 5. I can ping everything else on VLAN 5, except the the interface address. I did this just to eliminate the wireless, and any other hops in the network. </P></BODY></HTML> Thu, 18 Apr 2013 19:03:09 GMT https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196498#M358913 Timothy Erk 2013-04-18T19:03:09Z Inter-VLAN firewall or routing issues... ping only. https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196499#M358914 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The problem with ICMP to the remote interface is how the ASA normally works. You wont be able to do this between the different LAN interfaces. In other words, you cant ping any other interface on the ASA other than the one behind which the host doing the ICMP is. (There are some exceptions with regards to connections coming from VPN)</P><P></P><P>Would it be possible to see the 3560G configurations?</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 18 Apr 2013 19:10:35 GMT https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196499#M358914 Jouni Forss 2013-04-18T19:10:35Z Inter-VLAN firewall or routing issues... ping only. https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196500#M358915 <HTML><HEAD></HEAD><BODY><P>Here it is. And thank you for helping me with this. I really appreciate it!</P><P></P><P></P><P>lstc-3560-core#sh run</P><P>Building configuration...</P><P> <SPAN style="font-size: 10pt;"> </SPAN></P><P>Current configuration : 3351 bytes</P><P>!</P><P>version 12.2</P><P>no service pad</P><P>service timestamps debug uptime</P><P>service timestamps log uptime</P><P><SPAN style="font-size: 10pt;">!</SPAN></P><P>hostname lstc-3560-core</P><P>!</P><P><SPAN style="font-size: 10pt;">no aaa new-model</SPAN></P><P>system mtu routing 1500</P><P>vtp mode transparent</P><P>ip subnet-zero</P><P>ip routing</P><P>!</P><P>!</P><P>!</P><P>!</P><P>no file verify auto</P><P>spanning-tree mode pvst</P><P>spanning-tree extend system-id</P><P>!</P><P>vlan internal allocation policy ascending</P><P>!</P><P>vlan 2,5</P><P>!</P><P>vlan 20</P><P> name voice</P><P>!</P><P>vlan 51,60,250,260</P><P>!</P><P>vlan 999</P><P> name MTS_DMZ</P><P>!</P><P>interface GigabitEthernet0/1</P><P><SPAN style="font-size: 10pt;">!</SPAN></P><P>interface GigabitEthernet0/2</P><P>!</P><P>interface GigabitEthernet0/3</P><P>!</P><P>interface GigabitEthernet0/4</P><P>!</P><P>interface GigabitEthernet0/5</P><P>!</P><P>interface GigabitEthernet0/6</P><P>!</P><P>interface GigabitEthernet0/7</P><P>!</P><P>interface GigabitEthernet0/8</P><P>!</P><P>interface GigabitEthernet0/9</P><P>!</P><P>interface GigabitEthernet0/10</P><P>!</P><P>interface GigabitEthernet0/11</P><P>!</P><P>interface GigabitEthernet0/12</P><P>!</P><P>interface GigabitEthernet0/13</P><P>!</P><P>interface GigabitEthernet0/14</P><P>!</P><P>interface GigabitEthernet0/15</P><P> switchport access vlan 60</P><P> switchport mode access</P><P>!</P><P>interface GigabitEthernet0/16</P><P> description HP Switch to Room 206</P><P> switchport trunk encapsulation dot1q</P><P> switchport trunk native vlan 60</P><P> switchport trunk allowed vlan 1,2,5,20,50,51,60,206,250,260,1002-1005</P><P> switchport mode trunk</P><P>!</P><P>interface GigabitEthernet0/17</P><P>!</P><P>interface GigabitEthernet0/18</P><P>!</P><P>interface GigabitEthernet0/19</P><P>!</P><P>interface GigabitEthernet0/20</P><P>!</P><P><STRONG>interface GigabitEthernet0/21</STRONG></P><P><STRONG> description Uplink to ASA 5510 Inside</STRONG></P><P><STRONG> switchport trunk encapsulation dot1q</STRONG></P><P><STRONG> switchport trunk allowed vlan 1,2,5,20,51,60,250,260,999,1002-1005</STRONG></P><P><STRONG> switchport mode trunk</STRONG></P><P>!</P><P>interface GigabitEthernet0/22</P><P> description Uplink to DMZ</P><P> switchport access vlan 51</P><P>!</P><P>interface GigabitEthernet0/23</P><P><SPAN style="font-size: 10pt;">!</SPAN></P><P>interface GigabitEthernet0/24</P><P> description Connection to MTSDMZ on ASA5510</P><P> switchport access vlan 999</P><P>!</P><P>interface GigabitEthernet0/25</P><P> description Uplink to mts-3b329-4006 Port Gi2/4</P><P> switchport trunk encapsulation isl</P><P> switchport trunk allowed vlan 250,260</P><P> switchport mode trunk</P><P>!</P><P>interface GigabitEthernet0/26</P><P> description Uplink to lstc-3548xl-sw1</P><P> switchport trunk encapsulation isl</P><P> switchport trunk allowed vlan 1,2,5,20,51,60,250,260,999,1002-1005</P><P> switchport mode trunk</P><P>!</P><P>interface GigabitEthernet0/27</P><P> description Uplink to lstc-3548xl-sw2 Gi0/1</P><P> switchport trunk encapsulation dot1q</P><P> switchport trunk native vlan 20</P><P> switchport trunk allowed vlan 1,2,5,20,51,60,250,260,999,1002-1005</P><P> switchport mode trunk</P><P>!</P><P>interface GigabitEthernet0/28</P><P> description Gigabit Uplink to lstc-3524xl-329 Gi0/1</P><P> switchport trunk encapsulation dot1q</P><P> switchport mode trunk</P><P>!</P><P>interface Vlan1</P><P> ip address 10.255.255.254 255.255.255.0</P><P>!</P><P>interface Vlan5</P><P> ip address 10.10.5.11 255.255.255.0</P><P>!</P><P>interface Vlan20</P><P> ip address 10.10.20.11 255.255.255.0</P><P>!</P><P>interface Vlan60</P><P> ip address 10.10.60.2 255.255.255.0</P><P>!</P><P>ip classless</P><P>ip route 0.0.0.0 0.0.0.0 10.10.5.1</P><P>ip http server</P><P>!</P><P>!</P><P>control-plane</P><P>!</P><P>!</P><P><SPAN style="font-size: 10pt;">end</SPAN></P><P></P><P></P><P>lstc-3560-core#</P></BODY></HTML> Thu, 18 Apr 2013 19:33:17 GMT https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196500#M358915 Timothy Erk 2013-04-18T19:33:17Z Inter-VLAN firewall or routing issues... ping only. https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196501#M358916 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Isnt there asymmetric routing going on here at the moment?</P><P></P><UL><LI>Host on Vlan60 sends TCP SYN to its default gateway which is ASA</LI><LI>Host on Vlan 5 receives TCP SYN and sends TCP SYN,ACK to its default gateway which is L3 Switch</LI><LI>The TCP SYN,ACK is sent from the L3 Switch directly to the host on Vlan60 since the L3 Switch can see it as a directly connected network</LI><LI>Host on Vlan60 sends TCP ACK to finalize the TCP connection negotiation and it sends it to its default gateway which is ASA</LI><LI>ASA has never seen the TCP SYN,ACK from the host on Vlan5 and therefore blocks the TCP ACK</LI><LI>Connection fails</LI></UL><P></P><P>Or this is atleast what came to my mind first. It might also explain why ICMP is working but not the TCP connections.</P><P></P><P>I guess you could try removing the Vlan60 interface so the L3 switch doesnt see that network as connected network but rather just distributes the Vlan60 throughout the switch network.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 18 Apr 2013 20:29:44 GMT https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196501#M358916 Jouni Forss 2013-04-18T20:29:44Z Inter-VLAN firewall or routing issues... ping only. https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196502#M358917 <HTML><HEAD></HEAD><BODY><P>We are seeing the same issue, same scenario, will answer if we resolve.</P></BODY></HTML> Mon, 30 Sep 2013 15:02:53 GMT https://community.cisco.com/t5/network-security/inter-vlan-firewall-or-routing-issues-ping-only/m-p/2196502#M358917 gfield 2013-09-30T15:02:53Z