topic Routing VLAN's internally on ASA 5510 in Network Security

Routing VLAN's internally on ASA 5510

psprscisco — Tue, 12 Mar 2019 00:47:26 GMT

I am currently in pre-production on a firewall and running into some areas where the configuration is beyond my skill level. We have 3 vlans (DATA, VoIP, ISCSI) and need to have the ability to go back and forth between these vlans freely.

Upon researching a bit I came up with the following configurations required in order to make this inter-vlan routing work (8.2 firmware on ASA 5510):

static (Inside,ISCSI) Inside-DATA Inside-ISCSI netmask 255.255.0.0

static (Inside,VOIP) Inside-DATA Inside-VoIP netmask 255.255.0.0

static (ISCSI,Inside) Inside-ISCSI Inside-DATA netmask 255.255.0.0

static (VOIP,Inside) Inside-VoIP Inside-DATA netmask 255.255.0.0

global (Outside) 1 interface

nat (Inside) 1 Inside-DATA 255.255.0.0

nat (VOIP) 1 Inside-VoIP 255.255.0.0

nat (ISCSI) 1 Inside-ISCSI 255.255.0.0

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

Upon updating to 9.1, I was lucky enough to get a spat of these:

The following 'nat' command didn't have a matching 'global' rule on interface 'Inside' and was not migrated.

nat (Inside) 1 Inside-DATA 255.255.0.0

The following 'nat' command didn't have a matching 'global' rule on interface 'VOIP' and was not migrated.

nat (Inside) 1 Inside-DATA 255.255.0.0

The following 'nat' command didn't have a matching 'global' rule on interface 'ISCSI' and was not migrated.

nat (Inside) 1 Inside-DATA 255.255.0.0

The following 'nat' command didn't have a matching 'global' rule on interface 'Inside' and was not migrated.

nat (VOIP) 1 Inside-VoIP 255.255.0.0

The following 'nat' command didn't have a matching 'global' rule on interface 'VOIP' and was not migrated.

nat (VOIP) 1 Inside-VoIP 255.255.0.0

The following 'nat' command didn't have a matching 'global' rule on interface 'ISCSI' and was not migrated.

nat (VOIP) 1 Inside-VoIP 255.255.0.0

I do not know what it will take to get the inter-vlan routing working. Attached is my config minus some of the confidential info.

Re: Routing VLAN's internally on ASA 5510

Karsten Iwen — Tue, 15 Jan 2013 23:38:39 GMT

You don't need to specify any NAT-rules if you don't need to nat.

So I would remove all nat-rules that don't have an (xxx, outside) in the rule. Without these rules you can route through your vlans. You still need ACLs on these interfaces to allow traffic.

And please don't attach your config as Word-file. A plain textfile is better to handle.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Routing VLAN's internally on ASA 5510

psprscisco — Wed, 16 Jan 2013 22:03:01 GMT

I replaced the word document with an updated text document. Removed the nat rules and put in ACLS:

object-group network AllVLANS

network-object Inside-ISCSI 255.255.0.0

network-object Inside-VoIP 255.255.0.0

access-list VOIP_access_in extended permit ip 10.5.0.0 255.255.0.0 10.8.0.0 255.255.0.0

access-list Inside_access_in extended permit ip object-group AllVLANS 10.5.0.0 255.255.0.0

access-list ISCSI_access_in extended permit ip 10.5.0.0 255.255.0.0 object Inside-ISCSI-01

So this along with same-security-traffic permit inter-interface should allow the "Inside 10.5.0.0" vlan to access the ISCSI and VOIP networks?

Thanks for the help, greatly appreciated by this cisco padawan.

Re: Routing VLAN's internally on ASA 5510

Karsten Iwen — Wed, 16 Jan 2013 22:31:24 GMT

I think you screwed up your ACLs ...

The source is the network that is sitting on a specific interface, the destinations are the other networks. With that you need the following ACLs:

access-list Inside_access_in extended permit ip 10.5.0.0 255.255.0.0 object-group AllVLANS

access-list VOIP_access_in extended permit ip 10.8.0.0 255.255.0.0 10.5.0.0 255.255.0.0

access-list ISCSI_access_in extended permit ip object Inside-ISCSI-01 10.5.0.0 255.255.0.0

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Routing VLAN's internally on ASA 5510

psprscisco — Wed, 16 Jan 2013 22:34:00 GMT

Makes perfect sense. Thanks for the help!