topic Re: Inter VLAN-Routing ASA 5505 in Network Security

Inter VLAN-Routing ASA 5505

Garland Moore — Mon, 11 Mar 2019 23:28:45 GMT

Hello,

Ive been readin all over the internet (including this site) trying to figure out if the asa can handle intervlan routing. Im not sure what I am missing on my config to get this to work. Ive read that it can work and Ive read that it cant work. Can someone lead me in the right direction on how to get this to work on my asa 5505.

Here is my setup

Cable Modem ---> ASA (eth0/0)

(eth0/2) -->unmanaged switch for LAN connectivity

(eth0/3) --> Access point for wireless LAN connectivty

My config is attached

What I would like to do is be able to communicate between vlan3(LAN) and vlan4(Wireless LAN)

Whats strange is I can RDP between the two vlans but I cant ping or anything else.

Any help is appreciated!

Inter VLAN-Routing ASA 5505

Jouni Forss — Tue, 10 Jul 2012 05:33:08 GMT

Hi,

Personally I would do the following

1.) Change the wifi interface security-level to something like 99

2.) remote the nat command: static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

3.) Configure icmp inspection so ICMP will pass through without opening both directions for the traffic (echo and reply)

4.) Build access-lists for each interface even though they might be simple

One option with the NAT you have is ofcourse using NAT0/NAT Exempt to tell the ASA that no translation between these networks will be done. Then again I think the ASA doesnt have the "nat-control" configured at the moment so removing both the static translations should still mean your 2 LAN networks should be able to reach each other wihtout using NAT.

- Jouni

Inter VLAN-Routing ASA 5505

Jouni Forss — Tue, 10 Jul 2012 05:33:56 GMT

The ICMP inspection configuration was

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

Inter VLAN-Routing ASA 5505

Garland Moore — Wed, 11 Jul 2012 04:27:04 GMT

JouniForss, thanks for your response. I tried your suggested step and I was still unable to talk between the two vlans. Is my approach to this scenario wrong. I know ASA arent typically used as Layer devices but from what Ive been reading it can be done.

From my reading it seems like the following alone should allow me to talk across the vlans:

static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

Sorry for all the questions, Im familiar with routing and switching. The ASA is kind of a different beast.

Another thing thats weird to me is that, when I do a packet trace is states that the packet is allowed. Any help is appreciated.

Inter VLAN-Routing ASA 5505

Jouni Forss — Wed, 11 Jul 2012 06:22:26 GMT

Hi,

There should be no problem using the ASA in this kind of setup. Though I'm more used to doing this with the other ASA models. ASA 5510 and onwards where the interface configurations change compared to the ASA5505 (no actual switch ports)

The "same-security-traffic" command basically either permit traffic between interfaces with same security-level or allow traffic to be sent out the same interface it originally came from. In this case only one of them should apply.

Seems strange to me that you can indeed use RDP connections but nothing else works. One would think the problem stems from something else than the firewall settings if some connections go through

Have you been able to send ICMP through the firewall after adding the commands I mentioned? There shouldnt be anything preventhing the Echos/Echo replys other than the devices sending them.

If you want to allow icmp echos on you ASAs interfaces you can use the command

icmp permit any

This command allows you to ping the ASAs interfaces. Notice though that you cant ping a ASA interface behind another ASA interface. You can only ping the interface behind which you are connected.

I typically allow ICMP on all interfaces that arent connected to public network/Internet.

Naturally, if you have some TCP connection that you can use to test traffic between these Vlans, try it out and at the same time monitor the traffic through ASDM and see what happens to the connection. Does the connection get built on the ASA but is it beeing torn down by SYN Timeout or whats happening?

- Jouni

Inter VLAN-Routing ASA 5505

Garland Moore — Thu, 12 Jul 2012 05:00:16 GMT

So Ive made the changes you suggested but Im still unable to get the functionality I am looking for. My config is below after the changes.

ASA Version 8.2(2)

hostname frw01

enable password .MlTybcgwEXNF1HM encrypted

passwd .MlTybcgwEXNF1HM encrypted

names

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

interface Vlan3

no forward interface Vlan4

nameif guest

security-level 50

ip address 172.16.10.1 255.255.255.0

interface Vlan4

nameif inside

security-level 99

ip address 172.16.1.1 255.255.255.0

interface Vlan5

nameif insidewifi

security-level 100

ip address 172.16.2.1 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 3

interface Ethernet0/2

switchport access vlan 4

interface Ethernet0/3

switchport access vlan 5

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group icmp-type DefaultICMP

description Default ICMP Types permitted

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

access-list icmp_outside extended permit icmp any any object-group DefaultICMP

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu insidewifi 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any insidewifi

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (guest) 1 172.16.10.0 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.0

nat (insidewifi) 1 172.16.2.0 255.255.255.0

static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

access-group icmp_outside in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 172.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 172.16.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 172.16.1.102

dhcprelay server 172.16.1.102 inside

dhcprelay enable guest

dhcprelay enable insidewifi

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username ******** password PNUmTwjDhevRqhkT encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect icmp error

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:3fcbac02b3e4b4e6919cf34a9137b4fb

Below is the error message that I receive when trying to connect to an access point on a different subnet.

Jul 11 2012

23:52:18

106001

172.16.1.200

50262

172.16.2.1

Inbound TCP connection denied from 172.16.1.200/50262 to 172.16.2.1/80 flags SYN on interface inside

Maybe I have some over kill here and should start from scratch and change my approach. It seems that my like of experience with the asa is part of the issue.

Suggestions or thoughts?

Re: Inter VLAN-Routing ASA 5505

Jouni Forss — Thu, 12 Jul 2012 06:26:12 GMT

Hi,

Seems to me that the log message implies that the host (inside) 172.16.1.200 is connecting to the ASA interface (insidewifi). (TCP SYN to interface IP)

This will naturally be blocked. In the same way an ICMP from behind the "inside" interface to the "insidewifi" would be blocked.

Why are you connecting to the ASA interface IP?

- Jouni

Re: Inter VLAN-Routing ASA 5505

Jouni Forss — Thu, 12 Jul 2012 06:34:11 GMT

Also,

Have you considered configuring a trunk between the ASA 5505 and the local switch? Since at the moment you just have access ports for all the Vlan interfaces on the ASA.

I presume you have gotten the ASA with something else than the Base license since you have over 3 interfaces on it. To my understanding.

Unfortunately i so rarely deal with the ASA5505 that I have forgotten some of the differences it has to the later models.

- Jouni

Re: Inter VLAN-Routing ASA 5505

Garland Moore — Thu, 12 Jul 2012 13:27:20 GMT

The log above was generated when trying to ping a host on a different vlan. I wasnt attempting to connect to the ASA interface IP/ The switch connected to the ASA is an unmanaged switch so I didnt think a trunk was necessary since everything connected to that switch will be on the same vlan.

The ASA does have a Security Plus license.

Re: Inter VLAN-Routing ASA 5505

Jouni Forss — Mon, 16 Jul 2012 09:12:31 GMT

Hi,

I guess by ping you are refering to some application testing TCP traffic (sameway the newer ASA software versions have TCP ping)? An actual ICMP echo wouldnt generate that message.

I assume the unmanaged switch is only connected to the port Ethernet0/2 on the ASA? (only for interface "inside" users)

- Jouni

Re: Inter VLAN-Routing ASA 5505

Ramraj Sivagnanam Sivajanam — Mon, 16 Jul 2012 09:35:07 GMT

Hi Bro

Based on your requirement as stated in this subject, you want to PING between Vlan3 and Vlan4. This is not hard. Just follow the comments I've give you below, and you will do just fine 🙂

!
interface Vlan3
no forward interface Vlan4 <-- remove this line!!!!!!!!!!!!!!!
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!

object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo <-- add this!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded

no access-list icmp_outside extended permit icmp any any object-group DefaultICMP
no access-group icmp_outside in interface outside

access-list guest permit icmp any any object-group DefaultICMP
access-list guest deny ip any any log
access-group guest in interface guest

access-list inside permit icmp any any object-group DefaultICMP
access-list inside deny ip any any log
access-group inside in interface inside

static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

By the way, could you also paste the output of this command "show threat-detection shun" here, as well.

If this still doesn't work, paste your latest show run output here. This should be easy and fast 🙂 Good luck bro

Re: Inter VLAN-Routing ASA 5505

Garland Moore — Tue, 17 Jul 2012 02:14:27 GMT

Ramraj, thanks for your response! Here what Im attempting to do...

I would like to have 4 VLANs

Vlan2 -- Outside

Vlan3 -- Guest Wifi

Vlan4 -- Inside LAN

Vlan5 -- Inside LAN Wifi

I would like to allow any communication between Vlan 4 and Vlan 5.

I would then like Vlan4 and Vlan5 to access Vlan 3 but not vice versa (not critical for this functionality to work)

I would like all the Vlans to have access to the internet.

I know the ASA is not a router but can act as one (kinda). The "show threat-detection shun" command didnt return any results. I appreciate any assistance with helping me get this up and running.

Here is my latest config

: Saved

ASA Version 8.2(2)

hostname frw01

enable password .MlTybcgwEXNF1HM encrypted

passwd .MlTybcgwEXNF1HM encrypted

names

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

interface Vlan3

nameif guest

security-level 50

ip address 172.16.10.1 255.255.255.0

interface Vlan4

nameif inside

security-level 99

ip address 172.16.1.1 255.255.255.0

interface Vlan5

nameif insidewifi

security-level 100

ip address 172.16.2.1 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 3

interface Ethernet0/2

switchport access vlan 4

interface Ethernet0/3

switchport access vlan 5

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group icmp-type DefaultICMP

description Default ICMP Types permitted

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

access-list icmp_outside extended permit icmp any any object-group DefaultICMP

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu insidewifi 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any insidewifi

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (guest) 1 172.16.10.0 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.0

nat (insidewifi) 1 172.16.2.0 255.255.255.0

static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

access-group icmp_outside in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 172.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 172.16.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 172.16.1.102

dhcprelay server 172.16.1.102 inside

dhcprelay enable guest

dhcprelay enable insidewifi

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username ***** password PNUmTwjDhevRqhkT encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect icmp error

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

Re: Inter VLAN-Routing ASA 5505

Ramraj Sivagnanam Sivajanam — Tue, 17 Jul 2012 05:56:49 GMT

Hi Bro

Please delete / write erase your present FW configuration, and paste the configuration shown below. This will work. I've done it too many times, to know this will work 🙂

Please ensure the hub or switch connected to each of the FW interface is different, for security and network performance purposes e.g. Ethernet0/0 - 0/3.

As for the rules portion, let's keep it loose for now. Once all is good, we can then tighten them yaa 🙂

Let me know how it goes...

!
hostname FW01
enable password cisco
passwd cisco
!
interface Vlan2
description ### Link to Internet ###
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description ### Link to GUEST WIFI ###
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
description ### Link to INSIDE LAN ###
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
description ### Link to INSIDE WIFI ###
nameif insidewifi
security-level 50
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
description ### Link to Internet ###
switchport access vlan 2
!
interface Ethernet0/1
description ### Link to GUEST WIFI ###
switchport access vlan 3
!
interface Ethernet0/2
description ### Link to INSIDE LAN ###
switchport access vlan 4
!
interface Ethernet0/3
description ### Link to INSIDE WIFI ###
switchport access vlan 5
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!

no nat-control

!
same-security-traffic permit inter-interface
!
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any

access-group outside in interface outside
access-group inside in interface inside
access-group guest in interface guest
access-group insidewifi in interface insidewifi

global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0

aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

http server enable
http 172.16.1.0 255.255.255.0 inside

username cisco password cisco privilege 15

ssh 172.16.1.0 255.255.255.0 inside

management-access inside

dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay timeout 60
dhcprelay setroute guest
dhcprelay setroute insidewifi

Re: Inter VLAN-Routing ASA 5505

Garland Moore — Wed, 18 Jul 2012 04:01:22 GMT

Ok, so I took your advice and pasted your config. Now the only host on the inside vlan can get to the internet. The other vlans get ip addresses but that it. Ive gotta be missing something simple here.

Here is my config:

hostname FW01

enable password .MlTybcgwEXNF1HM encrypted

passwd .MlTybcgwEXNF1HM encrypted

names

interface Vlan1

no nameif

no security-level

no ip address

interface Vlan2

description ### Link to Internet ###

nameif outside

security-level 0

ip address dhcp setroute

interface Vlan3

description ### Link to GUEST WIFI ###

nameif guest

security-level 50

ip address 172.16.10.1 255.255.255.0

interface Vlan4

description ### Link to INSIDE LAN ###

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

interface Vlan5

description ### Link to INSIDE WIFI ###

nameif insidewifi

security-level 50

ip address 172.16.2.1 255.255.255.0

interface Ethernet0/0

description ### Link to Internet ###

switchport access vlan 2

interface Ethernet0/1

description ### Link to GUEST WIFI ###

switchport access vlan 3

interface Ethernet0/2

description ### Link to INSIDE LAN ###

switchport access vlan 4

interface Ethernet0/3

description ### Link to INSIDE WIFI ###

switchport access vlan 5

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

ftp mode passive

same-security-traffic permit inter-interface

access-list inside extended permit ip any any

access-list outside extended permit ip any any

access-list guest extended permit ip any any

access-list insidewifi extended permit ip any any

pager lines 24

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu insidewifi 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (guest) 1 172.16.10.0 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.0

nat (insidewifi) 1 172.16.2.0 255.255.255.0

access-group outside in interface outside

access-group guest in interface guest

access-group inside in interface inside

access-group insidewifi in interface insidewifi

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 172.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 172.16.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 172.16.1.102

dhcpd ping_timeout 750

dhcprelay server 172.16.1.102 inside

dhcprelay enable guest

dhcprelay enable insidewifi

dhcprelay setroute guest

dhcprelay setroute insidewifi

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username ****** password PNUmTwjDhevRqhkT encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:28bf26da86f44244c8f0e4768f75ee70

: end

Re: Inter VLAN-Routing ASA 5505

Ramraj Sivagnanam Sivajanam — Wed, 18 Jul 2012 04:14:22 GMT

Hi Bro

You Cisco ASA config is good but I'm suprised only INSIDE can access the Internet. Can you confirm the following;

a) LAN users in insidewifi and guest can PING to its' gateway i.e. the Cisco ASA itself?

b) LAN users in insidewifi and guest can PING to any Public IP Address e.g. 8.8.8.8?

c) LAN users in insidewifi and guest can PING to any Public FQDN e.g. www.yahoo.com?

d) Is the DNS Server settings in insidewifi and guest correct? as in it's the same as inside users. Is the nslookup output the same?

e) Can you paste the show xlate, and show access-list output here?

Re: Inter VLAN-Routing ASA 5505

Garland Moore — Wed, 18 Jul 2012 05:22:46 GMT

I added the static nat commands below and my Vlans can now talk to the internet.

static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

Are these necessary?

Re: Inter VLAN-Routing ASA 5505

Ramraj Sivagnanam Sivajanam — Wed, 18 Jul 2012 05:37:43 GMT

This Is weird 🙂 I've never seen anything like this before. Are you sure you have keyed in the command "no nat-ncontrol"?

Re: Inter VLAN-Routing ASA 5505

Garland Moore — Thu, 19 Jul 2012 03:02:01 GMT

Bro,

From my understanding the ASA 5505 has nat control disabled by default. I issued the command anyway, and removed the static nat commands but I was still unable to access the internet. The only way internet access will work is if I have the static NAT commands.

Here is the config

ASA Version 8.2(2)

hostname FW01

enable password .MlTybcgwEXNF1HM encrypted

passwd .MlTybcgwEXNF1HM encrypted

names

interface Vlan1

no nameif

no security-level

no ip address

interface Vlan2

description ### Link to Internet ###

nameif outside

security-level 0

ip address dhcp setroute

interface Vlan3

description ### Link to GUEST WIFI ###

nameif guest

security-level 50

ip address 172.16.10.1 255.255.255.0

interface Vlan4

description ### Link to INSIDE LAN ###

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

interface Vlan5

description ### Link to INSIDE WIFI ###

nameif insidewifi

security-level 50

ip address 172.16.2.1 255.255.255.0

interface Ethernet0/0

description ### Link to Internet ###

switchport access vlan 2

interface Ethernet0/1

description ### Link to GUEST WIFI ###

switchport access vlan 3

interface Ethernet0/2

description ### Link to INSIDE LAN ###

switchport access vlan 4

interface Ethernet0/3

description ### Link to INSIDE WIFI ###

switchport access vlan 5

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

ftp mode passive

same-security-traffic permit inter-interface

access-list inside extended permit ip any any

access-list outside extended permit ip any any

access-list guest extended permit ip any any

access-list insidewifi extended permit ip any any

pager lines 24

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu insidewifi 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (guest) 1 172.16.10.0 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.0

nat (insidewifi) 1 172.16.2.0 255.255.255.0

access-group guest in interface guest

access-group inside in interface inside

access-group insidewifi in interface insidewifi

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 172.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 172.16.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 172.16.1.102

dhcpd ping_timeout 750

dhcprelay server 172.16.1.102 inside

dhcprelay enable guest

dhcprelay enable insidewifi

dhcprelay setroute guest

dhcprelay setroute insidewifi

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username ******** password PNUmTwjDhevRqhkT encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:6599fa7a5e196a7dfaa544f75cd64ae7

: end

Inter VLAN-Routing ASA 5505

Ramraj Sivagnanam Sivajanam — Sun, 22 Jul 2012 20:17:00 GMT

Hi Bro

I believe everything is working fine now. Please do paste your latest config here, so that the others could learn from your experience as well.

P/S: If you think this comment is useful, please do rate them nicely 🙂

Inter VLAN-Routing ASA 5505

Garland Moore — Sun, 22 Jul 2012 20:40:03 GMT

Here is the working config. Many thanks to Ramraj for his assistance!!!!!

ASA Version 8.2(2)

hostname FW01

enable password .MlTybcgwEXNF1HM encrypted

passwd .MlTybcgwEXNF1HM encrypted

names

dns-guard

interface Vlan1

no nameif

no security-level

no ip address

interface Vlan2

description ### Link to Internet ###

nameif outside

security-level 0

ip address dhcp setroute

interface Vlan3

description ### Link to GUEST WIFI ###

nameif guest

security-level 50

ip address 172.16.10.1 255.255.255.0

interface Vlan4

description ### Link to INSIDE LAN ###

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

interface Vlan5

description ### Link to INSIDE WIFI ###

nameif insidewifi

security-level 50

ip address 172.16.2.1 255.255.255.0

interface Ethernet0/0

description ### Link to Internet ###

switchport access vlan 2

interface Ethernet0/1

description ### Link to GUEST WIFI ###

switchport access vlan 3

interface Ethernet0/2

description ### Link to INSIDE LAN ###

switchport access vlan 4

interface Ethernet0/3

description ### Link to INSIDE WIFI ###

switchport access vlan 5

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

banner exec

banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********

banner exec *

banner exec * This system is for the use of authorized users only.

banner exec * Individuals using this system are subject to having all of their

banner exec * activities on this system monitored and recorded by system

banner exec * personnel.

banner exec *

banner exec * Anyone using this system expressly consents to such monitoring

banner exec * and is advised that if such monitoring reveals possible

banner exec * evidence of criminal activity, system personnel may provide the

banner exec * evidence of such monitoring to law enforcement officials.

banner exec *

banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********

banner exec

banner exec Name:.......FW01

banner exec Address:....**********

banner exec Location:...CST -5

ftp mode passive

clock timezone CST -5

same-security-traffic permit inter-interface

access-list inside extended permit ip any any

access-list outside extended permit ip any any

access-list guest extended permit udp any host 172.16.1.102 eq domain

access-list guest extended permit udp any host 172.16.1.103 eq domain

access-list guest extended permit udp any any range bootps tftp

access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log

access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log

access-list guest extended permit ip any any

access-list insidewifi extended permit ip any any

no pager

logging enable

logging list TEST level alerts

logging buffered debugging

logging mail TEST

logging from-address *firewall domain name*

logging recipient-address *enter email address here* level errors

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu insidewifi 1500

ip audit name FW01-INFO info action alarm

ip audit name FW01-ATTACK attack action alarm reset

ip audit interface outside FW01-INFO

ip audit interface outside FW01-ATTACK

ip audit signature 2000 disable

ip audit signature 2001 disable

ip audit signature 2004 disable

ip audit signature 2005 disable

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo-reply outside

icmp permit any guest

icmp permit any inside

icmp permit any insidewifi

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (guest) 1 172.16.10.0 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.0

nat (insidewifi) 1 172.16.2.0 255.255.255.0

static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

access-group outside in interface outside

access-group guest in interface guest

access-group inside in interface inside

access-group insidewifi in interface insidewifi

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 172.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

fragment chain 1 outside

sysopt noproxyarp outside

service resetoutside

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 172.16.1.0 255.255.255.0 inside

ssh timeout 60

console timeout 0

management-access inside

dhcpd dns 172.16.1.102

dhcpd ping_timeout 750

dhcprelay server 172.16.1.102 inside

dhcprelay enable guest

dhcprelay enable insidewifi

dhcprelay setroute guest

dhcprelay setroute insidewifi

dhcprelay timeout 60

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.0.0

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 211.233.40.78

ntp server 61.153.197.226

ntp server 202.150.213.154 prefer

webvpn

username *username here* password PNUmTwjDhevRqhkT encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

smtp-server 173.194.79.109

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:69ead0d0578ac025238d9a7a25f48f13