topic Re: Vlan to Vlan communication in Network Security

Vlan to Vlan communication

john.irizarry — Mon, 11 Mar 2019 16:15:53 GMT

Hello all,

I have created 3 vlans on my ASA 5505,

5,10,15,and 20

They are on Interface 0/4 and trunked to a switch port which is also configured as a trunk. All works great....EXCEPT

I have a printer on VLAN 20 (192.168.20.15) that folks on VLAN 5 and 15 need to print to. I have the vlans on the same security level and configured same-security-traffic-permit.

I am missing something very elementary, I'm sure. Can someone please provide the key to this puzzle?

Thanks!

John

Re: Vlan to Vlan communication

apdatasoft — Wed, 16 Sep 2009 08:18:24 GMT

Hi,

Try adding routes to all other interfaces similar to route inside. Check the gateway of the printer if still not responding

Thanks

Re: Vlan to Vlan communication

andrew.prince — Wed, 16 Sep 2009 08:46:52 GMT

Your issue appears to be NAT

Either created a nat0 for the vlan's or configure a static network nat.

HTH>

Re: Vlan to Vlan communication

john.irizarry — Wed, 16 Sep 2009 12:37:53 GMT

Thanks! created the following and now my users cannot get to the Internet

nat (Chappell) 0 access-list Chappell_access_in

nat (Burton) 0 access-list Burton_access_in

I already have the static access-list setup as follows for allowing access to the printer

static (User-Vlan,Burton) 192.168.20.15 192.168.20.15 netmask 255.255.255.255

static (User-Vlan,Chappell) 192.168.20.15 192.168.20.15 netmask 255.255.255.255

My route is

route inside 192.168.0.0 255.255.0.0 192.168.1.1 1

I'm stuck!

John

Re: Vlan to Vlan communication

andrew.prince — Wed, 16 Sep 2009 12:43:58 GMT

That is because you are using the wrong acl - at the end of the acls you are saying ip any any = do not nat anything - when you use these acl's with the no-nat config.

Remove:-

nat (Chappell) 0 access-list Chappell_access_in

nat (Burton) 0 access-list Burton_access_in

Config the below:-

access-list no-vlan-nat permit ip 192.168.5.0 255.255.255.0 host 192.168.20.15

access-list no-vlan-nat permit ip 192.168.15.0 255.255.255.0 host 192.168.20.15

nat (Chappell) 0 access-list no-vlan-nat

nat (Burton) 0 access-list no-vlan-nat

HTH>

Re: Vlan to Vlan communication

john.irizarry — Wed, 16 Sep 2009 13:04:54 GMT

Thanks! Would that be the same for a VPN use? VPN is 192.168.30.0

access-list no-vlan-nat permit ip 192.168.30.0 255.255.255.0 host 192.168.20.15

Thanks you! I'll try this now.

Re: Vlan to Vlan communication

andrew.prince — Wed, 16 Sep 2009 13:07:42 GMT

No - for VPN use you have to do a couple of things.....but why would you want remote VPN clients to print to a printer they are remote from?

Re: Vlan to Vlan communication

john.irizarry — Wed, 16 Sep 2009 13:13:09 GMT

I asked the same thing. Apparently the broker has an office at home and wants to print contracts on this printer for his staff when he is out of the office. I could use access to the vlan for RDP though.

Re: Vlan to Vlan communication

andrew.prince — Wed, 16 Sep 2009 13:20:58 GMT

Then all you need to do is add the remote VPN IP subnet to the interface no-nat access-list and it will be ok.

Re: Vlan to Vlan communication

john.irizarry — Wed, 16 Sep 2009 13:26:17 GMT

Thank you! I'll give it a shot. NAT always messes me up. Need to study it more.

Re: Vlan to Vlan communication

john.irizarry — Wed, 16 Sep 2009 18:10:04 GMT

So it would look like this, right?

access-list no-vlan-nat extended permit ip 192.168.30.0 255.255.255.0 host 192.168.20.0

VPN IP is 192.168.30.x

Thanks again for all your assisstance.

Re: Vlan to Vlan communication

andrew.prince — Thu, 17 Sep 2009 08:03:56 GMT

Yes - and you need to make sure the 192.168.20.0 subnet is in the encryption domain list for the remote vpn user.

Re: Vlan to Vlan communication

john.irizarry — Thu, 17 Sep 2009 12:43:49 GMT

That did not work. I cannot access the 20 network. Do I need a NAT 0 for VPN as well? That does not sound right. I should be able to access all the vlan's when I VPN in.

Re: Vlan to Vlan communication

andrew.prince — Thu, 17 Sep 2009 14:20:37 GMT

OK - lets debug the config, attach the config with all sensitive info removed.

Re: Vlan to Vlan communication

john.irizarry — Thu, 17 Sep 2009 14:26:45 GMT

ok, Thanks! Here it is. The config works perfectly for the exception of the VPN. I can VPN in, I can surf the web, so split tunnel is configured correctly, but I cannot access any of the VLANs.

Re: Vlan to Vlan communication

andrew.prince — Thu, 17 Sep 2009 15:05:12 GMT

OK - the acl KWRE_Split_Tunnel specifies the allowed network subnets sent to the vpn client for encryption.

Add the specific subnet/IP host to this and re-test.

Re: Vlan to Vlan communication

john.irizarry — Thu, 17 Sep 2009 15:29:33 GMT

ARGH!!! I see that!! Darn it! Ok. Here is what I have:

access-list KWRE_Split_Tunnel standard permit 192.168.1.0 255.255.255.0

It should read:

access-list KWRE_Split_Tunnel standard permit 192.168.0.0 255.255.255.0

This should work!

Re: Vlan to Vlan communication

john.irizarry — Thu, 17 Sep 2009 16:08:08 GMT

I added the following:

access-list KWRE_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0

access-list KWRE_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0

access-list KWRE_splitTunnelAcl standard permit 192.168.15.0 255.255.255.0

access-list KWRE_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0

I can ping 192.168.1.1 but I cannot ping any other network, ie 192.168.20.15

Re: Vlan to Vlan communication

andrew.prince — Fri, 18 Sep 2009 06:52:10 GMT

post your config again with all the changes.

Re: Vlan to Vlan communication

john.irizarry — Fri, 18 Sep 2009 12:41:08 GMT

Ok, here it is.