5505 inter-VLAN routing

r.stalets
Level 1

All,

I am having trouble getting inter-VLAN routing to work on an ASA 5505 with Security Plus. I have tried creating permit ACLs between the VLANs, doing NAT exemptions, etc., but have not had any luck. Trunking seems to work fine, because traffic goes from the switch all the way through the firewall; it's just when I try to communicate across VLANs that I have issues. The firewall log shows that it is creating and tearing down the connection, but no traffic actually passes.

My sanitized config is below:

ASA Version 8.4(5)
!
hostname CLIENT-FW1
domain-name clientname.com
enable password {snip} encrypted
passwd {snip} encrypted
names
!
interface Ethernet0/0
 switchport access vlan 6
!
interface Ethernet0/1
 switchport trunk allowed vlan 1-5
 switchport trunk native vlan 4000
 switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 2
!
interface Vlan1
 nameif management
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
interface Vlan2
 nameif data
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
interface Vlan3
 nameif voice
 security-level 100
 ip address 172.16.3.2 255.255.255.0
!
interface Vlan4
 nameif wireless
 security-level 100
 ip address 172.16.4.1 255.255.255.0
!
interface Vlan5
 nameif guest
 security-level 0
 ip address 172.16.5.1 255.255.255.0
!
interface Vlan6
 nameif outside
 security-level 0
 ip address AA.AA.AA.AA 255.255.255.248
!
boot system disk0:/asa845-k8.bin
ftp mode passive
clock timezone CT -6
dns domain-lookup management
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 172.16.2.2
 domain-name clientname.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_172.16.1.0_26
 subnet 172.16.1.0 255.255.255.192
object network management-network
 subnet 172.16.0.0 255.255.255.0
object network voice-network
 subnet 172.16.3.0 255.255.255.0
object network data-network
 subnet 172.16.2.0 255.255.255.0
object network guest-network
 subnet 172.16.5.0 255.255.255.0
object network wireless-network
 subnet 172.16.4.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console critical
logging asdm informational
mtu management 1500
mtu data 1500
mtu voice 1500
mtu wireless 1500
mtu guest 1500
mtu outside 1500
ip local pool vpn-network 172.16.1.1-172.16.1.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (data,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_26 NETWORK_OBJ_172.16.1.0_26 no-proxy-arp route-lookup
!
object network management-network
 nat (any,outside) dynamic interface
object network voice-network
 nat (any,outside) dynamic interface
object network data-network
 nat (any,outside) dynamic interface
object network guest-network
 nat (any,outside) dynamic interface
object network wireless-network
 nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_HRP protocol ldap
aaa-server LDAP_HRP (data) host 172.16.2.2
 timeout 5
 ldap-base-dn DC=clientname,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http XX.XX.XX.XX 255.255.255.0 outside
http 172.16.0.0 255.255.255.0 management
http 172.16.2.0 255.255.255.0 data
http 172.16.3.0 255.255.255.0 voice
no snmp-server location
no snmp-server contact
sysopt noproxyarp management
sysopt noproxyarp data
sysopt noproxyarp voice
sysopt noproxyarp wireless
sysopt noproxyarp guest
telnet timeout 5
ssh 172.16.0.0 255.255.255.0 management
ssh 172.16.2.0 255.255.255.0 data
ssh XX.XX.XX.XX 255.255.255.0 outside
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 10
dhcpd address 172.16.2.100-172.16.2.250 data
dhcpd dns 8.8.8.8 interface data
dhcpd domain client.local interface data
dhcpd enable data
!
dhcpd address 172.16.3.11-172.16.3.250 voice
dhcpd dns 8.8.8.8 interface voice
dhcpd domain client.local interface voice
dhcpd enable voice
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 149.20.68.17
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-linux-3.1.02026-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 2
 anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_client internal
group-policy GroupPolicy_client attributes
 wins-server none
 dns-server value 172.16.2.2
 vpn-tunnel-protocol ssl-client
 default-domain value clientname.com
{account info redacted}
tunnel-group client type remote-access
tunnel-group client general-attributes
 address-pool vpn-network
 authentication-server-group LDAP_client
 default-group-policy GroupPolicy_client
tunnel-group {snip} webvpn-attributes
 group-alias {snip} enable
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0a653b3710e7f8815459e7b4f6d97082
: end
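Reading the posted config against the ASA's interface rules, as an added example that is not part of the original thread: data, voice, wireless and management all sit at security-level 100, so traffic between them is only allowed because `same-security-traffic permit inter-interface` is present, while guest (level 0) to any level-100 interface is denied unless an inbound ACL permits it. The Python below (my code, not the poster's or Cisco's) parses the interface blocks, the same-security-traffic lines, any `access-group ... in interface` bindings and the 5505 Base-license `no forward interface vlan N` sub-command, and returns a verdict for a given source/destination pair. The sample config is a constructed excerpt of the one above; 203.0.113.2 is a placeholder for the redacted AA.AA.AA.AA.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: interface and same-security lines trimmed from the posted
# config; 203.0.113.2 stands in for the redacted outside address.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif data
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
interface Vlan3
 nameif voice
 security-level 100
 ip address 172.16.3.2 255.255.255.0
!
interface Vlan5
 nameif guest
 security-level 0
 ip address 172.16.5.1 255.255.255.0
!
interface Vlan6
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
"""

@dataclass
class Iface:
    name: str                 # e.g. "Vlan2"
    nameif: str = ""
    level: int = -1
    acl_in: str = ""          # ACL bound by 'access-group <acl> in interface <nameif>'
    no_forward: set = field(default_factory=set)  # VLAN ids from 'no forward interface vlan N'

@dataclass
class Config:
    ifaces: dict              # nameif -> Iface
    inter_same: bool = False  # same-security-traffic permit inter-interface
    intra_same: bool = False  # same-security-traffic permit intra-interface

def parse_config(text):
    cfg, cur, acls = Config(ifaces={}), None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):      # ASA indents sub-commands by one space
            cur = None
        if line.startswith("interface "):
            cur = Iface(name=line.split(None, 1)[1])
        elif cur is not None:
            if line.startswith("nameif "):
                cur.nameif = line.split()[1]
                cfg.ifaces[cur.nameif] = cur
            elif line.startswith("security-level "):
                cur.level = int(line.split()[1])
            elif (m := re.match(r"no forward interface vlan (\d+)", line, re.I)):
                cur.no_forward.add(int(m.group(1)))
        elif line == "same-security-traffic permit inter-interface":
            cfg.inter_same = True
        elif line == "same-security-traffic permit intra-interface":
            cfg.intra_same = True
        elif (m := re.match(r"access-group (\S+) in interface (\S+)", line)):
            acls.append(m.groups())
    for acl, nameif in acls:             # access-group lines follow the nameif definitions
        if nameif in cfg.ifaces:
            cfg.ifaces[nameif].acl_in = acl
    return cfg

def vlan_id(iface):
    m = re.fullmatch(r"Vlan(\d+)", iface.name, re.I)
    return int(m.group(1)) if m else None

def verdict(cfg, src, dst):
    """Interface-level decision for a new connection src -> dst (nameifs): (result, reason),
    result being 'permit', 'deny', or 'acl' when an inbound ACL on src decides.
    Routing, NAT and inspection are not modelled."""
    s, d = cfg.ifaces[src], cfg.ifaces[dst]
    if src == dst:
        return ("permit" if cfg.intra_same else "deny",
                "hairpin on one interface needs 'same-security-traffic permit intra-interface'")
    if vlan_id(d) in s.no_forward:
        return ("deny", f"{src} carries 'no forward interface vlan {vlan_id(d)}' (Base-license limit)")
    if s.acl_in:
        return ("acl", f"inbound ACL {s.acl_in} on {src} decides (implicit deny at its end)")
    if s.level > d.level:
        return ("permit", f"higher ({s.level}) to lower ({d.level}) security is allowed by default")
    if s.level == d.level:
        why = "'same-security-traffic permit inter-interface'"
        if cfg.inter_same:
            return ("permit", f"equal security ({s.level}) allowed by {why}")
        return ("deny", f"equal security ({s.level}) and no {why}")
    return ("deny", f"lower ({s.level}) to higher ({d.level}) security needs an inbound ACL on {src}")

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for src, dst in [("data", "voice"), ("guest", "data"), ("voice", "outside"), ("data", "data")]:
        print(f"{src:>7} -> {dst:<7}", *verdict(cfg, src, dst))
```

For the data/voice pair the verdict is permit, which matches the "Implicit Rule" ACCESS-LIST phase in the packet-tracer output posted later in the thread and says the interface policy is not what is blocking the traffic; the remaining suspects are on the hosts and the switch side (gateways, the VLAN-to-port mapping, host firewalls). Two items in the same config that a reviewer would flag independently of the routing question: `http` and `ssh` are permitted from a /24 on the outside interface, and `ssh key-exchange group dh-group1-sha1` selects a 1024-bit DH group where the same command also accepts dh-group14-sha1.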

5 Replies

lcambron
Level 3

Hello,

What are the source and destination IP addresses?

Have you tried a packet tracer?

Example:

Let's say traffic comes from the data interface to voice:

packet-tracer input data tcp 172.16.2.5 1025 192.16.2.5 80

Regards,

Felipe.

I ran a packet tracer a while ago and it passed all stages.

We need more information so we can help:

- Source and destination IPs

- Output from packet tracer

Next step will be to take captures.

Regards,

Felipe.

Hi lcambron,

In this packet tracer, I went from 172.16.2.99 to 172.16.3.10 (data to voice):

packet-tracer input data tcp 172.16.2.99 80 172.16.3.10 80 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca149f48, priority=1, domain=permit, deny=false
        hits=45279, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=data, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.3.0      255.255.255.0   voice

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca14a9f0, priority=2, domain=permit, deny=false
        hits=149, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=data, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca14de40, priority=0, domain=inspect-ip-options, deny=true
        hits=3414, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=data, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xca17beb8, priority=0, domain=inspect-ip-options, deny=true
        hits=36355, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=voice, output_ifc=any

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 41374, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: data
input-status: up
input-line-status: up
output-interface: voice
output-status: up
output-line-status: up
Action: allow

Thanks!

Ryan
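A small parser for packet-tracer output of the kind posted above, added here as an example and not code from the thread: it splits a trace into its numbered phases, records each phase's Type and Result together with the lines under its Config: heading, and pulls the final Action, interface path and Drop-reason from the Result block, which is the triage a practitioner does by eye on a long trace. Both inputs are constructed: the first is an abridged copy of Ryan's output (phases 3 to 5 and the status lines removed), the second is a hypothetical denied trace with an invented ACL name, guest_in, included so the drop path is exercised.

```python
import re

# Constructed sample: abridged from the packet-tracer output posted above.
ALLOW_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.3.0      255.255.255.0   voice

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 41374, packet dispatched to next module

Result:
input-interface: data
output-interface: voice
Action: allow
"""

# Constructed sample of a denied trace; the ACL name guest_in is hypothetical.
DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.3.0      255.255.255.0   voice

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group guest_in in interface guest
access-list guest_in extended deny ip any any
Additional Information:

Result:
input-interface: guest
output-interface: voice
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    # Phases are numbered blocks; a bare 'Result:' line opens the final verdict block.
    phases, final, cur, section, in_final = [], {}, None, None, False
    for line in text.splitlines():
        if (m := re.match(r"Phase:\s*(\d+)\s*$", line)):
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif re.match(r"Result:\s*$", line):
            in_final, cur = True, None
        elif in_final:
            if (m := re.match(r"([\w-]+):\s*(.*)", line)):
                final[m.group(1)] = m.group(2).strip()
        elif cur is None or not line.strip():
            continue
        elif (m := re.match(r"(Type|Subtype|Result):\s*(.*)", line)):
            cur[m.group(1).lower()] = m.group(2).strip()
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section:
            cur[section].append(line.rstrip())
    return {"phases": phases, "final": final}

def summarize(text):
    t = parse_trace(text)
    f = t["final"]
    # The first DROP phase, with the config lines that produced it, is what to read first.
    drop = next((p for p in t["phases"] if p["result"].upper() == "DROP"), None)
    return {
        "action": f.get("Action", "").lower(),
        "path": (f.get("input-interface"), f.get("output-interface")),
        "phases": [(p["phase"], p["type"], p["result"]) for p in t["phases"]],
        "drop_phase": None if drop is None else (drop["phase"], drop["type"], drop["config"]),
        "drop_reason": f.get("Drop-reason"),
    }

if __name__ == "__main__":
    for name, trace in (("allow", ALLOW_TRACE), ("drop", DROP_TRACE)):
        print(name, summarize(trace))
```

A trace that allows, as Ryan's does, only shows that the policy, route and NAT lookups agree for the synthetic packet; it does not show that a host's real packets reach the ASA or leave it, which is why Felipe's next step is captures: `capture CAP interface voice match tcp host 172.16.2.99 host 172.16.3.10` on the egress interface (and the same on data) shows whether the SYN arrives and whether it is forwarded. One detail of the posted command: it uses 80 as the source port; an ephemeral port such as the 1025 in Felipe's example is closer to what a real client sends and matters when an ACL matches on source ports.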

Hey Ryan,

a couple of things to check:

- Do your clients have the proper gateways assigned? If not, add option 3 to your dhcpd config to manually specify the gateway IP (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_dhcp.html#wp1226197)

- Note that if you are by chance trying to ping the ASA interfaces themselves, you might run into problems:

https://supportforums.cisco.com/thread/2150831

- If you are trying to ping Windows clients, check that the Windows Firewall is disabled.

Hope this helps...
