cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


451
Views
0
Helpful
5
Replies
Beginner

5505 inter-VLAN routing

All,

I am having trouble getting inter-VLAN routing to work on an ASA 5505 with Security Plus. I have tried creating permit ACLs between the VLANs, doing NAT exemptions, etc but have not had any luck. Trunking seems to work fine because traffic goes from the switch all the way through the firewall fine it's just when I try to communicate across VLANs I have issues. The firewall log shows that it is creating and tearing down the connection but no traffic actually passes.

My sanitized config is below:

ASA Version 8.4(5)

!

hostname CLIENT-FW1

domain-name clientname.com

enable password {snip} encrypted

passwd {snip} encrypted

names

!

interface Ethernet0/0

switchport access vlan 6

!

interface Ethernet0/1

switchport trunk allowed vlan 1-5

switchport trunk native vlan 4000

switchport mode trunk

!

interface Ethernet0/2

!

interface Ethernet0/3

switchport access vlan 2

!

interface Ethernet0/4

switchport access vlan 2

!

interface Ethernet0/5

switchport access vlan 2

!

interface Ethernet0/6

switchport access vlan 2

!

interface Ethernet0/7

switchport access vlan 2

!

interface Vlan1

nameif management

security-level 100

ip address 172.16.0.1 255.255.255.0

!

interface Vlan2

nameif data

security-level 100

ip address 172.16.2.1 255.255.255.0

!

interface Vlan3

nameif voice

security-level 100

ip address 172.16.3.2 255.255.255.0

!

interface Vlan4

nameif wireless

security-level 100

ip address 172.16.4.1 255.255.255.0

!

interface Vlan5

nameif guest

security-level 0

ip address 172.16.5.1 255.255.255.0

!

interface Vlan6

nameif outside

security-level 0

ip address AA.AA.AA.AA 255.255.255.248

!

boot system disk0:/asa845-k8.bin

ftp mode passive

clock timezone CT -6

dns domain-lookup management

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 172.16.2.2

domain-name clientname.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network NETWORK_OBJ_172.16.1.0_26

subnet 172.16.1.0 255.255.255.192

object network management-network

subnet 172.16.0.0 255.255.255.0

object network voice-network

subnet 172.16.3.0 255.255.255.0

object network data-network

subnet 172.16.2.0 255.255.255.0

object network guest-network

subnet 172.16.5.0 255.255.255.0

object network wireless-network

subnet 172.16.4.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging console critical

logging asdm informational

mtu management 1500

mtu data 1500

mtu voice 1500

mtu wireless 1500

mtu guest 1500

mtu outside 1500

ip local pool vpn-network 172.16.1.1-172.16.1.50 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-711.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (data,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_26 NETWORK_OBJ_172.16.1.0_26 no-proxy-arp route-lookup

!

object network management-network

nat (any,outside) dynamic interface

object network voice-network

nat (any,outside) dynamic interface

object network data-network

nat (any,outside) dynamic interface

object network guest-network

nat (any,outside) dynamic interface

object network wireless-network

nat (any,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server LDAP_HRP protocol ldap

aaa-server LDAP_HRP (data) host 172.16.2.2

timeout 5

ldap-base-dn DC=clientname,DC=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

server-type microsoft

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http XX.XX.XX.XX 255.255.255.0 outside

http 172.16.0.0 255.255.255.0 management

http 172.16.2.0 255.255.255.0 data

http 172.16.3.0 255.255.255.0 voice

no snmp-server location

no snmp-server contact

sysopt noproxyarp management

sysopt noproxyarp data

sysopt noproxyarp voice

sysopt noproxyarp wireless

sysopt noproxyarp guest

telnet timeout 5

ssh 172.16.0.0 255.255.255.0 management

ssh 172.16.2.0 255.255.255.0 data

ssh XX.XX.XX.XX 255.255.255.0 outside

ssh timeout 10

ssh key-exchange group dh-group1-sha1

console timeout 10

dhcpd address 172.16.2.100-172.16.2.250 data

dhcpd dns 8.8.8.8 interface data

dhcpd domain client.local interface data

dhcpd enable data

!

dhcpd address 172.16.3.11-172.16.3.250 voice

dhcpd dns 8.8.8.8 interface voice

dhcpd domain client.local interface voice

dhcpd enable voice

!

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 149.20.68.17

webvpn

enable outside

anyconnect image disk0:/anyconnect-linux-3.1.02026-k9.pkg 1

anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 2

anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 3

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_client internal

group-policy GroupPolicy_client attributes

wins-server none

dns-server value 172.16.2.2

vpn-tunnel-protocol ssl-client

default-domain value clientname.com

{account info redacted}

tunnel-group client type remote-access

tunnel-group client general-attributes

address-pool vpn-network

authentication-server-group LDAP_client

default-group-policy GroupPolicy_client

tunnel-group {snip} webvpn-attributes

group-alias {snip} enable

!

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:0a653b3710e7f8815459e7b4f6d97082

: end

5 REPLIES 5
Participant

5505 inter-VLAN routing

Hello,

What are the source and destination IP addresses?

Have you tried a packet tracer?

example:

let's say traffic comes from data interface to voice:

packet in data tcp 172.16.2.5 1025 192.16.2.5 80

Regards,

Felipe.

Beginner

5505 inter-VLAN routing

I ran a packet tracer awhile ago and it passed all stages.

Participant

5505 inter-VLAN routing

We need more information so we can help,

Source and destination IPs

output from packet tracer.

Next step will be to take captures.

Regards,

Felipe.

Beginner

5505 inter-VLAN routing

Hi lcambron,

In this packet tracer, I went from 172.16.2.99 to 172.16.3.10 (data to voice):

packet-tracer input data tcp 172.16.2.99 80 172.16.3.10 80 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca149f48, priority=1, domain=permit, deny=false

        hits=45279, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=data, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   172.16.3.0      255.255.255.0   voice

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca14a9f0, priority=2, domain=permit, deny=false

        hits=149, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=data, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca14de40, priority=0, domain=inspect-ip-options, deny=true

        hits=3414, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=data, output_ifc=any

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xca17beb8, priority=0, domain=inspect-ip-options, deny=true

        hits=36355, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=voice, output_ifc=any

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 41374, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: data

input-status: up

input-line-status: up

output-interface: voice

output-status: up

output-line-status: up

Action: allow

Thanks!

Ryan

Beginner

5505 inter-VLAN routing

Hey Ryan,

a couple of things to check:

- Do your clients have the proper gateways assigned? If not, add option 3 to your dhcpd config to manually specify the gateway IP (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_dhcp.html#wp1226197)

- Note that if you are by chance trying to ping the ASA interfaces themselves, you might run into problems:

https://supportforums.cisco.com/thread/2150831

- If you are trying to ping Windows clients, check that the Windows Firewall is disabled.

Hope this helps...