Welcome to Cisco Firewalls Community
ASA 5520 access to trunked VLANs from inside network

I have an ASA 5520 that has 3 VLANs trunked to it using sub-interfaces.  My management VLAN is the inside network.  What I'm trying to do is allow all traffic from the inside network to the other two VLANs so I can manage devices on those VLANs from the inside (management) VLAN.

The network topology is a little bit weird, but let me try and describe it to you.

I have a Cisco C3560G that has the ports divided up into 3 VLANs, with g0/32 being a trunk to the ASA g0/1 interface:

kat#sh run int g0/32
Building configuration...

Current configuration : 171 bytes
!
interface GigabitEthernet0/32
 description VLAN 10-12 to ASA g0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-12
 switchport mode trunk
end

kat#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/49, Gi0/50, Gi0/51, Gi0/52
10   internal                         active    Gi0/1, Gi0/2, Gi0/3, Gi0/4, Gi0/5, Gi0/6
                                                Gi0/7, Gi0/8, Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16, Gi0/41
                                                Gi0/42, Gi0/43, Gi0/44, Gi0/45, Gi0/46
                                                Gi0/47, Gi0/48
11   malware                          active    Gi0/17, Gi0/18, Gi0/19, Gi0/20, Gi0/21
                                                Gi0/22, Gi0/23, Gi0/24, Gi0/25, Gi0/26
                                                Gi0/27, Gi0/28, Gi0/29, Gi0/30, Gi0/31
12   mining                           active    Gi0/33, Gi0/34, Gi0/35, Gi0/36, Gi0/37
                                                Gi0/38, Gi0/39, Gi0/40
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
11   enet  100011     1500  -      -      -        -    -        0      0
12   enet  100012     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

The ASA used to be the primary gateway for all 3 VLANs, but now it's only the gateway using NAT for the inside network.  The other two VLANs have their own gateways that run through a VPN tunnel.

VLAN 10: 10.0.10.0/24 -> 10.0.10.1 (ASA)
VLAN 11: 10.0.11.0/24 -> 10.0.11.1 (pfSense firewall w/VPN tunnel)
VLAN 12: 10.0.12.0/24 -> 10.0.12.1 (Linksys WRT3200 w/VPN tunnel)

My running config on the ASA 5520:

asa(config-subif)# show run
: Saved
:
: Serial Number: JMX1321L13X
: Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)23
!
hostname asa
domain-name int.redacted.com
enable password aPm5byzadEJJiPH6 encrypted
names
!
interface GigabitEthernet0/0
 description Verizon Fios uplink
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 description Internal/Management VLAN
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1.11
 description Malware VLAN
 vlan 11
 nameif malware
 security-level 10
 ip address 10.0.11.254 255.255.255.0
!
interface GigabitEthernet0/1.12
 description Mining VLAN
 vlan 12
 nameif mining
 security-level 90
 ip address 10.0.12.2 255.255.255.0
!
interface GigabitEthernet0/2
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup mining
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name int.redacted.com
dns server-group inside
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name int.redacted.com
dns server-group malware
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name mal.redacted.com
dns server-group mining
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name mine.redacted.com
dns-group inside
object network inside
 subnet 10.0.10.0 255.255.255.0
 description Internal network
object network malware
 subnet 10.0.11.0 255.255.255.0
 description Malware network
object network mining
 subnet 10.0.12.0 255.255.255.0
 description Mining network
object network revive-http
 host 10.0.12.254
object network revive-api
 host 10.0.12.254
access-list revive-acl extended permit ip any object revive-api
access-list revive-acl extended permit ip any object revive-http
pager lines 1024
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu malware 1500
mtu mining 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside
 nat (inside,outside) dynamic interface
object network revive-http
 nat (mining,outside) static interface service tcp www 5500
object network revive-api
 nat (mining,outside) static interface service tcp 5555 5555
access-group revive-acl in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.10.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh cipher encryption all
ssh cipher integrity all
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 10.0.10.100-10.0.10.225 inside
dhcpd enable inside
!
dhcpd address 10.0.11.100-10.0.11.225 malware
!
dhcpd address 10.0.12.100-10.0.12.225 mining
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.138.141.172
username jfa password 8gOcVb0zTsNHS6Ne encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map expressvpn
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1b76a58ca9515d95915376aa143d809f
: end

From the ASA I can ping devices on any of the VLANs as expected.  I know this is probably something super simple, but I'm pretty green.

So, in summary, VLAN 10 just needs to be able to access hosts on VLANs 11 & 12:

Yes: 10.0.10.0/24 -> 10.0.11.0/24
Yes: 10.0.10.0/24 -> 10.0.12.0/24

No: 10.0.11.0/24 -> 10.0.10.0/24
No: 10.0.11.0/24 -> 10.0.12.0/24

No: 10.0.12.0/24 -> 10.0.10.0/24
No: 10.0.12.0/24 -> 10.0.11.0/24

Thank you in advance for your help!
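An added configuration example for the requirement summarised above (VLAN 10 reaches VLANs 11 and 12, nothing comes back the other way). This is not part of the original post and not the poster's running config. Two things follow from the details given: first, the ASA applies no access-group to the inside interface, so inside (security-level 100) to malware (10) and mining (90) is already permitted by default, which points at the return path rather than the ACL as the likely problem: hosts on VLAN 11 and 12 use pfSense (10.0.11.1) and the WRT3200 (10.0.12.1) as their default gateway, so their replies to 10.0.10.0/24 are routed to those boxes instead of back to the stateful ASA that built the connection. Second, mining (level 90) to malware (level 10) is higher-to-lower and is permitted by default, which contradicts the "No: 10.0.12.0/24 -> 10.0.11.0/24" line, so the one-way policy should be written out explicitly. The object-group and ACL names (internal-nets, malware_in, mining_in) and the host addresses in the packet-tracer commands are hypothetical.

```cisco
! Added example, not the poster's running config (see the assumptions above).
! Object-group and ACL names below are hypothetical.

! --- 1. Hide inside hosts behind the ASA's own sub-interface address ---
! "object network inside" already carries the (inside,outside) object NAT rule
! and an object takes only one NAT statement, so use manual (twice) NAT here.
! Hosts on VLAN 11/12 then reply to a directly connected address (10.0.11.254
! or 10.0.12.2) and the reply reaches the ASA even though their default
! gateway is pfSense / the WRT3200.
nat (inside,malware) source dynamic inside interface
nat (inside,mining)  source dynamic inside interface

! --- 2. Enforce the one-way policy explicitly, not via security levels ---
object-group network internal-nets
 network-object object inside
 network-object object malware
 network-object object mining

! Malware VLAN: may reach the Internet / its own VPN path, never another VLAN.
! Replies to inside-initiated connections still pass: the ASA is stateful and
! matches them against the existing conn before the interface ACL.
access-list malware_in extended deny ip any object-group internal-nets
access-list malware_in extended permit ip any any
access-group malware_in in interface malware

! Mining VLAN: same rule; without this ACL mining (90) -> malware (10) would be
! allowed by default because it is higher-to-lower security.
access-list mining_in extended deny ip any object-group internal-nets
access-list mining_in extended permit ip any any
access-group mining_in in interface mining

! No access-group is needed on inside (100): higher-to-lower is the default.

! --- 3. Verify on the ASA before touching any host ---
! Expected result: ALLOW, with the NAT phase showing the source translated
! to the malware sub-interface address 10.0.11.254.
packet-tracer input inside tcp 10.0.10.50 40000 10.0.11.20 22 detailed
! Expected result: DROP in the ACCESS-LIST phase (mining_in).
packet-tracer input mining tcp 10.0.12.50 40000 10.0.11.20 22
! After a real SSH session from a VLAN 10 host, the translation and the
! connection are visible here:
show xlate
show conn address 10.0.11.20
```

Because of step 1, devices on VLAN 11 and 12 see management sessions arriving from 10.0.11.254 and 10.0.12.2 rather than from the individual VLAN 10 host, so any host firewall rule or audit log on those devices has to account for that address. `same-security-traffic permit inter-interface` is not required here since all three sub-interfaces have different security levels.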