Cisco ASA 5525 VLANs

Mirzo
Level 1

Dear all,

I have an issue between VLANs. I created 8 VLANs on a port-channel on a Cisco ASA 5525. I tried to ping between two VLANs, but the ping showed "time out". Could you suggest how to configure my ASA so that traffic between two VLANs works?

Sorry for my bad English.

BR
Mirzo


shaps
Level 3
Hi,
By default the ASA will block pings. You can use an inspect icmp global policy to allow pings through between different networks.
Rob

Hi Shaps,

How do I do it? Could you send me an example?

Thank you

To enable ICMP inspection, use the link below.

https://www.speaknetworks.com/enable-icmp-inspection-to-allow-ping-traffic-passing-asa/

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Try this:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s1.html#wp1422126

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hi Kasun Bandara,
See my config below:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxxx xxxx standby xxxxx
!
interface GigabitEthernet0/1
description LAN Failover Interface
!
interface GigabitEthernet0/2
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
interface Port-channel1
lacp max-bundle 8
nameif inside
security-level 100
no ip address
!
interface Port-channel1.10
vlan 10
nameif M
security-level 100
ip address 172.18.1.254 255.255.255.0 standby 172.18.1.253
!
interface Port-channel1.20
vlan 20
nameif S
security-level 100
ip address 172.18.2.254 255.255.255.0 standby 172.18.2.253
!
interface Port-channel1.30
vlan 30
nameif D
security-level 100
ip address 172.18.3.254 255.255.255.0 standby 172.18.3.253
!
interface Port-channel1.40
vlan 40
nameif I
security-level 100
ip address 172.18.4.254 255.255.255.0 standby 172.18.4.253
!
interface Port-channel1.50
vlan 50
nameif D
security-level 100
ip address 172.18.5.254 255.255.255.0 standby 172.18.5.253
!
interface Port-channel1.60
vlan 60
nameif I
security-level 100
ip address 172.18.6.254 255.255.255.0 standby 172.18.6.253
!
interface Port-channel1.70
vlan 70
nameif A
security-level 100
ip address 172.18.7.254 255.255.255.0 standby 172.18.7.253
!
interface Port-channel1.80
vlan 80
nameif N
security-level 100
ip address 172.18.8.254 255.255.255.0 standby 172.18.8.253
!
interface Port-channel1.90
vlan 90
nameif I
security-level 100
ip address 172.18.9.254 255.255.255.0 standby 172.18.9.253
!
ftp mode passive
clock timezone TJT 5
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network S
subnet 172.18.2.0 255.255.255.0
object network E
subnet 172.18.3.0 255.255.255.0
object network I
subnet 172.18.4.0 255.255.255.0
object network D
subnet 172.18.5.0 255.255.255.0
object network I
subnet 172.18.6.0 255.255.255.0
object network A
subnet 172.18.7.0 255.255.255.0
object network IN
subnet 172.18.8.0 255.255.255.0
object network N
subnet 172.18.9.0 255.255.255.0
object network M
subnet 172.18.1.0 255.255.255.0
access-list all extended permit ip any any
access-list icmp extended permit icmp any any
pager lines 24
logging enable
logging message 325007 level warnings
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/1
failover key *****
failover interface ip failover 10.50.50.1 255.255.255.252 standby 10.50.50.2
route outside 0.0.0.0 0.0.0.0 xxxx 1

Try with the command below:

policy-map global_policy
   class inspection_default
   inspect icmp

If you are using ASDM, go to the Service Policy menu and edit the global service policy to enable ICMP inspection.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

I did these steps, but it does not help me.

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection

My PC IP is 172.18.2.25. When I ping the GW 172.18.2.254 the ping succeeds. Then I try to ping the other GW 172.18.3.254, where the other VLAN is installed, and my ping shows time out. I can't reach the other VLANs.

It may be worth removing the ACLs and letting the security zones do their thing. Failing that, check the hit count on the ACL and/or run a packet capture and show all denied traffic, something like:
capture NAME type asp-drop all real-time
This should help you see what is going on.
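An added check, not code from anyone in this thread: a small Python audit run over a constructed excerpt of the config posted above. It flags the points the replies raise (nameif values that repeat, which the ASA requires to be unique, although in the posted config the repeats may only be masking; whether same-security inter-interface traffic is permitted; whether inspect icmp is in the global policy; and ACLs that are defined but never applied with access-group). The config text and the audit function are both assumptions for illustration.

```python
import re
from collections import Counter

# Constructed excerpt of the ASA config posted in this thread (not the full config).
ASA_CONFIG = """\
interface Port-channel1.10
 vlan 10
 nameif M
 security-level 100
 ip address 172.18.1.254 255.255.255.0 standby 172.18.1.253
!
interface Port-channel1.30
 vlan 30
 nameif D
 security-level 100
 ip address 172.18.3.254 255.255.255.0 standby 172.18.3.253
!
interface Port-channel1.50
 vlan 50
 nameif D
 security-level 100
 ip address 172.18.5.254 255.255.255.0 standby 172.18.5.253
!
same-security-traffic permit inter-interface
access-list all extended permit ip any any
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
"""


def audit_asa_config(cfg: str) -> dict:
    """Return the findings a reviewer would check for inter-VLAN reachability."""
    nameifs = re.findall(r"^\s*nameif (\S+)", cfg, re.M)
    # nameif must be unique per interface; repeats would be rejected by the ASA.
    dup_nameifs = sorted(n for n, c in Counter(nameifs).items() if c > 1)
    acls = set(re.findall(r"^access-list (\S+) ", cfg, re.M))
    applied = set(re.findall(r"^access-group (\S+) ", cfg, re.M))
    return {
        "duplicate_nameif": dup_nameifs,
        # Needed so traffic may pass between interfaces at the same security level.
        "same_security_inter": bool(
            re.search(r"^same-security-traffic permit inter-interface", cfg, re.M)),
        # Plain "inspect icmp" only; "inspect icmp error" is a separate inspection.
        "icmp_inspected": bool(re.search(r"^\s*inspect icmp\s*$", cfg, re.M)),
        # ACLs defined but never bound to an interface do nothing.
        "unapplied_acls": sorted(acls - applied),
    }
```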