Re: Moving from ASA 5505 to 5510 - VLAN Issue - Page 2

jones-jeremy · ‎12-12-2012

I am changing out a Cisci 5505 for a 5510, however i am having issue with the vlans

With the 5505 in place eveything was working well, upgraded to a 5510

The devices behind the FW on the 192.168.x.x network can no longer communicate.

THe configs are basically identical up to the Interfaces.

The issue is the VLANs, however i am not sure how to get past it.

ASA 5505 Config

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.X.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address X.X.X.X 255.255.255.252

ASA 5510 COnfiguration

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address x.x.x.X 255.255.255.252

!

interface Ethernet0/1

no nameif

security-level 100

no ip address

!

interface Ethernet0/2

no nameif

security-level 100

no ip address

!

interface Ethernet0/3

no nameif

security-level 100

no ip address

!

interface Management0/0

nameif Inside

security-level 100

ip address 192.168.X.1 255.255.255.0

Jouni Forss · ‎12-13-2012

Hi,

Can you post the actual log message.

Whats strange to me is that the traffic is even coming to your firewall.

You shouldnt need the ASA firewall at all when you are connection from a host on 192.168.x.0/24 to another host on the same network.

Is the case at the moment so that every pc behind the ASA can reach Internet but the pcs can't connect to eachother?

- Jouni

jones-jeremy · ‎12-13-2012

All the devices behind can browse without issue.

Here is the the message, it only started showing up after the "same-security-traffic permit intra-interface" command

3 Dec 13 2012 12:48:41 305006 192.168.x.6 7 portmap translation creation failed for tcp src Inside:192.168.x.5/7 dst Inside:192.168.x.6/7

Jouni Forss · ‎12-13-2012

Hi,

Well this is strange.

So all traffic to Internet is working but traffic inside the LAN isnt working AND is for some reason getting forwarded to the ASA even though the PCs should see eachother in the subnet without help from any router.

Are you sure that there is no Private Vlan type configurations on the switch? That the switch would prevent communicating with any other port other than the uplink to ASA? I'm not too familiar with the specifics of the Private Vlan switch configurations but I just cant imagine what the problem could be in such a simple setup.

If you have Windows machines, can you do

Windows/Start menu
Run
Type -> cmd
Type -> arp -a
- Does the ARP table list the other hosts in the same switch or only the default gateway?

- Jouni

jones-jeremy · ‎12-16-2012

THank you for your help.. It works now.

I rebooted all devices behind the firewall and everthing is good now.

Thank you again

cadet alain · ‎12-13-2012

Hi,

ok yep you're right , gonna give you 5 for showing me that sometimes it's worth thinking before posting.

Regards.

Alain

Don't forget to rate helpful posts.