VLAN3 Routing Issues ASA5505

liskoe
Level 1

My search-fu has failed me and I'm hoping someone here can point me in the right direction:

I'm having an issue with routing my traffic to a 3rd Vlan on my ASA5505.

I have my internal VLAN as VLAN1, it is IP address range 10.10.16.xxx
I need this network to be able to access resources on 2 separate outside networks.

VLAN2 is 192.168.16.xx, and I have ZERO problems getting traffic between VLAN1 and VLAN2.

VLAN3 is 10.1.xx.xx and I am able to ping addresses on VLAN3 from within the ASA, but I am unable to ping or pass traffic from VLAN1 to VLAN3.

My configs (With passwords and outside addresses masked of course) are:

ASA Version 8.0(4)
!
hostname ciscoasa
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.16.1 255.0.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.16.6 255.255.255.0
!
interface Vlan3
no forward interface Vlan2
nameif outside2
security-level 50
ip address 10.1.6.36 255.255.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.16.10
access-list INSIDE extended permit icmp any any
access-list INSIDE extended permit ip any any
access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE2 extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu SJC 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INSIDE in interface inside
access-group OUTSIDE in interface outside
access-group OUTSIDE2 in interface outside2
route outside 0.0.0.0 0.0.0.0 75.XX.XX.XX 1
route outside 75.XX.XX.XX 255.255.255.255 192.168.16.22 1
route outside 192.168.0.0 255.255.0.0 192.168.16.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.10.16.10
dhcpd domain sjcca.ad
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:55e8206ac7f658b009416f6…
: end

I'm using the basic license in this ASA, and since VLAN2 and VLAN3 are both outside it's fine for them to not pass traffic to each other. VLAN1 can pass traffic to VLAN2 no problem, and get replies back no problem. However, when I try to pass traffic to an address in VLAN3 I get timed-out errors on both ICMP and IP traffic. HOWEVER: from within the ASA I can ping addresses on all 3 VLANs. What am I missing to allow traffic from VLAN1 access to resources on both VLAN2 and VLAN3?

Thanks!

1 Accepted Solution: the reply below diagnosing a license issue (after the show version output) was marked as the accepted solution.

7 Replies

Allen P Chen
Level 5

Hello,

A couple of thoughts here:

interface Vlan1
nameif inside
security-level 100
ip address 10.10.16.1 255.0.0.0

Not sure why you are using a /8 for the inside interface, as this would include the IP that is assigned to VLAN3 (10.1.6.36/16, which falls within 10.0.0.0/8).  VLAN1 and VLAN3 should not be in the same subnet, this needs to be corrected.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

The issue is you are requiring NAT to take place when traffic is originated from behind the inside interface.  You can resolve the issue by PAT'ing traffic to the DMZ interface:

global (outside2) 1 interface

With this configuration, when traffic from inside is destined to a host behind outside2, the traffic will be PAT'ed to the outside2 interface IP of 10.1.6.36. 

If you would like the IP to not be PAT'ed, then you can use this static NAT configuration:

static (inside,outside2)  mask

This will allow traffic to pass from VLAN1 to VLAN3 using its own IP address. 

Hope this helps.
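The two NAT fixes from the reply above, together with the mask correction, written out as an added example for this thread (it is not configuration from the original post or from Cisco). It uses ASA 8.0(4) pre-8.3 NAT syntax. The /24 for VLAN1 and the VLAN3 host 10.1.6.10 used in the check are assumptions. One caveat a practitioner should keep in mind: the poster's show version output shows "VLANs: 3, DMZ Restricted" (Base license), and the "no forward interface Vlan2" line on Vlan3 is exactly the restriction that license imposes (VLAN3 cannot initiate traffic to VLAN2); it does not on its own block traffic that inside initiates toward VLAN3, so the changes below are worth running through packet-tracer before concluding that only a license upgrade will help.

```cisco
! Added example, not from the thread. ASA 8.0(4) syntax. Assumes VLAN1 is
! meant to be 10.10.16.0/24 and VLAN3 10.1.0.0/16 (the poster never states
! the intended VLAN1 size, so /24 is an assumption).
!
! 1. Stop the overlap: a /8 on inside swallows the whole 10.1.0.0/16 VLAN3
!    range, and any inside host that also carries a /8 mask will ARP for
!    10.1.x.x locally instead of sending it to its gateway 10.10.16.1.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.16.1 255.255.255.0
!
! 2a. Give nat id 1 a global on outside2 so inside->outside2 flows have a
!     translation (PAT to the outside2 address 10.1.6.36). With a matching
!     nat statement but no global on the egress interface, the ASA drops
!     the packet even though the route and the ACLs are fine.
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! 2b. Alternative: identity NAT so VLAN3 hosts see the real 10.10.16.x
!     source address. A static takes precedence over nat/global for the
!     traffic it matches, so it can coexist with 2a or replace the
!     outside2 global.
static (inside,outside2) 10.10.16.0 10.10.16.0 netmask 255.255.255.0
!
! 3. Check before touching hosts: walk a simulated ping through the box.
!    Expect the route lookup to pick outside2, the NAT phase to hit the
!    new global or static, and "Action: allow". 10.1.6.10 is a made-up
!    VLAN3 host for the test.
packet-tracer input inside icmp 10.10.16.50 8 0 10.1.6.10
!
! After a real ping from an inside host, the translation should appear here.
show xlate
```

The interface change only fixes the ASA's view of the network; hosts on VLAN1 must also be renumbered to the /24, so renew their leases (the ASA's dhcpd hands out the interface's mask) or fix static addresses before testing.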

This has been a very helpful answer. I'll be trying out your suggestions this afternoon and I'll reply back if this resolved my issues. I hadn't thought of the subnet issues on the VLAN1 interface. (Admittedly I'm weak when it comes to mastering subnets.) If I was to stay with the 10.10 scheme, would you suggest that I go with 10.10.16.x/24, or should I consider overhauling the whole thing (now is the time to do so) and go with something smaller like 172.16.0.0/12?

Hello,

"If I was to stay with the 10.10 scheme would you suggest that I go with 10.10.16.x/24 or should i consider overhauling the whole thing (Now is the time to do so) and go with something smaller like 172.16.0.0/12?"

With subnetting, the important number is the number behind the slash (/).  In your example, 10.10.16.x/24 is actually smaller than 172.16.0.0/12.

10.10.16.x/24 will allow 254 hosts within the subnet, while 172.16.0.0/12 will allow 1,048,574 hosts within the subnet.  You can use an online subnet calculator to check:

http://www.subnet-calculator.com/

The number of hosts that needs to be supported in a subnet should determine the subnet mask to use.  For most small networks, /24 is enough.

Hope this helps.

Can you supply us with show version output?

There is a licensing issue that might be at work here.

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 1 day 2 hours

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0    : address is 0023.XXXX.XXXX, irq 11
1: Ext: Ethernet0/0         : address is 0023.XXXX.XXXX, irq 255
2: Ext: Ethernet0/1         : address is 0023.XXXX.XXXX, irq 255
3: Ext: Ethernet0/2         : address is 0023.XXXX.XXXX, irq 255
4: Ext: Ethernet0/3         : address is 0023.XXXX.XXXX, irq 255
5: Ext: Ethernet0/4         : address is 0023.XXXX.XXXX, irq 255
6: Ext: Ethernet0/5         : address is 0023.XXXX.XXXX, irq 255
7: Ext: Ethernet0/6         : address is 0023.XXXX.XXXX, irq 255
8: Ext: Ethernet0/7         : address is 0023.XXXX.XXXX, irq 255
9: Int: Internal-Data0/1    : address is 0000.XXXX.XXXX, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 50
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has a Base license.

Serial Number: JMXXXXXXXXXXXX
Running Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXX

Configuration register is 0x1
Configuration last modified by enable_15 at 16:37:44.077 UTC Mon Jun 13 2011

I think you have license issues...

Here is a link:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html

I know it's an old one, but nothing changed as far as I know. That is not a full DMZ, so it cannot initiate traffic, it can only reply to requests coming from the other 2 interfaces (or something like that).

Also, don't mix 10.0.0.0/8 with 10.1.0.0/16 networks, so change your 255.0.0.0 to a 255.255.0.0 mask, but I don't think it is your issue.

Thanks to all the great answers, everyone. It is indeed the license issue. Sadly, I don't have the $500 to upgrade, so I'm trying a different solution which is proving... interesting. I'll be posting a different discussion in the proper section for help with that issue.
