02-01-2013 09:57 AM - edited 03-11-2019 05:55 PM
All,
I am having trouble getting inter-VLAN routing to work on an ASA 5505 with Security Plus. I have tried creating permit ACLs between the VLANs, doing NAT exemptions, etc., but have not had any luck. Trunking seems to work fine because traffic goes from the switch all the way through the firewall fine; it's just when I try to communicate across VLANs that I have issues. The firewall log shows that it is creating and tearing down the connection, but no traffic actually passes.
My sanitized config is below:
ASA Version 8.4(5)
!
hostname CLIENT-FW1
domain-name clientname.com
enable password {snip} encrypted
passwd {snip} encrypted
names
!
interface Ethernet0/0
switchport access vlan 6
!
interface Ethernet0/1
switchport trunk allowed vlan 1-5
switchport trunk native vlan 4000
switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
interface Vlan1
nameif management
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface Vlan2
nameif data
security-level 100
ip address 172.16.2.1 255.255.255.0
!
interface Vlan3
nameif voice
security-level 100
ip address 172.16.3.2 255.255.255.0
!
interface Vlan4
nameif wireless
security-level 100
ip address 172.16.4.1 255.255.255.0
!
interface Vlan5
nameif guest
security-level 0
ip address 172.16.5.1 255.255.255.0
!
interface Vlan6
nameif outside
security-level 0
ip address AA.AA.AA.AA 255.255.255.248
!
boot system disk0:/asa845-k8.bin
ftp mode passive
clock timezone CT -6
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 172.16.2.2
domain-name clientname.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_172.16.1.0_26
subnet 172.16.1.0 255.255.255.192
object network management-network
subnet 172.16.0.0 255.255.255.0
object network voice-network
subnet 172.16.3.0 255.255.255.0
object network data-network
subnet 172.16.2.0 255.255.255.0
object network guest-network
subnet 172.16.5.0 255.255.255.0
object network wireless-network
subnet 172.16.4.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console critical
logging asdm informational
mtu management 1500
mtu data 1500
mtu voice 1500
mtu wireless 1500
mtu guest 1500
mtu outside 1500
ip local pool vpn-network 172.16.1.1-172.16.1.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (data,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_26 NETWORK_OBJ_172.16.1.0_26 no-proxy-arp route-lookup
!
object network management-network
nat (any,outside) dynamic interface
object network voice-network
nat (any,outside) dynamic interface
object network data-network
nat (any,outside) dynamic interface
object network guest-network
nat (any,outside) dynamic interface
object network wireless-network
nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_HRP protocol ldap
aaa-server LDAP_HRP (data) host 172.16.2.2
timeout 5
ldap-base-dn DC=clientname,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http XX.XX.XX.XX 255.255.255.0 outside
http 172.16.0.0 255.255.255.0 management
http 172.16.2.0 255.255.255.0 data
http 172.16.3.0 255.255.255.0 voice
no snmp-server location
no snmp-server contact
sysopt noproxyarp management
sysopt noproxyarp data
sysopt noproxyarp voice
sysopt noproxyarp wireless
sysopt noproxyarp guest
telnet timeout 5
ssh 172.16.0.0 255.255.255.0 management
ssh 172.16.2.0 255.255.255.0 data
ssh XX.XX.XX.XX 255.255.255.0 outside
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 10
dhcpd address 172.16.2.100-172.16.2.250 data
dhcpd dns 8.8.8.8 interface data
dhcpd domain client.local interface data
dhcpd enable data
!
dhcpd address 172.16.3.11-172.16.3.250 voice
dhcpd dns 8.8.8.8 interface voice
dhcpd domain client.local interface voice
dhcpd enable voice
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 149.20.68.17
webvpn
enable outside
anyconnect image disk0:/anyconnect-linux-3.1.02026-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 2
anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 3
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_client internal
group-policy GroupPolicy_client attributes
wins-server none
dns-server value 172.16.2.2
vpn-tunnel-protocol ssl-client
default-domain value clientname.com
{account info redacted}
tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool vpn-network
authentication-server-group LDAP_client
default-group-policy GroupPolicy_client
tunnel-group {snip} webvpn-attributes
group-alias {snip} enable
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0a653b3710e7f8815459e7b4f6d97082
: end
02-01-2013 10:07 AM
Hello,
What are the source and destination IP addresses?
Have you tried a packet tracer?
example:
let's say traffic comes from data interface to voice:
packet in data tcp 172.16.2.5 1025 192.16.2.5 80
Regards,
Felipe.
02-01-2013 10:45 AM
I ran a packet tracer a while ago and it passed all stages.
02-01-2013 10:47 AM
We need more information so we can help:
- Source and destination IPs
- Output from packet tracer.
Next step will be to take captures.
Regards,
Felipe.
02-01-2013 10:51 AM
Hi lcambron,
In this packet tracer, I went from 172.16.2.99 to 172.16.3.10 (data to voice):
packet-tracer input data tcp 172.16.2.99 80 172.16.3.10 80 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca149f48, priority=1, domain=permit, deny=false
hits=45279, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=data, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.3.0 255.255.255.0 voice
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca14a9f0, priority=2, domain=permit, deny=false
hits=149, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=data, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca14de40, priority=0, domain=inspect-ip-options, deny=true
hits=3414, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=data, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xca17beb8, priority=0, domain=inspect-ip-options, deny=true
hits=36355, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=voice, output_ifc=any
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 41374, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: data
input-status: up
input-line-status: up
output-interface: voice
output-status: up
output-line-status: up
Action: allow
Thanks!
Ryan
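Felipe asked for packet-tracer output because each phase of the trace shows which part of the ASA's pipeline (access-list, route lookup, NAT, flow creation) accepted or dropped the simulated packet. The following script is an added example, not code from this thread or from Cisco: it parses the text format Ryan pasted above, reports any phase whose result is not ALLOW, and pulls out the final Action and egress interface so that a trace can be triaged quickly. The first sample is an abbreviated copy of Ryan's passing data-to-voice trace; the second is a constructed failing trace (not from the thread) showing how a DROP phase and the summary's Drop-reason line appear.

```python
import re

# Constructed sample: abbreviated copy of the passing trace posted in this
# thread (data -> voice), keeping only the lines the parser cares about.
TRACE_ALLOW = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
input_ifc=data, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.3.0 255.255.255.0 voice
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Additional Information:
New flow created with id 41374, packet dispatched to next module
Result:
input-interface: data
output-interface: voice
Action: allow
"""

# Constructed sample (not from the thread): a trace denied at the
# access-list phase, with the Drop-reason line the ASA prints in that case.
TRACE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Additional Information:
Result:
input-interface: data
output-interface: voice
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_KEYS = {"Type": "type", "Subtype": "subtype", "Result": "result"}


def parse_packet_tracer(text):
    """Return (phases, summary). Each phase is a dict with its number, type,
    subtype, result and the free-form lines under Config / Additional
    Information; summary maps the keys of the final 'Result:' block."""
    phases, summary, current, in_summary = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "info": []}
            phases.append(current)
            continue
        if line == "Result:":  # a bare 'Result:' opens the final summary block
            in_summary, current = True, None
            continue
        key, sep, val = line.partition(":")
        if in_summary:
            summary[key.strip()] = val.strip()
        elif current is not None:
            if sep and key in PHASE_KEYS:
                current[PHASE_KEYS[key]] = val.strip()
            elif line not in ("Config:", "Additional Information:"):
                current["info"].append(line)
    return phases, summary


def summarize_trace(text):
    """Condense a trace into the facts a troubleshooter wants first."""
    phases, summary = parse_packet_tracer(text)
    blocked = [(p["phase"], p["type"]) for p in phases
               if p["result"].upper() != "ALLOW"]
    return {
        "phases": len(phases),
        "blocked_at": blocked,
        "path": (summary.get("input-interface"), summary.get("output-interface")),
        "action": summary.get("Action", "").lower(),
        "drop_reason": summary.get("Drop-reason"),
    }


def route_lookup_egress(text):
    """Interface chosen by the ROUTE-LOOKUP phase ('in <net> <mask> <ifc>'),
    or None if the trace has no such phase."""
    phases, _ = parse_packet_tracer(text)
    for p in phases:
        if p["type"] == "ROUTE-LOOKUP":
            for line in p["info"]:
                if line.startswith("in "):
                    return line.split()[-1]
    return None


if __name__ == "__main__":
    for name, trace in (("allow", TRACE_ALLOW), ("drop", TRACE_DROP)):
        print(name, summarize_trace(trace), "egress:", route_lookup_egress(trace))
```

A trace that ends in `Action: allow` with no blocked phase, as Ryan's does, means the ASA's own policy path accepted the simulated flow; that is what moves the next reply's attention to the clients (gateway assignment, host firewalls) rather than to more ACL or NAT changes.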
02-02-2013 12:40 AM
Hey Ryan,
a couple of things to check:
- Do your clients have the proper gateways assigned? If not, add option 3 to your dhcpd config to manually specify the gateway IP (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_dhcp.html#wp1226197)
- Note that if you are by chance trying to ping the ASA interfaces themselves, you might run into problems:
https://supportforums.cisco.com/thread/2150831
- If you are trying to ping Windows clients, check that the Windows Firewall is disabled.
Hope this helps...
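The checklist above (same-security interfaces, DHCP clients getting the right gateway) can be checked mechanically against a sanitized `show running-config`. The script below is an added example, not code from this thread or from Cisco: it parses the VLAN interface blocks, the `same-security-traffic` line and the `dhcpd` scopes, then reports interfaces that share a security level without `same-security-traffic permit inter-interface`, DHCP scopes that fall outside their interface's subnet, and DHCP-enabled interfaces with no explicit `dhcpd option 3` gateway. The sample is a constructed excerpt of Ryan's config with one hypothetical `dhcpd option 3 ip ... interface voice` line added, using the option syntax from the DHCP configuration page linked in the reply above.

```python
import ipaddress
import re

# Constructed excerpt of the sanitized config posted in this thread, plus one
# hypothetical 'dhcpd option 3' line on the voice interface for illustration.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif management
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
interface Vlan2
 nameif data
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
interface Vlan3
 nameif voice
 security-level 100
 ip address 172.16.3.2 255.255.255.0
!
interface Vlan5
 nameif guest
 security-level 0
 ip address 172.16.5.1 255.255.255.0
!
same-security-traffic permit inter-interface
dhcpd address 172.16.2.100-172.16.2.250 data
dhcpd enable data
!
dhcpd address 172.16.3.11-172.16.3.250 voice
dhcpd option 3 ip 172.16.3.2 interface voice
dhcpd enable voice
"""


def parse_config(cfg):
    """Return (interfaces by nameif, dhcp scopes by nameif, same_security flag)."""
    ifaces, dhcp, cur, same_sec = {}, {}, None, False
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            cur = {"nameif": None, "security": None, "ip": None, "mask": None}
            continue
        if s == "!":
            cur = None
            continue
        if cur is not None and s.startswith(("nameif ", "security-level ", "ip address ")):
            parts = s.split()
            if parts[0] == "nameif":
                cur["nameif"] = parts[1]
            elif parts[0] == "security-level":
                cur["security"] = int(parts[1])
            else:
                cur["ip"], cur["mask"] = parts[2], parts[3]
            if cur["nameif"]:
                ifaces[cur["nameif"]] = cur
            continue
        if s == "same-security-traffic permit inter-interface":
            same_sec = True
        m = re.match(r"dhcpd address (\S+)-(\S+) (\S+)$", s)
        if m:
            dhcp.setdefault(m.group(3), {})["range"] = (m.group(1), m.group(2))
        m = re.match(r"dhcpd option 3 ip (\S+) interface (\S+)$", s)
        if m:
            dhcp.setdefault(m.group(2), {})["option3"] = m.group(1)
        m = re.match(r"dhcpd enable (\S+)$", s)
        if m:
            dhcp.setdefault(m.group(1), {})["enabled"] = True
    return ifaces, dhcp, same_sec


def check_config(cfg):
    """Return a list of human-readable findings; empty means nothing to flag."""
    ifaces, dhcp, same_sec = parse_config(cfg)
    findings = []
    by_level = {}
    for name, i in ifaces.items():
        if i["security"] is not None:
            by_level.setdefault(i["security"], []).append(name)
    for level, names in by_level.items():
        if len(names) > 1 and not same_sec:
            findings.append(f"security-level {level} shared by {sorted(names)} but "
                            "'same-security-traffic permit inter-interface' is missing")
    for name, scope in dhcp.items():
        if not scope.get("enabled"):
            continue
        iface = ifaces.get(name)
        if iface is None or iface["ip"] is None:
            findings.append(f"dhcpd enabled on {name} but no addressed interface uses that nameif")
            continue
        net = ipaddress.ip_network(f"{iface['ip']}/{iface['mask']}", strict=False)
        start, end = scope.get("range", (None, None))
        if start and (ipaddress.ip_address(start) not in net
                      or ipaddress.ip_address(end) not in net):
            findings.append(f"{name}: dhcpd scope {start}-{end} is outside {net}")
        gw = scope.get("option3")
        if gw is None:
            findings.append(f"{name}: no explicit 'dhcpd option 3'; confirm clients get gateway {iface['ip']}")
        elif ipaddress.ip_address(gw) not in net:
            findings.append(f"{name}: dhcpd option 3 gateway {gw} is not in {net}")
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG):
        print("-", f)
```

Run it against the sanitized config first, then against the edited copy you intend to apply; a finding about a missing `option 3` is a prompt to verify the gateway on a client (`ipconfig /all` or `ip route`), which is the check the reply above asks for, not proof of a misconfiguration.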