563 Views, 0 Helpful, 4 Replies

asa 5505 inter vlan routing

Allen Smith
Level 1

Hello,


We are running out of IPs. I created a superscope on our Microsoft DHCP server, 192.168.1.0-192.168.3.254

We have an ASA 5505 (no router) and L2 Cisco switches (SG300)

Clients get proper IPs from DHCP, but cannot communicate between subnets

I can ping out to 8.8.8.8 but not with a qualified name

Can this be done with L2 devices?

I have one VLAN on the ASA and switches

Do I need to create VLAN 2 for the other subnets?

Do I need a network object on the ASA for each subnet?

Static route from the network object to the gateway?

This is a 24/7 environment, very difficult to test live

Thanks very much

4 Replies

petenixon
Level 3

What is your current gateway device, is it the ASA?

You can't do this solely at layer 2, you will need to configure an additional vlan on your access switches and the ASA.

Can you post your ASA config? It will make it easier to provide a solution :)

OK, thanks a lot

ASA Version 7.2(4) 
!
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.252.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address  255.255.255.248 
!
interface Vlan12
 no forward interface Vlan1
 nameif dmz
 security-level 90
 ip address 10.10.10.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 12
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name eagleindinc.local
same-security-traffic permit intra-interface
object-group service mailserver tcp
 port-object eq 3389
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq smtp
object-group service ftpserver tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq ssh
object-group network MXtoolbox
 network-object 208.123.79.0 255.255.255.0
 network-object 64.18.0.0 255.255.240.0
 network-object 70.90.41.0 255.255.255.0
object-group service SolarSoft tcp-udp
 description udp397
 port-object eq 397
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group service UDP397 udp
 description SolarSofts UDP
 port-object eq 397
object-group service tcp397 tcp
 description SolarSofts 397 port
 port-object eq 397
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object udp
 protocol-object tcp
object-group network BH
 network-object host BlockedHoste
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended deny object-group DM_INLINE_PROTOCOL_3 host  any 
access-list outside_access_in extended deny ip host  any 
access-list outside_access_in extended deny ip host  any 
access-list outside_access_in extended deny ip host  any 
access-list outside_access_in extended permit tcp any host  eq smtp 
access-list outside_access_in extended permit tcp any host  object-group mailserver 
access-list outside_access_in extended permit icmp host  any 
access-list outside_access_in extended permit tcp host  host  object-group tcp397 
access-list outside_access_in extended permit udp host  host  object-group UDP397 
access-list outside_access_in extended permit tcp any host  object-group ftpserver 
access-list outside_access_in extended permit tcp any host  eq https 
access-list outside_access_in remark testing incoming from mark c
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host  any 
access-list outside_access_in remark Dale Showers Home connection
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host  any inactive 
access-list remoteusers_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list remoteusers_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list edi extended permit ip host 192.168.1.123 any 
access-list edi extended permit ip any host 192.168.1.123 
access-list inside_access_in extended deny object-group DM_INLINE_PROTOCOL_4 object-group BH any 
access-list inside_access_in extended deny tcp any host  eq smtp 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any 
access-list inside_access_in extended permit icmp any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn 192.168.15.0-192.168.15.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp interface smtp 192.168.1.12 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.1.116 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.1.12 https netmask 255.255.255.255 
static (inside,outside) tcp interface imap4 192.168.1.116 imap4 netmask 255.255.255.255 
static (inside,outside)  192.168.1.149 netmask 255.255.255.255 
static (inside,outside)  192.168.1.159 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.254.0 255.255.255.0 192.168.1.1 1
route outside 0.0.0.0 0.0.0.0 207.243.48.25 1
timeout xlate 15:00:00
timeout conn 15:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 192.168.1.3
 timeout 5
 nt-auth-domain-controller AD1
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment timeout 15 inside
fragment timeout 15 outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.10.10.50-10.10.10.55 dmz
dhcpd dns 10.10.10.11 interface dmz
dhcpd option 3 ip 10.10.10.1 interface dmz
dhcpd enable dmz
!
priority-queue outside
ntp server  prefer
group-policy remoteusers internal
group-policy remoteusers attributes
 dns-server value 192.168.1.3 192.168.1.3
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteusers_splitTunnelAcl
 default-domain value eagleindinc.local
username 
tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
 address-pool vpn
 authentication-server-group ActiveDirectory LOCAL
 default-group-policy remoteusers
tunnel-group remoteusers ipsec-attributes
 pre-shared-key 
!
class-map edi_traffic
 match access-list edi
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect icmp 
policy-map QoS_policy
 class edi_traffic
  priority
!
service-policy global_policy global
service-policy QoS_policy interface outside


Hi,

Looking through the config, I'm guessing the 192.168.0.0/22 (vlan 1) subnet is the one that's currently running out of address space and you need to configure the next subnet on a new vlan?

Switch Config:

You will need to define the new vlan on your switches (vlan 3), and configure the access ports on the switches as trunk ports.

ASA Config:

Change the ASA access ports (connecting to your switches) into trunk ports:

int e0/0
switchport mode trunk
switchport trunk encapsulation dot1q

int e0/1
switchport mode trunk
switchport trunk encapsulation dot1q

Define the new vlan on the ASA:

interface vlan 3
nameif inside2
security-level 100
ip address 192.168.7.254 255.255.252.0 (I have defined the last available address in the subnet but you can change this to match your DHCP scope gateway address)


Permit communications between two interfaces:

same-security-traffic permit inter-interface (this won't bypass any ACLs you create on those interfaces)

NAT:

nat (inside2) 1 0.0.0.0 0.0.0.0

DHCP:

If your DHCP server does not have an interface in the new subnet, you will need to configure a DHCP relay.

dhcprelay server <dhcp ip address> <inside or dmz interface, whichever interface your dhcp sits on>
dhcprelay enable inside2
dhcprelay setroute inside2
dhcprelay timeout 60


Your issue is that you are running the Base license on the ASA, so creating however many VLANs on the L2 switch will not help in routing between the subnets, as you would need a device to do the routing, in this case the ASA.

Without the Security Plus license you will not be able to have more than 3 active VLANs, you will not be able to create trunk ports, and the 3rd VLAN will only be able to communicate with one other VLAN.

So unless you put a router between your ASA and the inside network you will need to upgrade to the Security Plus license.

--

Please remember to select a correct answer and rate helpful posts
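Added example (my own script, not from the thread and not Cisco code): a short Python check to run against the posted config before anything is changed on a 24/7 network. It parses the VLAN interface blocks and the `route inside 192.168.2.0` line from a trimmed copy of the posted ASA 7.2(4) config (redacted lines left out), plus a constructed list of DHCP scopes: the superscope from the question, assumed here to be three /24 scopes whose router option is the ASA inside address, which the thread does not state. It reports static routes that are more specific than a connected subnet, scopes whose mask or router option does not agree with the ASA interface that covers them, scopes that no interface covers, the `no forward interface` restriction on the third VLAN, and whether adding the Vlan3 from the second reply would exceed the three-VLAN ceiling the last reply quotes for the Base license. `DHCP_SCOPES`, `PROPOSED_VLAN3` and `BASE_LICENSE_MAX_VLANS` are the assumptions to edit for your own network.

```python
"""Added example (not from the thread or from Cisco): sanity-check the
ASA 5505 addressing plan from a trimmed copy of the posted config plus
constructed DHCP scopes, before touching a 24/7 network."""
import ipaddress
import re

# Trimmed from the posted config: VLAN interface blocks and one inside route.
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.254 255.255.252.0
!
interface Vlan2
 nameif outside
!
interface Vlan12
 no forward interface Vlan1
 nameif dmz
 ip address 10.10.10.1 255.255.255.0
!
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
"""

# The extra inside VLAN proposed in the second reply, same format.
PROPOSED_VLAN3 = """\
interface Vlan3
 nameif inside2
 ip address 192.168.7.254 255.255.252.0
!
"""

# Constructed: the superscope from the question, ASSUMED split into three /24
# scopes that hand out the ASA inside address as router; edit to match yours.
DHCP_SCOPES = [
    ("192.168.1.0/24", "192.168.1.254"),
    ("192.168.2.0/24", "192.168.1.254"),
    ("192.168.3.0/24", "192.168.1.254"),
]

BASE_LICENSE_MAX_VLANS = 3  # ceiling quoted in the thread's last reply


def parse_config(text):
    """Return (interfaces keyed by nameif, [(ifname, dest_net, next_hop)])."""
    interfaces, routes, cur = {}, [], None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"interface (Vlan\d+)$", s)
        if m:
            cur = {"vlan": m.group(1), "nameif": None, "addr": None, "no_forward": None}
        elif s == "!":
            if cur and cur["nameif"]:
                interfaces[cur["nameif"]] = cur
            cur = None
        elif cur is not None:
            if s.startswith("nameif "):
                cur["nameif"] = s.split()[1]
            elif s.startswith("ip address "):
                ip, mask = s.split()[2:4]
                cur["addr"] = ipaddress.ip_interface(f"{ip}/{mask}")
            elif s.startswith("no forward interface "):
                cur["no_forward"] = s.split()[-1]
        elif s.startswith("route "):
            _, ifname, net, mask, gw = s.split()[:5]
            routes.append((ifname, ipaddress.ip_network(f"{net}/{mask}"),
                           ipaddress.ip_address(gw)))
    return interfaces, routes


def check(config_text, scopes=DHCP_SCOPES, max_vlans=BASE_LICENSE_MAX_VLANS):
    """Return [(code, message)] findings; an empty list means nothing to fix."""
    interfaces, routes = parse_config(config_text)
    connected = {n: i["addr"].network for n, i in interfaces.items() if i["addr"]}
    out = []
    if len(interfaces) > max_vlans:
        out.append(("vlan-limit", f"{len(interfaces)} named VLAN interfaces, Base license allows {max_vlans}"))
    for name, i in interfaces.items():
        if i["no_forward"]:
            out.append(("restricted-vlan", f"{name} cannot initiate traffic to {i['no_forward']}"))
    # A static route more specific than a connected subnet wins the lookup, so hosts
    # in that prefix are sent to the next hop instead of being ARPed for directly.
    for ifname, dest, gw in routes:
        for cname, cnet in connected.items():
            if dest.subnet_of(cnet) and dest.prefixlen > cnet.prefixlen:
                out.append(("route-shadows-connected", f"route {ifname} {dest} via {gw} shadows connected {cnet} on {cname}"))
    for scope, router in scopes:
        net, router = ipaddress.ip_network(scope), ipaddress.ip_address(router)
        owner = next((n for n, c in connected.items() if net.subnet_of(c)), None)
        if owner is None:
            out.append(("scope-unrouted", f"{scope}: no ASA interface covers it"))
            continue
        if router not in net:
            out.append(("scope-router-off-net", f"{scope}: router {router} is outside the scope's /{net.prefixlen}"))
        if net.prefixlen != connected[owner].prefixlen:
            out.append(("scope-mask-mismatch", f"{scope}: clients get /{net.prefixlen}, {owner} is /{connected[owner].prefixlen}"))
    return out


if __name__ == "__main__":
    for code, msg in check(POSTED_CONFIG + PROPOSED_VLAN3):
        print(f"[{code}] {msg}")
```

Compare what the script parses with `show route` on the ASA and with the scope options in the DHCP console before acting on any finding; the scope list in the block is a stand-in, not the real server's configuration.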