ASA 5505 InterVLAN routing...

John Bachman
Level 1

Hello. Yes, I did read lots of posts here on ASA 5505 inter-VLAN routing. I tried a few ideas from a few posts, but I still cannot make this work.

Packet tracer works, and I can ping between VLANs, but with a real device I can't.

I have devices on VLAN 1 (port 0/1, 192.168.1.0) and I cannot ping (or talk to) devices on VLAN 12 (192.168.10.0, port 0/5).

I have built NAT and access lists. I guess I do not need routing, as the 2 networks are directly connected...

Any ideas?

Thanks!

ASA Version 8.2(1)
!
hostname ciscoasa
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd b9rdqCG21C.trMZp encrypted
names
!
interface Vlan1
 nameif House-LAN
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif ISP-OUTSIDE
 security-level 0
 ip address dhcp
!
interface Vlan12
 nameif WIFI
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.1.0 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu House-LAN 1500
mtu ISP-OUTSIDE 1500
mtu WIFI 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (ISP-OUTSIDE) 1 interface
nat (House-LAN) 0 access-list House-LAN
nat (House-LAN) 1 0.0.0.0 0.0.0.0
nat (ISP-OUTSIDE) 0 access-list ISP-OUTSIDE
nat (WIFI) 0 access-list WIFI
nat (WIFI) 1 0.0.0.0 0.0.0.0
route ISP-OUTSIDE 0.0.0.0 0.0.0.0 74.57.152.1 1
route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 House-LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 House-LAN
ssh timeout 60
ssh version 2
console timeout 0
dhcp-client client-id interface ISP-OUTSIDE
dhcpd auto_config ISP-OUTSIDE
!
dhcpd address 192.168.1.5-192.168.1.36 House-LAN
dhcpd dns 8.8.8.8 interface House-LAN
dhcpd domain homelab.com interface House-LAN
dhcpd enable House-LAN
!
dhcpd address 192.168.10.5-192.168.10.150 WIFI
dhcpd dns 8.8.8.8 interface WIFI
dhcpd domain homelab.com interface WIFI
dhcpd enable WIFI
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xx.xx.xx.xx source ISP-OUTSIDE prefer
webvpn
username jbachman password tvTwKjq/0Pm2Xeh6 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d7043c017eea909d8dcabf0e3649fc14
: end
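As an added example (not part of the original post, and not Cisco code), here is a small Python script that reads an ASA 8.2-style configuration and checks the points the replies in this thread turn on: whether interfaces that share a security level have the same-security-traffic permit command, whether each static route's next hop lies inside the egress interface's subnet and whether it targets a network that is already directly connected, and whether each dhcpd pool sits inside its interface's subnet (the interface address being the default gateway clients receive, as the later replies note). The embedded SAMPLE_CONFIG is a constructed, trimmed copy of the configuration above; the function names and the check wording are my own.

```python
"""Sanity checks for an ASA 8.2-style configuration (added example).

Each check mirrors a point raised in the thread: same-security-traffic,
static routes with an unreachable next hop or for a connected subnet, and
DHCP pools (whose default gateway is the interface address).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the configuration posted above, trimmed to the
# lines the checks look at. The 'route WIFI ...' line is the one the
# thread later identifies as the bad route.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif House-LAN
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif ISP-OUTSIDE
 security-level 0
 ip address dhcp
!
interface Vlan12
 nameif WIFI
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
same-security-traffic permit inter-interface
route ISP-OUTSIDE 0.0.0.0 0.0.0.0 74.57.152.1 1
route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1
dhcpd address 192.168.1.5-192.168.1.36 House-LAN
dhcpd address 192.168.10.5-192.168.10.150 WIFI
"""

SAME_SEC = "same-security-traffic permit inter-interface"


def parse_interfaces(config):
    """Map nameif -> {'level': int, 'net': IPv4Interface or None}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"level": None, "net": None}   # new interface block
        elif line == "!":
            current = None                           # block terminator
        elif current is None:
            continue                                 # global-mode line
        elif line.startswith("nameif "):
            interfaces[line.split()[1]] = current
        elif line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            parts = line.split()
            if parts[2] != "dhcp":  # DHCP-addressed interfaces have no static subnet
                current["net"] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    return interfaces


def check_same_security(config, interfaces):
    """Interfaces with equal security levels only pass traffic with the permit command."""
    by_level = defaultdict(list)
    for name, info in interfaces.items():
        by_level[info["level"]].append(name)
    shared = [sorted(names) for names in by_level.values() if len(names) > 1]
    if shared and SAME_SEC not in config:
        return [f"'{SAME_SEC}' is missing; needed for {names}" for names in shared]
    return []


def check_routes(config, interfaces):
    """Flag next hops outside the egress subnet and routes to connected networks."""
    findings = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", config, re.M):
        ifname, dest, mask, nexthop = m.groups()
        info = interfaces.get(ifname)
        if info is None or info["net"] is None:
            continue  # unknown or DHCP-addressed interface: cannot judge
        local = info["net"].network
        dest_net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        if ipaddress.IPv4Address(nexthop) not in local:
            findings.append(f"route via {ifname}: next hop {nexthop} is not in {local}")
        if dest_net == local:
            findings.append(f"route via {ifname}: {dest_net} is directly connected, static route not needed")
    return findings


def check_dhcp_pools(config, interfaces):
    """Pools must sit inside the interface subnet and not contain the interface IP."""
    findings, gateways = [], {}
    for m in re.finditer(r"^dhcpd address (\S+)-(\S+) (\S+)", config, re.M):
        low, high, ifname = m.groups()
        info = interfaces.get(ifname)
        if info is None or info["net"] is None:
            findings.append(f"dhcpd pool {low}-{high}: interface {ifname} has no static address")
            continue
        local = info["net"].network
        lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
        if lo > hi or lo not in local or hi not in local:
            findings.append(f"dhcpd pool {low}-{high} on {ifname} is not inside {local}")
        if lo <= info["net"].ip <= hi:
            findings.append(f"dhcpd pool {low}-{high} on {ifname} contains the interface address")
        gateways[ifname] = str(info["net"].ip)  # gateway handed to clients
    return findings, gateways


def audit(config):
    """Run every check and return the findings grouped by check."""
    interfaces = parse_interfaces(config)
    dhcp_findings, gateways = check_dhcp_pools(config, interfaces)
    return {
        "same_security": check_same_security(config, interfaces),
        "routes": check_routes(config, interfaces),
        "dhcp": dhcp_findings,
        "dhcp_gateways": gateways,
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {result}")
```

Run against the sample, the only findings are the two for the 'route WIFI' line: its next hop 192.168.0.2 is not in 192.168.10.0/24, so the ASA cannot resolve it on that interface, and 192.168.10.0/24 is already connected to WIFI so no static route is needed. The same-security and DHCP checks come back clean, which matches the replies' conclusion that the rest of the configuration is fine.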

25 Replies

Really sorry for the late reply.

I can see that Windows Firewall is the root cause of every host networking issue. I have a long story with it, and sometimes it causes frustration, especially when your configuration is 100% correct.

Packet tracer looks good too, as expected.

Now, let me clarify that you do NOT need any ACLs to be applied on either House-LAN or WIFI, because same-security interfaces are by default allowed to access each other without any policy, as long as you issue the same-security-traffic command, which you already did. Because we used packet tracer in both directions with successful results, I think we cannot blame the network anymore. So far as I can see, your configuration is correct. We need to focus now on why the iPad device cannot reach any of VLAN 1's devices. Because I never use it, I am not sure if the Air Video application supports RTP/RTSP. If this is the case, then we need to classify RTP traffic in a new class map. But I am not sure yet; let me collect more information about the app and get back to you.

Global policy is applied globally to all ASA's interfaces.

Regards,

AM

Thanks AM,

Air Video runs on the server, and the app runs on the iPad. It is used to stream video over the WiFi to the iPad.

But I notice no traffic is routed between VLANs, except for the ping, which makes me believe the interfaces are blocked by a default policy.

So does this mean I need to delete the ACLs I have set up? I was also told that the

same-security-traffic permit inter-interface / same-security-traffic permit intra-interface no longer apply because I am using NAT exempt...

Before I got the ASA on the ISP, I had a consumer Cisco e4200 and Air Video worked for years. Now that the 2 VLANs are on ASA inside interfaces, it can no longer communicate with anything, and the same goes for SSH, Telnet and all programs running from VLAN 12 to VLAN 2 (except ping!!).

It might still be the PC that is blocking all the services, but why would it block when the ASA is wide open, and all works fine with the e4200?

I thought it might be a public or private network setting in the W7 firewall, but the firewall is completely off.

But if you say that the global policy is applied globally to all the ASA's interfaces, don't I need to tell the ASA to INSPECT all these services (Air Video, TCP, UDP, SSH, Telnet etc.)? None of them are defined in the global policy... might this be the problem?

I might go ahead and remove the ACLs:


These ACLs are used in NAT statements. What I meant are the ACLs that are applied to an interface. So, do not remove them.

I was also told that the

same-security-traffic permit inter-interface / same-security-traffic permit intra-interface no longer apply because I am using NAT exempt...

I think this is not true; it is working for me in 8.4. I think you need to enable nat-control in 8.2 to allow this.

But if you say that the global policy is applied globally to all the ASA's interfaces, don't I need to tell the ASA to INSPECT all these services (Air Video, TCP, UDP, SSH, Telnet etc.)? None of them are defined in the global policy... might this be the problem?

The global policy already defines 15 application-layer protocols.

Regards,

AM

John,

I tested everything in my lab using version 8.0, configured the inside and DMZ interfaces as same-security interfaces, configured the same-security-traffic command, and all is working fine.

Let me ask you: are you using a router or an unmanaged switch behind the ASA's inside interface? What is the default gateway of your internal hosts?

Can you talk more about your internal connectivity?

Regards,

AM

I do have an e4200 as an AP for my WiFi on 192.168.10.0.

And my ASA is connected to that e4200... The devices get the DGW 192.168.10.1, which is the actual VLAN 12 ASA interface address. The actual IP of the e4200 is 192.168.10.2.

I will give this a try....

hostname(config)# dhcpd option 3 ip gateway_ip

If you do not use the DHCP option 3 to define the default gateway, DHCP clients use the IP address of the management interface. The management interface does not route traffic.

What about the House-LAN?

Yes, it also gave the WIFI DGW to the House-LAN VLAN!!!

Still looking.... But I am close.

Ok, make sure that all default gateway information is correct.

Hosts in VLAN 12 should have 192.168.10.1 as their DGW.

Hosts in VLAN 1 should have 192.168.1.1 as their DGW.

I would also recommend picking a single device in each VLAN and assigning it a static IP configuration, just for testing, to clear all doubts.

Another important recommendation: try to use another VLAN rather than VLAN 1 (e.g. VLAN 100), as VLAN 1 is sometimes used by the ASA for control traffic such as VTP, PAgP, LACP, etc., and it shouldn't be used for user traffic.

Regards,

AM

Ok,

There is no way to change the DGW on the dhcpd. It will always take the interface IP address as its DGW.

The thing is, I am using an e4200 as an AP to connect to WiFi, and even if I have disabled the firewall in it, it is sitting between the WiFi devices and the ASA. Since the Cisco e4200's yellow (Internet) port is not bridged with the blue (device) ports, I have to connect the ASA and the devices (LAN and WiFi) all on the blue ports... I think this is the root of the problem. The e4200, even if it gives me access to the Internet, cannot route the other services through it (SSH, Air Video, Telnet etc.).

I will connect a PC directly to the ASA on VLAN 12, to see if I can SSH through the ASA on VLAN 1, bypassing the AP.

I will also try using VLAN 100 instead.

Got it working.

Had a bad route on the ASA, and had to set up the e4200 as a bridged network. With the new firmware, it is possible to assign an IP to the e4200 and set it up as a 100% AP, which bypasses the firewall (even if the firewall was off in router mode).

Thanks to all here: AM, Julio, Jouni and all that really helped in poking at my ASA.

I'll keep on studying and getting my 5th Cisco cert.

John Bachman.

Glad to hear that it's working with you.

Please feel free to ask any questions at any time.

Regards,

AM
