cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

9564
Views
0
Helpful
12
Replies
ShibbyMike
Beginner

ASA 5505 Multi subnet/vlan routing question

Prefix....I'm new to Cisco equipment much more familiar w/ Sonicwall w/ that said......I have a 5505 w/ Security Plus licensing

I have set up multiple VLANs as follows

VLAN 1 inside - still setup as 192.168.1.1 (will not be using this for our lan)

VLAN2 - outside

VLAN100 - LAN 10.1.1.1/24

VLAN105 - SUPPORT 10.1.3/24

VLAN110 - QA - 10.1.2.1/24

VLAN120 - DMZ 192.168.251.1/28  (there is reason why this is like that)

VLAN130 - GUEST 10.1.100/24

When going VLAN to VLAN my packets are dropped due to a implicit deny all rule that I'm guessing was created when I made the VLANs and yes I know it should be there....even if I add a allow VLAN1 to VLAN100 rule

I know it's being dropped due to that rule because I can use the trace packet tool in the ASA

In the end my goal is

LAN <-> QA

LAN <-> SUPPORT

SUPPORT/QA/LAN -> DMZ (remote desktop pretty much)

GUEST -> Interwebz

INSIDE - will be shut down or used for admin purposes only

If I do add all the VLANs above I understand I will probably have to make a trunk port since I only have 5 usable interfaces

I know it's kinda of vague but I hope y'all get the idea..

@ home right now so I can't post the config

1 ACCEPTED SOLUTION

Accepted Solutions

Micheal,

I am sorry, I might have missed it earlier, we might need to add the following static commands:

static (inside,RWLAN) 192.168.1.100 192.168.1.100

static (inside,RWLAN) 10.1.2.100 10.1.2.100

It should work after this. If it doesn't then plz provide me the above mentioned outputs.

Keep me posted.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

12 REPLIES 12
varrao
Advocate

Hi Micheal,

Your description is a bit general at the moment, could you be a bit more specific and let me know the "show running-config" from your ASA, as well as between which particular VLAN's are you facing the issue. What type of traffic is being denied?

Thanks,

Varun

Thanks,
Varun Rao

Varun,

I tried creating a Firewall rule to allow inbound IP/ICMP traffic from VLAN1 to VLAN100 and the reverse and was still being denied by the implicit deny rule. Both interfaces have security set to 100 and i have allowed interfaces with the same security level to talk to each other, so I'm not sure how to fix this issue.

Thanks for the response I'll follow up tomorrow with a config and more details.

Micheal,

Thanks for the update, I understand the setup now and I guess a look at the config would be helpful, for going from VLAN 1 to VLAN 100, you need to have the follwoing checks:

Nat translation

Access-rule to allow the traffic

Route on the firewall for the packets

So as you said, if yuo can provide the config, iw ould check whether there is anything missing or not. Would wait for your reply.

Thanks,

Varun

Thanks,
Varun Rao

Varun,

Is it a static or Dynamic nat I need to configure?

Micheal,

You can use both, the correct would only be identified if you could be more specific with the requirement and provide just the vlan configuration done on the firewall, if you can provide it I can tell you the configuration that you would require.

Thanks,

Varun

Thanks,
Varun Rao

RWFW1(config)# show run
: Saved
:
ASA Version 8.2(1)
!
hostname RWFW1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.24 test description test computer
!
interface Vlan1
shutdown
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 216.2.3.4 255.255.255.248
!
interface Vlan100
nameif RWLAN
security-level 100
ip address 10.1.2.1 255.255.255.0
!
interface Vlan110
nameif RWQA
security-level 100
ip address 10.1.3.1 255.255.255.0
!
interface Vlan120
nameif DMZ
security-level 80
ip address 192.168.251.241 255.255.255.240
!
interface Vlan130
nameif RWGST
security-level 50
ip address 10.1.100.1 255.255.255.0
!
interface Vlan140
nameif RWVOIP
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 100
switchport trunk allowed vlan 100,140
switchport mode trunk
!
interface Ethernet0/3
switchport access vlan 110
!
interface Ethernet0/4
switchport access vlan 120
!
interface Ethernet0/5
switchport access vlan 130
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
object-group service RDP tcp-udp
description Remote Desktop
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu RWLAN 1500
mtu RWQA 1500
mtu DMZ 1500
mtu RWGST 1500
mtu RWVOIP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 216.2.3.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
Cryptochecksum:e6d5d7f0cd2778af988c891dd50d9121
: end

Let me reach office, i'll reply to your post

Varun

Thanks,
Varun Rao

Micheal,

As per your configuration, for going from Vlan 1 to Vlan 100, you would need the following Nat:

nat (inside) 10 0 0

global (RWLAN) 10 interface

same-security-traffic permit inter-interface

For going from Vlan 100 to Vlan 1, you would need the following:

nat (RWLAN) 11 0 0

global (inside) 11 interface

Apart fom this you would need a route for the packets, if these are not directly connected subnets:

route inside 0 0

route RWLAN 0 0

Let me know if this works out for you.

Thanks,

Varun

Thanks,
Varun Rao

Varun, I got  the following alert on my dashboard....

"No translation group found for icmp src RWLAN:10.1.2.100 dst insdie 192.168.1.100 (type 8, code 0)"

Hi Micheal,

Could you please provide me the following outputs:

show run nat

show run global

show xlate | in 10.1.2.100

This would be helful in isolating the issue

Thanks,

Varun

Thanks,
Varun Rao

Micheal,

I am sorry, I might have missed it earlier, we might need to add the following static commands:

static (inside,RWLAN) 192.168.1.100 192.168.1.100

static (inside,RWLAN) 10.1.2.100 10.1.2.100

It should work after this. If it doesn't then plz provide me the above mentioned outputs.

Keep me posted.

Thanks,

Varun

Thanks,
Varun Rao

Varun, thanks for your help, I'll post the config that ended up working for me tomorrow. I've ran across another problem since then but will put it in a different thread, thanks for are your help.

Create
Recognize Your Peers
Content for Community-Ad