ASA 5505 Routing Problem!!!!!!!!!

abhishek.shah
Level 1

Hi there,

I have an ASA 5505 firewall with the Security Plus license. I configured two VLANs, VLAN 1 and VLAN 5, as inside VLANs for different subnets, and I need to route traffic between these two VLANs through the ASA.

I configured:

interface vlan 1
nameif inside
security-level 100
ip address 172.16.100.1 255.255.255.0

interface vlan 5
nameif camera
security-level 100
ip address 192.168.22.1 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

router eigrp 2
network 172.16.100.0
network 192.168.22.0

interface Ethernet0/6
switchport access vlan 5

The problem is that I am not able to ping the other subnet; for example, my PC in VLAN 1 is not able to ping 192.168.22.1.

For troubleshooting I typed debug icmp trace while pinging the other subnet:

ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=4608 len=32
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=4864 len=32
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=5120 len=32
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=5376 len=32

I turned off the firewall on my local machine. Can anyone please help me out?

thanks

Abhishek

10 Replies

zujalal
Cisco Employee

Hi Abhishek.

..."The problem is i am not able to ping other subnet, for ex my pc is in VLAN 1 not able to ping 192.168.22.1"

This is by design. The ASA will not allow you to ping another interface while your PC is behind a different interface. You can only ping the VLAN 1 interface if your PC is in VLAN 1; you cannot ping the VLAN 2 interface on the ASA. Try pinging some other PC in VLAN 2.

Hope this helps.

regards

Zubair

Hi there,

As far as I know, the ASA is a Layer 3 device; it is able to route traffic between different subnets.

"The ASA will not allow you to ping another interface while your PC is behind another interface." I doubt that statement, because I configured the same scenario before and it worked.

If I configure a routing protocol and the same-security-traffic permit statement, the ASA should route traffic between the different subnets. Please correct me if I am wrong.

Thanks,

Abhishek

You are right in saying that the ASA can be an L3 device, but you don't need a dynamic routing protocol to route between two subnets that are directly connected to the ASA. These two subnets will appear as connected routes. You just need the same-security-traffic permit inter-interface command.

Regarding pinging the VLAN 5 interface from VLAN 1: you cannot do it. You might have done it on a router, but it is a very basic check in the ASA algorithm. The ASA only responds to ICMP traffic sent to the interface that the traffic comes in on; you cannot send ICMP traffic through one interface to a far interface.

Hi there,

I removed EIGRP from my config and applied same-security-traffic permit inter-interface; by doing this, the ASA 5505 should be able to route traffic between the different subnets. I did that, and it's not working.

Since you agree that the ASA is a Layer 3 device, I have one question: if I have two inside networks and I want to route traffic between these two inside networks through the ASA 5505, is that possible or not? If yes, then how can I do it?

Thanks,

Abhishek

Yes, it is possible. Your configuration seems to be OK. However, I would recommend defining the "switchport access vlan 1" command under the physical interface where VLAN 1 is connected. Secondly, if it is not working, I would recommend defining MAC addresses on the physical interfaces manually. By default, all the ports on a 5505 share the same MAC address. If your adjacent switch has some problems with this behaviour, you can set virtual MAC addresses manually using the mac-address command under the interface VLAN configuration. If it is still not working, can you run a debug icmp trace while pinging from a host in VLAN 5 to a host in VLAN 1, or vice versa? Also, show interface and show route output would be useful.

Also, I am assuming that you can ping the IP addresses on interface VLAN 1 and interface VLAN 5 from the respective VLANs. If the hosts from which you are pinging are an L3 hop away, I hope the routing has been set up properly there.

regards

Zubair


Hi there,

After applying the commands below, both subnets can ping each other:

VLAN 1: inside network

VLAN 5: camera network

I need VLAN 1 and VLAN 5 to talk to each other, and that is working. The only problem is that hosts in the VLAN 5 subnet are not able to access the internet.

When I applied nat (camera) 1 0.0.0.0 0.0.0.0, both subnets stopped pinging each other but were able to access the internet.

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
switchport trunk allowed vlan 1,5
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport trunk allowed vlan 1-5
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 32
!
interface Ethernet0/6
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.100.101 255.255.255.0 standby 172.16.100.102
!
interface Vlan5
nameif camera
security-level 100
ip address 192.168.22.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
global (inside) 2 interface
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (camera) 1 0.0.0.0 0.0.0.0

(Once I removed the last command, both subnets were able to ping each other, but there was no internet access.)

I think it's a NAT issue.

Following is the output of packet-tracer, which clearly states that the packet is dropped because of NAT:

ADA-# packet-tracer input camera icmp 192.168.22.2 255 255 172.16.100.11

Phase: 1
Type: UN-NAT
Subtype: dynamic
Result: ALLOW
Config:
Additional Information:
NAT divert to egress interface inside
Untranslate 172.16.100.11/0 to 172.16.100.11/0 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (camera) 1 0.0.0.0 0.0.0.0
  match ip camera any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 167, untranslate_hits = 0
Additional Information:

Result:
input-interface: camera
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks,

Abhishek

I don't see the config of the outside interface below; I am assuming it is there. Use a different NAT ID and you should be good to go. You just need the commands below. Also, I am not sure what the backup interface is. Remove the other nat and global commands. VLAN 1 and VLAN 5 can still talk to each other as long as you have not enabled nat-control.

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

nat (camera) 2 0.0.0.0 0.0.0.0
global (outside) 2 interface

regards

Zubair


Hi there,

Please find attached my current config. I applied the commands, but no luck; I disabled nat-control (no nat-control) and still no luck. Can you suggest another option? The packet is being denied by:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (camera) 2 0.0.0.0 0.0.0.0
  match ip camera any inside any
    dynamic translation to pool 2 (No matching global)
    translate_hits = 79, untranslate_hits = 0
Additional Information:

Result:
input-interface: camera
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks,

Abhishek

I don't know why the routes are configured the way they are right now. The next hops mentioned are the interface IPs defined on the ASA itself?

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route backup 0.0.0.0 0.0.0.0 2.2.2.2

I hope you have put these in for reference only...

Can you ping any public IP like 4.2.2.2 from the ASA itself? If yes, then can you remove the global (backup) 2 commands and test again?

Hi there,

Yes, the routes I used are for reference only; in reality I am using different IP addresses. I removed global (backup) 2 0.0.0.0 0.0.0.0.

Yes, from the firewall I am able to ping 4.2.2.2, and I am able to access the internet from the 172.16.100.x subnet.

The only problem is that I am not able to access the internet from the 192.168.22.x subnet. Once I remove the command nat (camera) 2 0.0.0.0 0.0.0.0, I am able to access the internet but not able to ping the other subnet.

Thanks,

Abhishek
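Added example, not part of the thread and not posted by either participant: a pre-8.3 NAT configuration under which both requirements from the last two posts hold at once (inter-VLAN traffic between inside and camera, plus internet access for camera). It uses the same nat/global syntax the posts use and assumes an interface named outside, the inside exemption ACL named nonat that appears in the posted config, and a new ACL name camera_nonat chosen for this example. The mechanics are visible in the packet-tracer output above: a catch-all nat (camera) N 0.0.0.0 0.0.0.0 matches every flow leaving camera, including flows bound for inside, and the ASA then needs a global with the same ID on the egress interface; when the only global N is on outside, camera-to-inside flows are dropped in the NAT phase with "No matching global". Removing that nat line restores inter-VLAN traffic but leaves camera with no PAT toward outside, which is the see-saw the thread describes. NAT exemption (nat 0 access-list) is evaluated before dynamic nat/global rules, so exempting the inter-VLAN address pairs keeps the catch-all rule for internet-bound traffic only.

```cisco
! Added example (not from the thread). Assumes pre-8.3 nat/global syntax as
! used in the posts, an interface named "outside", the existing inside
! exemption ACL "nonat", and an ACL name "camera_nonat" chosen here.
!
! 1. Exempt inter-VLAN traffic from NAT in both directions.
!    "nat 0 access-list" (NAT exemption) is matched before the dynamic
!    nat/global rules, so the catch-all rules below never see it.
access-list camera_nonat extended permit ip 192.168.22.0 255.255.255.0 172.16.100.0 255.255.255.0
nat (camera) 0 access-list camera_nonat
!
!    The inside side already has "nat (inside) 0 access-list nonat";
!    make sure that ACL covers the camera subnet as a destination.
access-list nonat extended permit ip 172.16.100.0 255.255.255.0 192.168.22.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 2. Dynamic PAT to the outside interface address for everything else.
!    One NAT ID per source interface; the only requirement is that a
!    global with the same ID exists on the egress interface (outside).
nat (inside) 1 0.0.0.0 0.0.0.0
nat (camera) 2 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (outside) 2 interface
!
! 3. Inter-VLAN forwarding still relies on this (already in the posted config);
!    without it, equal security levels block the flow before NAT is consulted.
same-security-traffic permit inter-interface
```

To verify, run packet-tracer for both directions of interest from the camera side: an ICMP echo (type 8, code 0) to a host in 172.16.100.0/24 should now pass the NAT phase as NAT-EXEMPT instead of dropping on "No matching global", and an echo to a public address such as 4.2.2.2 should show a dynamic translation to pool 2 with the outside interface address. Because both VLANs sit at security level 100 and inter-interface traffic is permitted, no access-list is needed for them to reach each other; if the camera network should not have unrestricted access to the inside LAN, add an extended ACL and apply it with access-group on the camera interface, which does not affect the NAT behaviour above.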
