ASA 5505. Unable to reach ASA's VLAN-IP, between different VLAN's

amir
Level 1
Level 1

I have an ASA 5505 with 4 VLANs:

Vlan1 - inside
Vlan2 - outside
Vlan20 - wireless
Vlan30 - wireless-guest

When sitting on, e.g., Vlan20, should I be able to reach the IP address of any other of the ASA's VLAN interfaces?

Computers on each VLAN are only able to reach their own default gateway on their respective VLAN.

Thanks

ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan20
 nameif WLAN
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
 nameif wireless-guest
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport trunk allowed vlan 1,20,30
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/3
 switchport access vlan 30
!
interface Ethernet0/4
 switchport access vlan 20
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network obj_any
access-list OUTSIDE-IN extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
mtu wireless-guest 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any WLAN
icmp permit any wireless-guest
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WLAN) 1 0.0.0.0 0.0.0.0
nat (wireless-guest) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE-IN in interface inside
access-group OUTSIDE-IN in interface outside
access-group OUTSIDE-IN in interface WLAN
access-group OUTSIDE-IN in interface wireless-guest
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password eY/fQXw7Ure8Qrz7 encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context


cadet alain
VIP Alumni
VIP Alumni

Hi,

1) interface Ethernet0/2
   switchport trunk allowed vlan 1,20,30    what about VLAN 2? ---> sw tr allowed vlan add 2

2) You are doing NAT, so you must do it also for traffic between same-security interfaces.

Regards.

Alain.

Don't forget to rate helpful posts.

Does the GW on the respective VLANs have a route to the other VLANs via the firewall?

Check the syslogs and see what they say:

conf t

loggin on

logging buffered 7

exit

sh logg | i x.x.x.x

where x.x.x.x is one of the IPs in one vlan that isn't able to reach another host on another vlan.

-Kureli

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Amir,

You are not going to be able to ping a distant interface; this is a default security feature used by the ASA as a security device.

Now you should be able to get to other VLAN hosts, just not to the ASA's distant interface.

Hope this helps.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
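The behaviour Julio describes, as an added illustration that is not code from this thread or from Cisco: a small Python model that parses the interface blocks from a constructed excerpt of the config above and classifies where a packet ends up. The rules (only the ingress interface's own IP answers, any other ASA interface IP is dropped, transit between VLANs depends on security levels and same-security-traffic) are this example's simplification and ignore NAT and ACLs.

```python
import ipaddress
# Constructed excerpt of the thread's ASA 5505 config; classify() is this example's
# own model of the behaviour the thread describes, not an ASA command or API.
ASA_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan20
 nameif WLAN
 security-level 100
 ip address 192.168.20.1 255.255.255.0
same-security-traffic permit inter-interface
"""

def parse_interfaces(config):
    """Map nameif -> (IPv4Interface, security-level) for statically addressed interfaces."""
    ifaces, name, level, addr = {}, None, None, None
    for parts in (line.split() for line in config.splitlines() if line.strip()):
        if parts[0] == "interface":
            name = level = addr = None  # start of a new interface block
        elif parts[0] == "nameif":
            name = parts[1]
        elif parts[0] == "security-level":
            level = int(parts[1])
        elif parts[:2] == ["ip", "address"] and parts[2] != "dhcp":
            addr = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        if name and level is not None and addr:
            ifaces[name] = (addr, level)
    return ifaces

def classify(config, src_ip, dst_ip):
    """Explain what the ASA does with a packet from src_ip to dst_ip."""
    ifaces = parse_interfaces(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress = next((n for n, (a, _) in ifaces.items() if src in a.network), None)
    egress = next((n for n, (a, _) in ifaces.items() if dst in a.network), None)
    if ingress is None or egress is None:
        return "unknown: no ASA interface owns that subnet"
    if dst == ifaces[ingress][0].ip:
        return "reachable: own gateway"  # only the ingress interface answers
    if any(dst == a.ip for a, _ in ifaces.values()):
        return f"dropped: {egress} is a distant ASA interface"
    if egress == ingress:
        return "local: same VLAN, switched rather than routed"
    in_level, out_level = ifaces[ingress][1], ifaces[egress][1]
    same_sec = "same-security-traffic permit inter-interface" in config
    if in_level > out_level or (in_level == out_level and same_sec):
        return f"permitted: {ingress} -> {egress}"
    return f"denied: {ingress} -> {egress} needs an ACL"
```

Run classify(ASA_CONFIG, "192.168.20.10", "192.168.1.1") to see the WLAN host's ping to the inside interface IP dropped while "192.168.1.50" on the same path is permitted.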

That was my first guess. And yes, I am able to reach other VLAN hosts. Just needed to confirm that it's a built-in security feature. Now I know.

Thank you all for the replies.

Cheers!

Hello Amir,

I am glad this helped; any other question, just let us know.

Have a great day

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC