ASA 5505 Vlan Routing issue

Henri de Necker
Level 1

Hi there all,

I am trying to set up VLAN routing on our ASA 5505. The Security Plus licence is active on it. I have read a lot of posts on this issue, but it seems that I have something not in place.

I want to ping between my "inside" and "voip" networks, with IPs 192.168.1.0 and 192.168.2.0.

Can anyone please help me with this?

Here is my config:

ciscoasa# sh run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 15
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
 speed 100
 duplex full
!
interface Ethernet0/7
 switchport access vlan 10
!
interface Vlan1
 nameif inside
 security-level 50
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif voip
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
 nameif camera
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
 nameif Guest
 security-level 50
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan5
 nameif Management
 security-level 50
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan10
 nameif profitek
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan15
 nameif outside
 security-level 0
 ip address 192.168.15.2 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network voip-network
 subnet 192.168.2.0 255.255.255.0
object network inside-network
 subnet 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu voip 1500
mtu camera 1500
mtu Guest 1500
mtu Management 1500
mtu profitek 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo inside
icmp permit any voip
icmp permit any echo voip
no asdm history enable
arp timeout 14400
!
object network voip-network
 nat (voip,inside) static 192.168.2.0
object network inside-network
 nat (inside,voip) static 192.168.1.0
!
router eigrp 100
 network 192.168.1.0 255.255.255.0
 network 192.168.2.0 255.255.255.0
 network 192.168.3.0 255.255.255.0
 network 192.168.4.0 255.255.255.0
 network 192.168.5.0 255.255.255.0
 passive-interface outside
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c919a2399c63202b920a804264b28b3
: end
ciscoasa#

Thanks

Henri

1 Reply

Jouni Forss
VIP Alumni

Hi,

You don't need the NAT configurations between "inside" and "voip", so you could remove them from the configuration completely.

You also have the "same-security-traffic" configuration, so that traffic can flow between these 2 interfaces with the same "security-level" value set.

You don't seem to have any inspection configurations on your ASA, which are usually there by default to my understanding.

It would be something like this, for example:

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  no protocol-enforcement

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect rtsp
  inspect skinny
  inspect pptp
  inspect esmtp
  inspect icmp
  inspect icmp error
  inspect ftp

service-policy global_policy global

You should have the above "inspect icmp" configurations on your ASA.

And as I said, you could remove the "nat" configurations for these interfaces since you don't need them.

I also noticed that you have no NAT configured for outbound connections? If you want a basic Dynamic PAT configuration to handle all your internal networks, then you could use this:

nat (any,outside) after-auto source dynamic any interface

Hope this helps :)

- Jouni
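An added example, not code from the original post or reply: a Python checker that reads an ASA 8.4-style "show run" and reports the three things the reply points at (object NAT between same-security internal interfaces, no "inspect icmp" in the globally applied policy, and no NAT toward the lowest-security interface), then emits the CLI lines that would address each finding. SAMPLE_CONFIG is an excerpt of the configuration posted in the question; FIXED_CONFIG is that excerpt with the reply's suggestions applied, constructed here for contrast. The parser assumes the order the ASA prints ("nameif" before "security-level" within an interface), and the "equal security level means the NAT adds nothing" rule encodes the reply's reasoning, not a statement from Cisco documentation.

```python
"""Added example (not code from the thread): parse an ASA 8.4-style 'show run' and
flag the three points the reply raises (NAT between same-security interfaces, no
'inspect icmp' in the global policy, no NAT toward the lowest-security interface),
then emit CLI that addresses each. SAMPLE_CONFIG excerpts the posted config."""
import re
from dataclasses import dataclass, field
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 50
interface Vlan2
 nameif voip
 security-level 50
interface Vlan15
 nameif outside
 security-level 0
same-security-traffic permit inter-interface
object network voip-network
 nat (voip,inside) static 192.168.2.0
object network inside-network
 nat (inside,voip) static 192.168.1.0
"""
# The same excerpt with the reply's suggestions applied (constructed, not posted).
FIXED_CONFIG = "\n".join(l for l in SAMPLE_CONFIG.splitlines() if not l.startswith(" nat (")) + """
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
nat (any,outside) after-auto source dynamic any interface
"""
NAT_RE = re.compile(r"nat \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\) (?P<rest>.+)")
@dataclass
class AsaConfig:
    levels: dict = field(default_factory=dict)    # nameif -> security-level
    nats: list = field(default_factory=list)      # (object name or None, real_if, mapped_if, rest)
    inspects: dict = field(default_factory=dict)  # policy-map name -> protocols it inspects
    global_policy: str = ""                       # policy-map applied with 'service-policy ... global'

def parse_asa_config(text):
    cfg, block, nameif = AsaConfig(), None, None
    for line in text.splitlines():
        if not line.strip() or line[0] in "!:":
            continue
        tok = line.split()
        if not line[0].isspace():                  # top-level command ends any indented block
            block = None
            if tok[0] == "interface":
                block, nameif = ("interface", tok[1]), None
            elif tok[:2] == ["object", "network"]:
                block = ("object", tok[2])
            elif tok[0] == "policy-map" and tok[1] != "type":   # skip 'policy-map type inspect ...'
                block = ("policy-map", tok[1])
            elif tok[0] == "service-policy" and tok[-1] == "global":
                cfg.global_policy = tok[1]
            elif m := NAT_RE.match(line):                          # twice NAT at top level
                cfg.nats.append((None, m["real"], m["mapped"], m["rest"]))
        elif block is None:
            continue
        elif block[0] == "interface":
            if tok[0] == "nameif":
                nameif = tok[1]
            elif tok[0] == "security-level" and nameif:            # ASA prints nameif first
                cfg.levels[nameif] = int(tok[1])
        elif block[0] == "object" and (m := NAT_RE.match(line.strip())):   # object NAT
            cfg.nats.append((block[1], m["real"], m["mapped"], m["rest"]))
        elif block[0] == "policy-map" and tok[0] == "inspect":
            cfg.inspects.setdefault(block[1], set()).add(tok[1])   # 'inspect icmp error' -> icmp
    return cfg

def redundant_internal_nat(cfg):
    """NAT between two interfaces of equal security-level: the ASA routes between them
    directly (same-security-traffic is permitted), so the rule adds nothing."""
    lv = cfg.levels
    return [n for n in cfg.nats if n[1] in lv and n[2] in lv and lv[n[1]] == lv[n[2]]]

def missing_icmp_inspection(cfg):
    return "icmp" not in cfg.inspects.get(cfg.global_policy, set())

def has_outbound_nat(cfg):
    edge = min(cfg.levels, key=cfg.levels.get)     # lowest security-level interface ('outside')
    return any(n[2] == edge for n in cfg.nats)

def suggested_fixes(cfg):
    """CLI that addresses each finding, in the order the reply raises them."""
    fixes = []
    for obj, real, mapped, rest in redundant_internal_nat(cfg):
        undo = f"no nat ({real},{mapped}) {rest}"
        fixes += [f"object network {obj}", " " + undo] if obj else [undo]
    if missing_icmp_inspection(cfg):
        pol = cfg.global_policy or "global_policy"
        fixes += ["class-map inspection_default", " match default-inspection-traffic", f"policy-map {pol}",
                  " class inspection_default", "  inspect icmp", "  inspect icmp error"]
        fixes += [] if cfg.global_policy else [f"service-policy {pol} global"]
    if not has_outbound_nat(cfg):
        edge = min(cfg.levels, key=cfg.levels.get)
        fixes.append(f"nat (any,{edge}) after-auto source dynamic any interface")
    return fixes
```

Run against the posted excerpt, suggested_fixes() returns the two "no nat" removals (each preceded by its "object network" line), the default inspection policy with "inspect icmp", the "service-policy ... global" line and the dynamic PAT statement; run against FIXED_CONFIG it returns nothing. The class-map lines are emitted unconditionally because the posted configuration has no class-map at all; on a box that already has inspection_default they are harmless re-entries.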