11-20-2014 03:52 AM - edited 03-11-2019 10:06 PM
Hi there All
I am trying to set up VLAN routing on our ASA 5505. The Security Plus licence is active on it. I have read a lot of posts on this issue, but it seems that I have something not in place.
I want to ping between my "inside" and "voip" networks with IPs 192.168.1.0 and 192.168.2.0.
Can anyone please help me with this?
Here is my Config:
ciscoasa# sh run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 15
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
switchport access vlan 5
!
interface Ethernet0/6
speed 100
duplex full
!
interface Ethernet0/7
switchport access vlan 10
!
interface Vlan1
nameif inside
security-level 50
ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
nameif voip
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
nameif camera
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
nameif Guest
security-level 50
ip address 192.168.4.1 255.255.255.0
!
interface Vlan5
nameif Management
security-level 50
ip address 192.168.5.1 255.255.255.0
!
interface Vlan10
nameif profitek
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Vlan15
nameif outside
security-level 0
ip address 192.168.15.2 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network voip-network
subnet 192.168.2.0 255.255.255.0
object network inside-network
subnet 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu voip 1500
mtu camera 1500
mtu Guest 1500
mtu Management 1500
mtu profitek 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo inside
icmp permit any voip
icmp permit any echo voip
no asdm history enable
arp timeout 14400
!
object network voip-network
nat (voip,inside) static 192.168.2.0
object network inside-network
nat (inside,voip) static 192.168.1.0
!
router eigrp 100
network 192.168.1.0 255.255.255.0
network 192.168.2.0 255.255.255.0
network 192.168.3.0 255.255.255.0
network 192.168.4.0 255.255.255.0
network 192.168.5.0 255.255.255.0
passive-interface outside
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c919a2399c63202b920a804264b28b3
: end
ciscoasa#
Thanks
Henri
11-20-2014 04:04 AM
Hi,
You don't need the NAT configurations between "inside" and "voip", so you could remove them from the configuration completely.
You also have the "same-security-traffic" configuration, so that traffic can flow between these 2 interfaces with the same "security-level" value set.
You don't seem to have any inspection configurations on your ASA, which are there usually by default to my understanding.
It would be something like this for example
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
no protocol-enforcement
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect sqlnet
inspect sunrpc
inspect tftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect rtsp
inspect skinny
inspect pptp
inspect esmtp
inspect icmp
inspect icmp error
inspect ftp
service-policy global_policy global
You should have the above "inspect icmp" configurations on your ASA.
And as I said, you could remove the "nat" configurations for these interfaces since you don't need them.
I also noticed that you have no NAT configured for outbound connections? If you want a basic Dynamic PAT configuration for that to handle all your internal networks, then you could use this:
nat (any,outside) after-auto source dynamic any interface
Hope this helps :)
- Jouni
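The reply above makes four checks against Henri's config: static NAT between two interfaces at the same security level is unnecessary, "same-security-traffic permit inter-interface" must be present for those interfaces to talk, "inspect icmp" should be in the global policy, and there is no dynamic PAT towards "outside". The script below is an added example (not part of either post and not Cisco's tooling) that runs those same checks as a plain-text lint over a running-config. It is a line-oriented heuristic, not a full ASA config parser; SAMPLE_CONFIG is a constructed, trimmed copy of the relevant lines from the thread, and FIXED_CONFIG is a constructed version with the changes Jouni suggests applied.

```python
"""Lint a Cisco ASA running-config for the issues raised in the thread.

Added example: heuristic text checks, not an ASA parser. Assumes the
config uses the standard 'show run' layout (nameif / security-level
inside interface blocks, 'nat (src,dst) ...' lines, 'inspect icmp'
under a policy-map).
"""
import re

# Constructed sample: trimmed copy of the interface, NAT and same-security
# lines from the original post. 'inside' and 'voip' are both level 50.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 50
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif voip
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan15
 nameif outside
 security-level 0
 ip address 192.168.15.2 255.255.255.0
!
same-security-traffic permit inter-interface
object network voip-network
 subnet 192.168.2.0 255.255.255.0
object network inside-network
 subnet 192.168.1.0 255.255.255.0
object network voip-network
 nat (voip,inside) static 192.168.2.0
object network inside-network
 nat (inside,voip) static 192.168.1.0
"""

# Constructed: same interfaces, static NAT removed, icmp inspection and
# outbound dynamic PAT added as the reply suggests.
FIXED_CONFIG = SAMPLE_CONFIG.split("object network voip-network\n nat")[0] + """\
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
nat (any,outside) after-auto source dynamic any interface
"""

NAT_RE = re.compile(r"^\s*nat \((\S+),(\S+)\)", re.M)
ICMP_RE = re.compile(r"^\s*inspect icmp\s*$", re.M)
PAT_RE = re.compile(r"^\s*nat \(\S+,outside\) .*dynamic .*interface", re.M)


def parse_interfaces(config):
    """Return {nameif: security_level} for every named interface block."""
    levels, block = {}, None
    for raw in config.splitlines() + ["!"]:  # trailing '!' flushes the last block
        s = raw.strip()
        if s.startswith("interface ") or s == "!":
            if block and "nameif" in block and "security-level" in block:
                levels[block["nameif"]] = int(block["security-level"])
            block = {} if s.startswith("interface ") else None
        elif block is not None:
            parts = s.split(None, 1)
            if len(parts) == 2:
                block[parts[0]] = parts[1]  # e.g. 'nameif' -> 'inside'
    return levels


def lint(config):
    """Return a list of human-readable findings; empty means all checks pass."""
    levels = parse_interfaces(config)
    findings = []
    # 1. NAT between two interfaces at the same security level is not needed.
    for src, dst in NAT_RE.findall(config):
        if src in levels and dst in levels and levels[src] == levels[dst]:
            findings.append(f"unneeded NAT between same-security interfaces {src} -> {dst}")
    # 2. Shared security levels require the same-security-traffic command.
    shared = len(levels) != len(set(levels.values()))
    if shared and "same-security-traffic permit inter-interface" not in config:
        findings.append("interfaces share a security-level but "
                        "'same-security-traffic permit inter-interface' is missing")
    # 3. Without 'inspect icmp', echo replies are not tracked statefully.
    if not ICMP_RE.search(config):
        findings.append("no 'inspect icmp' in the global policy")
    # 4. Outbound traffic needs a dynamic PAT towards 'outside'.
    if not PAT_RE.search(config):
        findings.append("no dynamic PAT to 'outside' for outbound connections")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print("  -", f)
```

Running it reports four findings for the original excerpt (both static NAT rules, the missing "inspect icmp", and the missing outbound PAT) and none for the fixed version; the same-security check passes in both because Henri's config already carries that line.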