12-07-2015 06:27 AM - last edited on 03-25-2019 05:57 PM by ciscomoderator
Hello,
Need assistance with routing between subinterfaces on the ASA. Right now, all my devices are in the infrastructure subnet (192.168.100.0/24) because I can't figure out how to get the ASA to route traffic between the VLANs on the subinterfaces. Looking for some assistance.
The ASA is connected via an 802.1q trunk on Gig 1/2 to my switch. The ASA is the default gateway for all the VLANs. I want to allow all traffic between networks 192.168.100.0/24 - 192.168.130.0/24. For the guest network (192.168.190.0/24), I only want to allow DHCP/DNS to 192.168.100.10. I could continue to use the ASA for DHCP/DNS for just the Guest network, but my goal is to create a single point of administration from a DHCP/DNS perspective.
Eventually I would like to move my DHCP server to the Server network (192.168.110.0) if I can finally get traffic allowed between the various networks. Can anyone please provide the commands to make this happen?
Below is my ASA config. I can post the switch config if needed, but it's just an 802.1q trunk allowing all VLANs. I have created SVIs for each network on the switch (192.168.x.4) and a layer 2 VLAN for each network.
: Serial Number: <removed>
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.3(2)2
!
hostname <removed>
enable password <removed> encrypted
names
ip local pool vpn 192.168.1.200-192.168.1.220 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
description LAN Connection
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.100
description infrastructure
vlan 100
nameif infrastructure
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet1/2.110
description server
vlan 110
nameif server
security-level 100
ip address 192.168.110.1 255.255.255.0
!
interface GigabitEthernet1/2.120
description clients
vlan 120
nameif clients
security-level 100
ip address 192.168.120.1 255.255.255.0
!
interface GigabitEthernet1/2.130
description vpn
vlan 130
nameif vpn
security-level 90
ip address 192.168.130.1 255.255.255.0
!
interface GigabitEthernet1/2.190
description guest
vlan 190
nameif Guest
security-level 50
ip address 192.168.190.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa932-2-lfbff-k8.SPA
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE_HOST
subnet 192.168.1.0 255.255.255.0
object network <removed>
subnet 198.200.139.0 255.255.255.0
description <removed>
object network infrastructure
subnet 192.168.100.0 255.255.255.0
object network clients
subnet 192.168.120.0 255.255.255.0
object network vpn
subnet 192.168.130.0 255.255.255.0
object network Guest
subnet 192.168.190.0 255.255.255.0
object network server
subnet 192.168.110.0 255.255.255.0
access-list outside_access_in remark all connections for IP phone
access-list outside_access_in extended permit ip object <removed> 192.168.1.0 255.255.255.0
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu infrastructure 1500
mtu server 1500
mtu clients 1500
mtu Guest 1500
mtu vpn 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network infrastructure
nat (infrastructure,outside) dynamic interface
object network clients
nat (clients,outside) dynamic interface
object network Guest
nat (Guest,outside) dynamic interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 infrastructure
http 192.168.110.0 255.255.255.0 server
http 192.168.120.0 255.255.255.0 clients
no snmp-server location
no snmp-server contact
snmp-server community *****
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
subject-name CN=<removed>,CN=<removed>
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate <removed>
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 8<removed>
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.100.0 255.255.255.0 infrastructure
ssh 192.168.110.0 255.255.255.0 server
ssh 192.168.120.0 255.255.255.0 clients
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.100.50-192.168.100.150 infrastructure
!
dhcpd address 192.168.110.50-192.168.110.150 server
!
dhcpd address 192.168.120.50-192.168.120.150 clients
!
dhcpd address 192.168.190.50-192.168.190.150 Guest
dhcpd enable Guest
!
dhcpd address 192.168.130.50-192.168.130.150 vpn
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 infrastructure vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-macosx-i386-4.1.02011-k9.pkg 1
anyconnect profiles <removed>
anyconnect enable
tunnel-group-list enable
error-recovery disable
group-policy <removed>
group-policy <removed>
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
default-domain none
webvpn
anyconnect profiles value <removed> type user
dynamic-access-policy-record DfltAccessPolicy
username <removed> password <removed> encrypted privilege 15
tunnel-group <removed> type remote-access
tunnel-group <removed> general-attributes
address-pool vpn
default-group-policy <removed>
tunnel-group <removed> webvpn-attributes
group-alias <removed> enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
sfr fail-open
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:<removed>
: end
12-08-2015 03:45 AM
Everything looks OK. For the DHCP of the guests you can add an ACL to permit bootp and dns and apply it inbound on the guest interface.
Enable DHCP relay:
dhcprelay server <IP of Server> <interface name where server is>
dhcprelay enable Guest
I browsed through it very quickly, and the rest of your config looks ok. Just a question: what is the purpose of the VPN interface?
12-09-2015 09:16 PM
Hey Andre,
Routing between networks on the subinterfaces is not working.
I tried these commands and it's working somewhat, but not everything. Ping between all subnets is working, but I can't SSH or HTTPS to my devices on different subnets for some reason. But I can RDP from a device in the client subnet to a device in the server subnet? But that same device in the client subnet can't SSH or HTTPS to the WLC in the server subnet? It's really odd.
object network obj_nat_infrastructure
subnet 192.168.100.0 255.255.255.0
object network obj_nat_server
subnet 192.168.110.0 255.255.255.0
object network obj_nat_clients
subnet 192.168.120.0 255.255.255.0
object network obj_nat_vpn
subnet 192.168.130.0 255.255.255.0
nat (infrastructure,server) source static obj_nat_infrastructure obj_nat_infrastructure
nat (infrastructure,clients) source static obj_nat_infrastructure obj_nat_infrastructure
nat (infrastructure,vpn) source static obj_nat_infrastructure obj_nat_infrastructure
nat (clients,infrastructure) source static obj_nat_clients obj_nat_clients
nat (clients,server) source static obj_nat_clients obj_nat_clients
nat (clients,vpn) source static obj_nat_clients obj_nat_clients
nat (vpn,infrastructure) source static obj_nat_vpn obj_nat_vpn
nat (vpn,server) source static obj_nat_vpn obj_nat_vpn
nat (vpn,clients) source static obj_nat_vpn obj_nat_vpn
nat (server,infrastructure) source static obj_nat_server obj_nat_server
nat (server,clients) source static obj_nat_server obj_nat_server
nat (server,vpn) source static obj_nat_server obj_nat_server
!
12-10-2015 12:41 AM
Is there a reason why you have NAT rules between your client, infrastructure and server vlans? You don't need to NAT between them, and it's probably better if you don't.
Remove the NAT rules between those interfaces, then test again.
Do you have communication between your DHCP/DNS and the guests?
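As an added illustration (not code from this thread, from Cisco, or from the ASA itself), a small Python checker that applies the two points raised in the replies above to a constructed excerpt modelled on the posted config: it flags NAT rules whose both sides are internal interfaces (security-level above 0), and lists interfaces that carry no inbound access-group, where the ASA default rules decide what passes (lower-to-higher denied, same-security open under `same-security-traffic permit inter-interface`). The regexes and the treatment of "security-level > 0" as "internal" are this example's own assumptions.

```python
import re

# Constructed excerpt modelled on the config posted in this thread; not the full config.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
interface GigabitEthernet1/2.100
 nameif infrastructure
 security-level 100
interface GigabitEthernet1/2.110
 nameif server
 security-level 100
interface GigabitEthernet1/2.190
 nameif Guest
 security-level 50
same-security-traffic permit inter-interface
nat (infrastructure,outside) dynamic interface
nat (infrastructure,server) source static obj_nat_infrastructure obj_nat_infrastructure
nat (server,infrastructure) source static obj_nat_server obj_nat_server
access-group outside_access_in in interface outside
"""

def security_levels(config):
    """Map each nameif to its security-level by walking the interface stanzas."""
    levels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            current = m.group(1)
        m = re.match(r"\s*security-level (\d+)", line)
        if m and current:
            levels[current] = int(m.group(1))
    return levels

def internal_nat_rules(config, levels):
    """NAT rules with both interfaces above security-level 0 (internal VLANs): unneeded."""
    found = []
    for line in config.splitlines():
        m = re.match(r"\s*nat \((\S+),(\S+)\)", line)
        if m and levels.get(m.group(1), 0) > 0 and levels.get(m.group(2), 0) > 0:
            found.append((m.group(1), m.group(2)))
    return found

def interfaces_without_acl(config, levels):
    """Interfaces with no inbound access-group: lower-to-higher traffic (Guest -> infrastructure)
    is denied by default, and same-security peers are wide open under 'permit inter-interface'."""
    has_acl = set(re.findall(r"access-group \S+ in interface (\S+)", config))
    return sorted(name for name in levels if name not in has_acl)
```

Run against the real config, the second list is where the Guest DHCP/DNS ACL from the earlier reply belongs, and the first list is the set of `nat` lines to remove.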
08-14-2016 10:38 AM
Gary,
Did you ever get this solved? We have a couple dozen ASA5506s deployed and the need has come up for using subinterfaces. I'm curious if you were able to get this working properly.
Unfortunately, there isn't a lot of real-world documentation / forum examples of these kinds of things on the 5506 platform.
08-15-2016 11:37 AM
Hello Aaron, what is your particular need with the use of subinterfaces? I may be able to assist you.