08-07-2012 03:52 AM - edited 03-11-2019 04:39 PM
Hello,
I'm trying to get my ASA to route between 7 VLANs (later on I will restrict access to some of them with access-lists), but I have a few problems with it.
My setup is ASA5510 - 4503e - 3750 - IBM Bladecenter
The clients (VLAN10) will be connected on the 4503e.
A PC connected to the 4503e, assigned to the VLANs, can ping the gateway (ASA), but it can't ping any of the other gateways or servers.
A user connecting in with AnyConnect can't ping anything.
____________________
ASA config is as follow:
Result of the command: "sh run"
: Saved
:
ASA Version 8.4(4)1
!
hostname XXX-XX-XX
domain-name XxXxX.XXX
enable password QM5nOAE9UWKOiQfB encrypted
passwd 2DQFnbWIDI.2KMeU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/3.10
description VLAN 10
vlan 10
nameif VLAN10
security-level 100
ip address 10.0.11.254 255.255.254.0
!
interface Ethernet0/3.20
description VLAN 20
vlan 20
nameif VLAN20
security-level 90
ip address 10.0.23.254 255.255.252.0
!
interface Ethernet0/3.30
description VLAN 30
vlan 30
nameif VLAN30
security-level 100
ip address 10.0.30.254 255.255.255.0
!
interface Ethernet0/3.40
description VLAN 40
vlan 40
nameif VLAN40
security-level 100
ip address 10.0.40.254 255.255.255.0
!
interface Ethernet0/3.50
description VLAN 50
vlan 50
nameif VLAN50
security-level 100
ip address 10.0.50.254 255.255.255.0
!
interface Ethernet0/3.120
description VLAN 120
vlan 120
nameif VLAN120
security-level 100
ip address 10.0.120.254 255.255.255.0
!
interface Ethernet0/3.121
description VLAN 121
vlan 121
nameif VLAN121
security-level 100
ip address 10.0.121.254 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
regex matchall "."
ftp mode passive
dns domain-lookup VLAN10
dns domain-lookup VLAN20
dns domain-lookup VLAN120
dns domain-lookup VLAN121
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name XxXxX.XXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-vlan10
subnet 10.0.10.0 255.255.254.0
description VLAN 10
object network obj-vlan20
subnet 10.0.20.0 255.255.252.0
description VLAN 20
object network obj-vlan30
subnet 10.0.30.0 255.255.255.0
description VLAN 30
object network obj-vlan40
subnet 10.0.40.0 255.255.255.0
description VLAN 40
object network obj-vlan50
subnet 10.0.50.0 255.255.255.0
description VLAN 50
object network obj-vlan120
subnet 10.0.120.0 255.255.255.0
description VLAN 120
object network obj-vlan121
subnet 10.0.50.0 255.255.255.0
description VLAN 121
object network obj-range-homeuser
range 192.168.0.1 192.168.0.30
description for homeusers
object network IPv6-homeuser
description For homeusers
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list outside_access_in extended permit ip object obj-range-homeuser object obj-vlan121
access-list outside_access_in extended permit ip object obj-range-homeuser object obj-vlan120
access-list outside_access_in extended permit ip object obj-range-homeuser any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu VLAN10 1500
mtu VLAN20 1500
mtu VLAN30 1500
mtu VLAN40 1500
mtu VLAN50 1500
mtu VLAN120 1500
mtu VLAN121 1500
ip local pool IPv4-homeuser 192.168.0.1-192.168.0.30 mask 255.255.255.224
ipv6 local pool IPv6-homeuser fd61:5309:a095:ea4e::1/64 30
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,outside) source dynamic obj-range-homeuser interface description internet access to homeusers
!
object network obj-vlan10
nat (VLAN10,outside) dynamic interface
object network obj-vlan20
nat (VLAN20,outside) dynamic interface
object network obj-vlan30
nat (VLAN30,outside) dynamic interface
object network obj-vlan50
nat (VLAN121,outside) dynamic interface
object network obj-vlan121
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http 192.168.0.0 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!
! REMOVED ALL CRYPTO AS IT IS DEFAULT SETTINGS
!
telnet timeout 5
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.0.08057-k9.pkg 1
anyconnect enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy GPO-homeuser internal
group-policy GPO-homeuser attributes
banner value !!! All trafick is going in to the tunnel!!!
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
default-domain value intops.dk
split-tunnel-all-dns enable
address-pools value IPv4-homeuser
ipv6-address-pools value IPv6-homeuser
username CIS-1312 password XXXXXXXXXX encrypted privilege 0
username CIS-1312 attributes
vpn-group-policy GPO-homeuser
service-type remote-access
username CIS-1311 password XXXXXXXXXX encrypted privilege 15
username CIS-1311 attributes
vpn-group-policy GPO-homeuser
tunnel-group TG-homeuser type remote-access
tunnel-group TG-homeuser general-attributes
address-pool IPv4-homeuser
ipv6-address-pool IPv6-homeuser
default-group-policy GPO-homeuser
tunnel-group TG-homeuser webvpn-attributes
group-alias homeuser enable
!
class-map type regex match-any DomainLogList
match regex matchall
class-map type inspect http match-all LogDomainsClass
match request header host regex class DomainLogList
class-map inspection_default
match default-inspection-traffic
class-map global-log_url
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
policy-map type inspect http http_inspection_policy_url-lookup
description log url string
parameters
class LogDomainsClass
log
!
class global-log_url
inspect http http_inspection_policy_url-lookup
: end
_______________________
Running config from 4503e:
Building configuration...
Current configuration : 2321 bytes
!
version 12.2
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
vtp domain ''
vtp mode transparent
ip subnet-zero
no ip domain-lookup
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!
vlan internal allocation policy ascending
!
vlan 10
name VLAN10
!
vlan 20
name VLAN20
!
vlan 30
name VLAN30
!
vlan 40
name VLAN40
!
vlan 50
name VLAN50
!
vlan 120
name VLAN120
!
vlan 121
name VLAN121
!
interface GigabitEthernet1/1
description AMM - 1
!
interface GigabitEthernet1/2
description AMM - 2
!
interface GigabitEthernet1/3
description TS-3100
!
interface GigabitEthernet1/4
description DS-3512 - bravo
!
interface GigabitEthernet1/5
description DS-3512 - alfa
!
interface GigabitEthernet1/6
!
interface GigabitEthernet1/11
!
interface GigabitEthernet1/12
description ASA 0/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/20
!
interface GigabitEthernet2/1
!
interface GigabitEthernet3/6
!
interface Vlan1
no ip address
!
interface Vlan10
no ip address
!
interface Vlan20
no ip address
!
interface Vlan30
no ip address
!
interface Vlan40
no ip address
!
interface Vlan50
no ip address
!
interface Vlan120
ip address 10.0.120.253 255.255.255.0
!
interface Vlan121
no ip address
!
ip default-gateway 10.0.120.254
ip route 0.0.0.0 0.0.0.0 10.0.120.254
no ip http server
!
line con 0
stopbits 1
line vty 0 4
!
end
_________________
I have removed some interfaces, as there isn't any config on them.
08-07-2012 04:28 AM
You would need to configure NAT exemption as follows:
nat (VLAN10,VLAN20) source static obj-vlan10 obj-vlan10 destination static obj-vlan20 obj-vlan20
nat (VLAN10,VLAN30) source static obj-vlan10 obj-vlan10 destination static obj-vlan30 obj-vlan30
nat (VLAN10,VLAN40) source static obj-vlan10 obj-vlan10 destination static obj-vlan40 obj-vlan40
nat (VLAN10,VLAN50) source static obj-vlan10 obj-vlan10 destination static obj-vlan50 obj-vlan50
nat (VLAN10,VLAN120) source static obj-vlan10 obj-vlan10 destination static obj-vlan120 obj-vlan120
nat (VLAN10,VLAN121) source static obj-vlan10 obj-vlan10 destination static obj-vlan121 obj-vlan121
nat (VLAN30,VLAN20) source static obj-vlan30 obj-vlan30 destination static obj-vlan20 obj-vlan20
nat (VLAN30,VLAN40) source static obj-vlan30 obj-vlan30 destination static obj-vlan40 obj-vlan40
nat (VLAN30,VLAN50) source static obj-vlan30 obj-vlan30 destination static obj-vlan50 obj-vlan50
nat (VLAN30,VLAN120) source static obj-vlan30 obj-vlan30 destination static obj-vlan120 obj-vlan120
nat (VLAN30,VLAN121) source static obj-vlan30 obj-vlan30 destination static obj-vlan121 obj-vlan121
nat (VLAN40,VLAN20) source static obj-vlan40 obj-vlan40 destination static obj-vlan20 obj-vlan20
nat (VLAN40,VLAN50) source static obj-vlan40 obj-vlan40 destination static obj-vlan50 obj-vlan50
nat (VLAN40,VLAN120) source static obj-vlan40 obj-vlan40 destination static obj-vlan120 obj-vlan120
nat (VLAN40,VLAN121) source static obj-vlan40 obj-vlan40 destination static obj-vlan121 obj-vlan121
nat (VLAN50,VLAN20) source static obj-vlan50 obj-vlan50 destination static obj-vlan20 obj-vlan20
nat (VLAN50,VLAN120) source static obj-vlan50 obj-vlan50 destination static obj-vlan120 obj-vlan120
nat (VLAN50,VLAN121) source static obj-vlan50 obj-vlan50 destination static obj-vlan121 obj-vlan121
nat (VLAN120,VLAN20) source static obj-vlan120 obj-vlan120 destination static obj-vlan20 obj-vlan20
nat (VLAN120,VLAN121) source static obj-vlan120 obj-vlan120 destination static obj-vlan121 obj-vlan121
nat (VLAN121,VLAN20) source static obj-vlan121 obj-vlan121 destination static obj-vlan20 obj-vlan20
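Twenty-one hand-typed twice-NAT lines are easy to get wrong (a mistyped interface name or a pair listed twice while another pair is missing is all it takes for one direction to keep failing). The script below is an added example, not part of the thread: it generates one identity twice-NAT rule per unordered pair of internal interfaces from a single table, refuses to emit anything if two network objects overlap, and also shows the object-group form of the same exemption. The interface and object names are the ones from the posted ASA config; the subnet assumed for obj-vlan121 is 10.0.121.0/24 (the posted object carries 10.0.50.0, the same subnet as obj-vlan50, which looks like a copy-paste error and is exactly what the overlap check is meant to catch).

```python
"""Generate ASA 8.3+ twice-NAT identity rules ("NAT exemption") for every
pair of internal interfaces.

Added example for this thread, not the original poster's or answerer's code.
Names mirror the posted ASA config; the subnet for obj-vlan121 is assumed
to be 10.0.121.0/24 (the posted object has 10.0.50.0, which overlaps
obj-vlan50).
"""
from itertools import combinations
import ipaddress

# (nameif, network object, subnet) taken from the posted config, except the
# obj-vlan121 subnet, which is an assumption (see module docstring).
INTERNAL = [
    ("VLAN10",  "obj-vlan10",  "10.0.10.0/23"),
    ("VLAN20",  "obj-vlan20",  "10.0.20.0/22"),
    ("VLAN30",  "obj-vlan30",  "10.0.30.0/24"),
    ("VLAN40",  "obj-vlan40",  "10.0.40.0/24"),
    ("VLAN50",  "obj-vlan50",  "10.0.50.0/24"),
    ("VLAN120", "obj-vlan120", "10.0.120.0/24"),
    ("VLAN121", "obj-vlan121", "10.0.121.0/24"),
]


def check_subnets(entries):
    """Return a list of overlap descriptions (empty when the table is clean).

    Two objects covering the same address space make NAT match the wrong
    object silently, so refuse to generate rules until this is empty.
    """
    nets = [(obj, ipaddress.ip_network(cidr)) for _, obj, cidr in entries]
    return [
        f"{a_obj} {a} overlaps {b_obj} {b}"
        for (a_obj, a), (b_obj, b) in combinations(nets, 2)
        if a.overlaps(b)
    ]


def nat_exemptions(entries):
    """One identity twice-NAT rule per unordered interface pair.

    A static twice-NAT rule is bidirectional, so (VLAN20,VLAN50) also covers
    VLAN50 -> VLAN20. Twice NAT sits in section 1 of the NAT table, ahead of
    the per-object 'dynamic interface' PAT rules in section 2.
    """
    return [
        f"nat ({if_a},{if_b}) source static {obj_a} {obj_a} "
        f"destination static {obj_b} {obj_b}"
        for (if_a, obj_a, _), (if_b, obj_b, _) in combinations(entries, 2)
    ]


def object_group_exemption(entries, group="OG-internal"):
    """Alternative form: one object-group and a single (any,any) identity
    rule that exempts all internal-to-internal traffic at once.
    The group name is an assumption for this example.
    """
    lines = [f"object-group network {group}"]
    lines += [f" network-object object {obj}" for _, obj, _ in entries]
    lines.append(
        f"nat (any,any) source static {group} {group} "
        f"destination static {group} {group}"
    )
    return lines


if __name__ == "__main__":
    problems = check_subnets(INTERNAL)
    if problems:
        raise SystemExit("refusing to generate rules:\n" + "\n".join(problems))
    print("\n".join(nat_exemptions(INTERNAL)))
```

Paste the output into the ASA, then confirm the exemption is hit before any PAT rule with `show nat detail` and a trace such as `packet-tracer input VLAN10 icmp 10.0.10.5 8 0 10.0.20.5`; the NAT phase of the trace should show the identity rule, not the `dynamic interface` rule. Without `inspect icmp` in the global policy the trace still stops at the ACL phase for the echo reply, which is the second point raised later in the thread.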
08-07-2012 04:38 AM
In addition to the NAT exemption, I don't see any L3-MPF in your config. There should be something like this:
policy-map global_policy
class inspection_default
...
inspect icmp !<---- This line is needed for pinging through the ASA
!
service-policy global_policy global
08-17-2012 01:25 AM
Hi,
Sorry for the late answer, got caught up with a few other problems.
Thanks Jennifer Halim, that helped, and I also got the AnyConnect to work.