08-11-2018 06:31 PM - edited 02-21-2020 08:05 AM
I have an ASA 5520 that has 3 VLANs trunked to it using sub-interfaces. My management VLAN is the inside network. What I'm trying to do is allow all traffic from the inside network to the other two VLANs so I can manage devices on those VLANs from the inside (management) VLAN.
The network topology is a little bit weird, but let me try and describe it to you.
I have a Cisco C3560G that has the ports divided up into 3 VLANs, with g0/32 being a trunk to the ASA g0/1 interface:
kat#sh run int g0/32
Building configuration...

Current configuration : 171 bytes
!
interface GigabitEthernet0/32
 description VLAN 10-12 to ASA g0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-12
 switchport mode trunk
end

kat#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/49, Gi0/50, Gi0/51, Gi0/52
10   internal                         active    Gi0/1, Gi0/2, Gi0/3, Gi0/4, Gi0/5, Gi0/6
                                                Gi0/7, Gi0/8, Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16, Gi0/41
                                                Gi0/42, Gi0/43, Gi0/44, Gi0/45, Gi0/46
                                                Gi0/47, Gi0/48
11   malware                          active    Gi0/17, Gi0/18, Gi0/19, Gi0/20, Gi0/21
                                                Gi0/22, Gi0/23, Gi0/24, Gi0/25, Gi0/26
                                                Gi0/27, Gi0/28, Gi0/29, Gi0/30, Gi0/31
12   mining                           active    Gi0/33, Gi0/34, Gi0/35, Gi0/36, Gi0/37
                                                Gi0/38, Gi0/39, Gi0/40
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
11   enet  100011     1500  -      -      -        -    -        0      0
12   enet  100012     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
The ASA used to be the primary gateway for all 3 VLANs, but now it's only the gateway using NAT for the inside network. The other two VLANs have their own gateways that run through a VPN tunnel.
VLAN 10: 10.0.10.0/24 -> 10.0.10.1 (ASA)
VLAN 11: 10.0.11.0/24 -> 10.0.11.1 (pfSense firewall w/VPN tunnel)
VLAN 12: 10.0.12.0/24 -> 10.0.12.1 (Linksys WRT3200 w/VPN tunnel)
My running config on the ASA 5520:
asa(config-subif)# show run
: Saved
:
: Serial Number: JMX1321L13X
: Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)23
!
hostname asa
domain-name int.redacted.com
enable password aPm5byzadEJJiPH6 encrypted
names
!
interface GigabitEthernet0/0
 description Verizon Fios uplink
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 description Internal/Management VLAN
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1.11
 description Malware VLAN
 vlan 11
 nameif malware
 security-level 10
 ip address 10.0.11.254 255.255.255.0
!
interface GigabitEthernet0/1.12
 description Mining VLAN
 vlan 12
 nameif mining
 security-level 90
 ip address 10.0.12.2 255.255.255.0
!
interface GigabitEthernet0/2
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup mining
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name int.redacted.com
dns server-group inside
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name int.redacted.com
dns server-group malware
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name mal.redacted.com
dns server-group mining
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name mine.redacted.com
dns-group inside
object network inside
 subnet 10.0.10.0 255.255.255.0
 description Internal network
object network malware
 subnet 10.0.11.0 255.255.255.0
 description Malware network
object network mining
 subnet 10.0.12.0 255.255.255.0
 description Mining network
object network revive-http
 host 10.0.12.254
object network revive-api
 host 10.0.12.254
access-list revive-acl extended permit ip any object revive-api
access-list revive-acl extended permit ip any object revive-http
pager lines 1024
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu malware 1500
mtu mining 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside
 nat (inside,outside) dynamic interface
object network revive-http
 nat (mining,outside) static interface service tcp www 5500
object network revive-api
 nat (mining,outside) static interface service tcp 5555 5555
access-group revive-acl in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.10.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh cipher encryption all
ssh cipher integrity all
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 10.0.10.100-10.0.10.225 inside
dhcpd enable inside
!
dhcpd address 10.0.11.100-10.0.11.225 malware
!
dhcpd address 10.0.12.100-10.0.12.225 mining
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.138.141.172
username jfa password 8gOcVb0zTsNHS6Ne encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map expressvpn
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1b76a58ca9515d95915376aa143d809f
: end
From the ASA I can ping devices on any of the VLANs as expected. I know this is probably something super simple, but I'm pretty green.
So, in summary, VLAN 10 just needs to be able to access hosts on VLANs 11 & 12:
Yes: 10.0.10.0/24 -> 10.0.11.0/24
Yes: 10.0.10.0/24 -> 10.0.12.0/24
No:  10.0.11.0/24 -> 10.0.10.0/24
No:  10.0.11.0/24 -> 10.0.12.0/24
No:  10.0.12.0/24 -> 10.0.10.0/24
No:  10.0.12.0/24 -> 10.0.11.0/24
Thank you in advance for your help!
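Added example (not part of the post above, and not Cisco's code): a small Python model of the ASA's default inter-interface policy, evaluated against the security levels in the posted config and the desired "Yes/No" matrix. With no access-group applied inbound on a sub-interface, the ASA permits connections initiated from a higher security level toward a lower one, denies lower-to-higher, and denies equal-to-equal unless `same-security-traffic permit inter-interface` is configured. The script lists the matrix rows the defaults do not satisfy and generates explicit `access-list` / `access-group` lines that encode the matrix directly. The ACL name `<if>_access_in` is a constructed placeholder, not from the post.

```python
"""Model of ASA default inter-interface policy vs. a desired access matrix.

Constructed example; the security levels and subnets are taken from the
config posted in the thread, the ACL naming is an assumption.
"""
import ipaddress

# Interface -> security-level, from the posted 'show run'.
SECURITY_LEVELS = {"inside": 100, "malware": 10, "mining": 90}

# Interface -> connected subnet, from the posted 'show run'.
SUBNETS = {
    "inside": "10.0.10.0/24",
    "malware": "10.0.11.0/24",
    "mining": "10.0.12.0/24",
}

# (source interface, destination interface) -> wanted?  Mirrors the poster's
# Yes/No list: only inside may initiate toward the other two VLANs.
DESIRED = {
    ("inside", "malware"): True,
    ("inside", "mining"): True,
    ("malware", "inside"): False,
    ("malware", "mining"): False,
    ("mining", "inside"): False,
    ("mining", "malware"): False,
}


def default_permit(src_if, dst_if, levels=SECURITY_LEVELS, same_security_inter=False):
    """True if the ASA permits connections initiated on src_if toward dst_if
    when no inbound access-group is applied on src_if.

    higher -> lower : permitted
    lower  -> higher: denied (needs an ACL)
    equal  -> equal : denied unless same-security-traffic permit inter-interface
    """
    s, d = levels[src_if], levels[dst_if]
    if s > d:
        return True
    if s < d:
        return False
    return same_security_inter


def evaluate(levels=SECURITY_LEVELS, desired=DESIRED):
    """Map each matrix row to what the security-level defaults actually do."""
    return {pair: default_permit(*pair, levels=levels) for pair in desired}


def mismatches(levels=SECURITY_LEVELS, desired=DESIRED):
    """Rows where the default policy disagrees with the desired matrix."""
    return [pair for pair, want in desired.items()
            if default_permit(*pair, levels=levels) != want]


def _net_mask(cidr):
    """'10.0.10.0/24' -> '10.0.10.0 255.255.255.0' (ASA address/mask syntax)."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.netmask}"


def acl_lines(src_if, desired=DESIRED, subnets=SUBNETS, acl_name=None):
    """Explicit ASA ACL for src_if that permits exactly the wanted rows.

    An inbound access-group replaces the security-level default and ends in
    an implicit deny, so anything not listed (including outbound Internet
    traffic from that interface) would also need a permit line.
    """
    name = acl_name or f"{src_if}_access_in"  # hypothetical ACL name
    lines = [
        f"access-list {name} extended permit ip "
        f"{_net_mask(subnets[s])} {_net_mask(subnets[d])}"
        for (s, d), want in desired.items() if s == src_if and want
    ]
    lines.append(f"access-group {name} in interface {src_if}")
    return lines


if __name__ == "__main__":
    for pair, permitted in evaluate().items():
        flag = "" if permitted == DESIRED[pair] else "   <-- differs from desired"
        print(f"{pair[0]:>8} -> {pair[1]:<8} default: {permitted}{flag}")
    print("\nExplicit ACL for the inside interface:")
    print("\n".join(acl_lines("inside")))
```

Run as-is, the model shows that inside (100) toward malware (10) and mining (90) is already permitted by the security levels alone, but it also flags one row the defaults get wrong: mining (90) toward malware (10) is permitted even though the matrix says No. The check only covers the ASA's own interface policy; hosts on VLANs 11 and 12 use the pfSense and Linksys boxes as their gateways, so reply traffic for connections the ASA forwards may return along a path the ASA never sees, which is a separate thing to verify.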