Cisco ASA 9.1 inter-vlan routing

wayne loh
Level 1

Hi,

I've recently configured inter-VLAN routing on an ASA5512 running v9.1. Everything seemed OK until I noticed that one of the segments (192.168.20.x) is able to ping the other two segments (192.168.11.x and 192.168.10.x), but not the reverse way. Could anyone please advise? Config is below...

ASA Version 9.1(1)
!
hostname 5515-ASA
names
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.1
 vlan 1
 nameif USER
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Port-channel1.10
 vlan 10
 nameif VOICE
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 nameif VIDEO
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Port-channel1.30
 vlan 30
 nameif GUEST
 security-level 0
 ip address 192.168.30.1 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone SGT 8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network GUEST
 subnet 192.168.30.0 255.255.255.0
object network USER
 subnet 192.168.11.0 255.255.255.0
object network VIDEO
 subnet 192.168.20.0 255.255.255.0
object network VOICE
 subnet 192.168.10.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.10.10.0_25
 subnet 10.10.10.0 255.255.255.128
object network CCTV
 host 192.168.11.11
object network Server
 host 192.168.11.10
access-list OUTSIDE_access_in extended permit ip any object CCTV
access-list OUTSIDE_access_in extended permit ip any object Server
access-list USER_access_in extended permit ip 192.168.11.0 255.255.255.0 any
access-list VIDEO_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-list VOICE_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-list GUEST_access_in extended permit ip any any
pager lines 24
logging asdm debugging
mtu OUTSIDE 1500
mtu management 1500
mtu USER 1500
mtu VOICE 1500
mtu VIDEO 1500
mtu GUEST 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (USER,OUTSIDE) source static USER USER destination static NETWORK_OBJ_10.10.10.0_25 NETWORK_OBJ_10.10.10.0_25 no-proxy-arp route-lookup
nat (VOICE,OUTSIDE) source static VOICE VOICE destination static NETWORK_OBJ_10.10.10.0_25 NETWORK_OBJ_10.10.10.0_25 no-proxy-arp route-lookup
nat (VIDEO,OUTSIDE) source static VIDEO VIDEO destination static NETWORK_OBJ_10.10.10.0_25 NETWORK_OBJ_10.10.10.0_25 no-proxy-arp route-lookup
!
object network GUEST
 nat (GUEST,OUTSIDE) dynamic interface
object network USER
 nat (USER,OUTSIDE) dynamic interface
object network VIDEO
 nat (VIDEO,OUTSIDE) dynamic interface
object network VOICE
 nat (VOICE,OUTSIDE) dynamic interface
object network CCTV
 nat (any,any) static 27.54.44.147 net-to-net
object network Server
 nat (any,any) static 27.54.44.148 net-to-net
access-group OUTSIDE_access_in in interface OUTSIDE
access-group USER_access_in in interface USER
access-group VOICE_access_in in interface VOICE
access-group VIDEO_access_in in interface VIDEO
access-group GUEST_access_in in interface GUEST
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

Wantser1981_2
Level 1

Hi,

After a very quick scan: your ACL is wrong on the VOICE interface.

access-list VOICE_access_in extended permit ip 192.168.20.0 255.255.255.0 any

should be

access-list VOICE_access_in extended permit ip 192.168.10.0 255.255.255.0 any

Test that and let me know. I will come take another butcher's later - gotta run.

Andy
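A configuration check for the kind of mistake Andy spotted, added here as an example and not code from the thread: it parses the interface, access-list and access-group lines posted above (embedded as a constructed sample taken from that config) and reports any interface whose inbound ACL permits no source address on that interface's own subnet, which is what a copy-paste of the VIDEO line into the VOICE ACL produces.

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the ASA config posted in the question.
ASA_CONFIG = """
interface Port-channel1.1
 nameif USER
 ip address 192.168.11.1 255.255.255.0
interface Port-channel1.10
 nameif VOICE
 ip address 192.168.10.1 255.255.255.0
interface Port-channel1.20
 nameif VIDEO
 ip address 192.168.20.1 255.255.255.0
access-list USER_access_in extended permit ip 192.168.11.0 255.255.255.0 any
access-list VIDEO_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-list VOICE_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-group USER_access_in in interface USER
access-group VOICE_access_in in interface VOICE
access-group VIDEO_access_in in interface VIDEO
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def parse(config):
    """Return (nameif -> connected subnet, ACL name -> permitted source nets, nameif -> inbound ACL)."""
    subnets, acls, inbound = {}, {}, {}
    nameif = None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            nameif = None                      # new interface block; forget previous nameif
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("ip address ") and nameif:
            ip, mask = s.split()[2], s.split()[3]
            subnets[nameif] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif m := ACL_RE.match(s):             # only plain "permit ip <net> <mask> ..." entries
            acls.setdefault(m.group(1), []).append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
        elif m := GROUP_RE.match(s):
            inbound[m.group(2)] = m.group(1)
    return subnets, acls, inbound

def find_mismatched_acls(config):
    """Interfaces whose inbound ACL permits no source on the interface's own subnet.
    Packets entering an interface carry that subnet as source, so such an ACL drops them all."""
    subnets, acls, inbound = parse(config)
    problems = []
    for nameif, acl in inbound.items():
        own, sources = subnets.get(nameif), acls.get(acl, [])
        if own and not any(src.overlaps(own) for src in sources):
            problems.append((nameif, acl, str(own), [str(s) for s in sources]))
    return problems
```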

Hi Wantser,

After the changes it is still the same: I can't ping 192.168.20.x from any other subnet, but I can ping the other subnets from 192.168.20.x. Please help.
