09-24-2013 06:42 AM - edited 03-11-2019 07:42 PM
Hi,
I've recently configured inter-VLAN routing on an ASA5512 running v9.1. Everything seemed OK until I noticed that one segment (192.168.20.x) is able to ping the other two segments (192.168.11.x & 192.168.10.x) but not the reverse. Could anyone please advise? Config is below...
ASA Version 9.1(1)
!
hostname 5515-ASA
names
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface Port-channel1.1
vlan 1
nameif USER
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Port-channel1.10
vlan 10
nameif VOICE
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Port-channel1.20
vlan 20
nameif VIDEO
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Port-channel1.30
vlan 30
nameif GUEST
security-level 0
ip address 192.168.30.1 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone SGT 8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network GUEST
subnet 192.168.30.0 255.255.255.0
object network USER
subnet 192.168.11.0 255.255.255.0
object network VIDEO
subnet 192.168.20.0 255.255.255.0
object network VOICE
subnet 192.168.10.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.10.10.0_25
subnet 10.10.10.0 255.255.255.128
object network CCTV
host 192.168.11.11
object network Server
host 192.168.11.10
access-list OUTSIDE_access_in extended permit ip any object CCTV
access-list OUTSIDE_access_in extended permit ip any object Server
access-list USER_access_in extended permit ip 192.168.11.0 255.255.255.0 any
access-list VIDEO_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-list VOICE_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-list GUEST_access_in extended permit ip any any
pager lines 24
logging asdm debugging
mtu OUTSIDE 1500
mtu management 1500
mtu USER 1500
mtu VOICE 1500
mtu VIDEO 1500
mtu GUEST 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (USER,OUTSIDE) source static USER USER destination static NETWORK_OBJ_10.10.10.0_25 NETWORK_OBJ_10.10.10.0_25 no-proxy-arp route-lookup
nat (VOICE,OUTSIDE) source static VOICE VOICE destination static NETWORK_OBJ_10.10.10.0_25 NETWORK_OBJ_10.10.10.0_25 no-proxy-arp route-lookup
nat (VIDEO,OUTSIDE) source static VIDEO VIDEO destination static NETWORK_OBJ_10.10.10.0_25 NETWORK_OBJ_10.10.10.0_25 no-proxy-arp route-lookup
!
object network GUEST
nat (GUEST,OUTSIDE) dynamic interface
object network USER
nat (USER,OUTSIDE) dynamic interface
object network VIDEO
nat (VIDEO,OUTSIDE) dynamic interface
object network VOICE
nat (VOICE,OUTSIDE) dynamic interface
object network CCTV
nat (any,any) static 27.54.44.147 net-to-net
object network Server
nat (any,any) static 27.54.44.148 net-to-net
access-group OUTSIDE_access_in in interface OUTSIDE
access-group USER_access_in in interface USER
access-group VOICE_access_in in interface VOICE
access-group VIDEO_access_in in interface VIDEO
access-group GUEST_access_in in interface GUEST
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
09-24-2013 08:31 AM
Hi,
After a very quick scan: your ACL is wrong on the VOICE interface.
access-list VOICE_access_in extended permit ip 192.168.20.0 255.255.255.0 any
should be
access-list VOICE_access_in extended permit ip 192.168.10.0 255.255.255.0 any
Test that and let me know. I will come and take another butcher's later - gotta run.
Andy
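The mistake Andy points out is a class of error that is easy to catch mechanically: an inbound interface ACL whose permitted source networks do not include the subnet configured on that very interface. The script below is an added example for this thread (not the original poster's config, not Cisco code, and not from Andy's reply). It parses the `interface`/`nameif`/`ip address`, `object network`, `access-list ... extended permit` and `access-group ... in interface` lines of an ASA running-config and reports every bound ACL that fails to cover its own interface subnet. The sample config embedded in it is constructed from the relevant lines of the posted config; anything else it prints is derived from those lines only.

```python
"""Audit a Cisco ASA config for inbound interface ACLs whose permitted source
networks do not cover the subnet of the interface they are applied to.

Added example for this thread, not from the original poster or from Cisco.
It is a text heuristic for the one mistake spotted above (VOICE_access_in
permitting 192.168.20.0/24 on an interface addressed 192.168.10.1/24); it
does not replace `packet-tracer` or `show access-list` on the firewall.
"""
import ipaddress
import re

# Constructed sample: the interface, ACL and access-group lines from the posted config.
SAMPLE_CONFIG = """\
interface Port-channel1.1
 nameif USER
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Port-channel1.10
 nameif VOICE
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Port-channel1.20
 nameif VIDEO
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
access-list USER_access_in extended permit ip 192.168.11.0 255.255.255.0 any
access-list VIDEO_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-list VOICE_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-group USER_access_in in interface USER
access-group VOICE_access_in in interface VOICE
access-group VIDEO_access_in in interface VIDEO
"""


def parse_interfaces(config):
    """Return {nameif: IPv4Network} for every interface block that has an address."""
    interfaces, block = {}, {}
    for raw in config.splitlines() + ["!"]:      # trailing "!" flushes the last block
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            if "nameif" in block and "net" in block:
                interfaces[block["nameif"]] = block["net"]
            block = {}
        elif line.startswith("nameif "):
            block["nameif"] = line.split()[1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()[:4]     # [:4] ignores a trailing "standby x.x.x.x"
            block["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return interfaces


def parse_objects(config):
    """Return {name: IPv4Network} for `object network` entries defined by subnet or host.

    Indentation is not relied on, because forum pastes usually lose it: a
    `subnet`/`host` line is attributed to the most recent `object network` line."""
    objects, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            name = line.split()[2]
        elif name and line.startswith("subnet "):
            _, ip, mask = line.split()[:3]
            objects[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif name and line.startswith("host "):
            objects[name] = ipaddress.ip_network(line.split()[1] + "/32")
    return objects


def parse_acl_sources(config, objects):
    """Return {acl name: [IPv4Network, ...]} of the permitted *source* networks."""
    sources = {}
    pat = re.compile(r"^\s*access-list (\S+) extended permit \S+ (.+)$", re.M)
    for acl, rest in pat.findall(config):
        tok = rest.split()
        if tok[0] in ("any", "any4"):
            net = ipaddress.ip_network("0.0.0.0/0")
        elif tok[0] == "host":
            net = ipaddress.ip_network(tok[1] + "/32")
        elif tok[0] == "object":
            net = objects.get(tok[1])
        elif re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tok[0]):
            net = ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False)
        else:
            net = None          # object-group / protocol object-group: not resolved here
        if net is not None:
            sources.setdefault(acl, []).append(net)
    return sources


def audit(config):
    """Return [(nameif, acl, interface_subnet, permitted_sources)] for each
    inbound interface ACL that does not fully cover its own interface subnet."""
    ifaces = parse_interfaces(config)
    acls = parse_acl_sources(config, parse_objects(config))
    findings = []
    for acl, nameif in re.findall(r"^\s*access-group (\S+) in interface (\S+)", config, re.M):
        subnet = ifaces.get(nameif)
        if subnet is None:
            continue
        permitted = acls.get(acl, [])
        if not any(subnet.subnet_of(src) for src in permitted):
            findings.append((nameif, acl, str(subnet), [str(s) for s in permitted]))
    return findings


if __name__ == "__main__":
    for nameif, acl, subnet, permitted in audit(SAMPLE_CONFIG):
        print(f"{nameif}: {acl} permits sources {permitted}, but the interface is {subnet}")
```

Run against the sample it reports only the VOICE interface; once the source in VOICE_access_in is changed to 192.168.10.0 the report is empty. The check is deliberately narrow: an ACL that omits its own subnet is a configuration error regardless of what else is wrong, but an ACL that passes this check can still drop traffic for other reasons (NAT, routing, the far host's own firewall), so confirm on the box with `packet-tracer input VOICE icmp <src> 8 0 <dst>` and `show access-list`, which also shows hit counts per line.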
09-24-2013 05:04 PM
Hi Wantser,
After the changes it is still the same: I can't ping 192.168.20.x from any other subnet, but I can ping the other subnets from 192.168.20.x. Please help.