Cisco ASA inter-VLAN routing

Hello Cisco community,

Can I please have some ideas on how I can configure inter-VLAN routing on a Cisco ASA? I have shared my current config and diagram.

What can I add to complete the config so that all the VLANs can communicate with each other? Any help would be highly appreciated.

Best Regards,

Veera.

Cisco ASA:

ciscoasa(config)# sh run
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium II 1000 MHz
:
ASA Version 9.1(5)16
!
hostname ciscoasa

!
interface Ethernet0
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface Ethernet1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface Ethernet2
nameif outside
security-level 0
ip address 192.168.1.55 255.255.255.0

!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface Port-channel1.10
vlan 10
nameif vlan10
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Port-channel1.20
vlan 20
nameif vlan20
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Port-channel1.30
vlan 30
nameif vlan30
security-level 100
ip address 192.168.30.1 255.255.255.0
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network vlan10
subnet 192.168.10.0 255.255.255.0
object network vlan20
subnet 192.168.20.0 255.255.255.0
object network vlan30
subnet 192.168.30.0 255.255.255.0

!
object network vlan10
nat (vlan10,outside) dynamic interface
object network vlan20
nat (vlan20,outside) dynamic interface
object network vlan30
nat (vlan30,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

dhcpd address 192.168.10.5-192.168.10.100 vlan10
dhcpd dns 8.8.8.8 interface vlan10
dhcpd enable vlan10
!
dhcpd address 192.168.20.5-192.168.20.100 vlan20
dhcpd dns 8.8.8.8 interface vlan20
dhcpd enable vlan20
!
dhcpd address 192.168.30.5-192.168.30.100 vlan30
dhcpd dns 8.8.8.8 interface vlan30
dhcpd enable vlan30
!
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!

ciscoasa(config)#


Are you able to ping the default gateway for each VLAN? If yes, then I would suggest verifying the default gateway configuration on the endpoints you are testing between.

Your configuration should allow inter-VLAN traffic. If this is a virtual-environment test lab, then the issue might be in the virtualization and you might need to rebuild the setup.

--
Please remember to select a correct answer and rate helpful posts

Hello @Marius Gunnerud,

Thanks for your reply. Yes, I am able to ping the default gateway of each VLAN (10, 20, 30), and I can also get to the internet from all VLANs, but I can't ping from one VLAN to another.

Did you provide the full configuration from the ASA, or did you leave something out? Could you also provide the configuration of the switch?

Is this a virtual environment?

--
Please remember to select a correct answer and rate helpful posts

Hello @Marius Gunnerud, thanks for your input on this. Your help is much appreciated.

I have provided all of the ASA configuration above.

This is the switch configuration; by the way, this is a GNS3 lab.

IOU1#sh run
Building configuration...

Current configuration : 2242 bytes
!
! Last configuration change at 20:36:59 UTC Wed Oct 18 2023
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname IOU1
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
!
no aaa new-model
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
no ip domain-lookup
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface Ethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface Ethernet0/2
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface Ethernet0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast edge
!
interface Ethernet1/0
switchport access vlan 30
switchport mode access
spanning-tree portfast edge
!
interface Ethernet1/1
switchport access vlan 10
switchport mode access
spanning-tree portfast edge
!
interface Ethernet1/2
!
interface Ethernet1/3
!
interface Ethernet2/0
!
interface Ethernet2/1
!
interface Ethernet2/2
!
interface Ethernet2/3
!
interface Ethernet3/0
!
interface Ethernet3/1
!
interface Ethernet3/2
!
interface Ethernet3/3
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
!
interface Vlan30
ip address 192.168.30.2 255.255.255.0
!
!
router eigrp 1
network 0.0.0.0
!
ip forward-protocol nd
!
ip tcp synwait-time 5
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
!
end


First off, remove the VLAN interfaces on the switch for VLANs 10, 20 and 30, so as to remove any possibility of the switch doing inter-VLAN routing, and make sure the client machines are configured with the relevant firewall IP as their default gateway.

If this does not solve the issue, then I suggest backing up the configuration on both the firewall and the switch, deleting them from GNS3 and then adding them back. I have experienced previously with GNS3 that the virtual emulation of the devices messes with the switching of traffic.

--
Please remember to select a correct answer and rate helpful posts
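The switch clean-up and the firewall-side checks from the reply above, written out as an added example (this is not configuration from the thread's authors). With SVIs in every subnet and `router eigrp 1 network 0.0.0.0`, the switch is a second router in each VLAN, so a host pointed at the .2 address would bypass the ASA entirely. The host addresses 192.168.10.5 and 192.168.20.5 are assumed DHCP leases from the pools in the posted ASA config.

```cisco
! --- IOU1 (switch): take the switch out of the routing path ---
configure terminal
 no interface Vlan10
 no interface Vlan20
 no interface Vlan30
 no router eigrp 1
 ! Vlan1 stays shut; the Port-channel1 trunk still carries VLANs 10/20/30 to the ASA
end
write memory

! --- ciscoasa: confirm the firewall itself will forward between the VLANs ---
show running-config same-security-traffic
! expect both lines to be present (both are in the posted config):
!   same-security-traffic permit inter-interface
!   same-security-traffic permit intra-interface

show nat
! expect only the three (vlanXX,outside) dynamic rules;
! nothing should translate traffic between the vlan interfaces

! simulate an echo-request (ICMP type 8, code 0) from a VLAN 10 host to a VLAN 20 host
packet-tracer input vlan10 icmp 192.168.10.5 8 0 192.168.20.5 detailed
! the final phase should read "Action: allow" with egress interface vlan20.
! "drop" here means the ASA is the problem (check the phase that dropped it);
! "allow" here plus a failing real ping points at the host gateway or the GNS3 emulation
```

Once the SVIs are gone, each host's only gateway candidate is the ASA's .1 address, which is also what the `dhcpd` pools in the posted config hand out.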

Make sure that you use the gateway (the IP of the FW's VLAN interface) on each host.
