Getting vlans to communicate.

rpulido71
Level 1

First I would like to state that I have zero experience with the ASA 5505 but I am a fast learner. We recently experienced a power surge that wiped our ASA 5505 completely. We have since reloaded the software and created a fresh configuration file using a PuTTY output file we had. The network consists of four VLANs (vlan1 inside, vlan 2 outside, vlan 4 ATT, vlan 201 PLC). My issue is that vlan 4 and vlan 201 will not communicate with each other. I have used the packet-tracer command and it doesn't show a drop. I have also tried pinging from vlan 201 to vlan 4 and vice versa. Any guidance would be much appreciated.

My running configuration is as follows:

sho run
: Saved
:
ASA Version 8.2(1)
!
hostname SCADAFirewall
domain-name scadanet.local
enable password 0s8uhgiYA16dXSsN encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 198.100.147.0 inside-network147
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 198.100.146.199 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.48.31.26 255.255.255.248
!
interface Vlan4
 nameif ATT
 security-level 10
 ip address 192.168.199.1 255.255.255.0
!
interface Vlan201
 nameif PLC
 security-level 50
 ip address 10.11.12.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 no shutdown
!
interface Ethernet0/2
 switchport access vlan 4
 no shutdown
!
interface Ethernet0/3
 switchport access vlan 201
 no shutdown
!
interface Ethernet0/4
 no shutdown
!
interface Ethernet0/5
 no shutdown
!
interface Ethernet0/6
 no shutdown
!
interface Ethernet0/7
 switchport access vlan 3
 no shutdown
!
boot system disk0:/asa821-k8.bin
no ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 12.127.16.67
 domain-name scadanet.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip host 198.100.146.154 any
access-list inside_access_in extended permit ip host 198.100.146.177 any
access-list inside_access_in extended permit ip host 198.100.146.153 any
access-list inside_access_in remark Temp access list to allow for windows updates
access-list inside_access_in extended permit ip any any inactive
access-list ATT_access_out extended permit ip 10.11.12.0 255.255.255.0 any
access-list ATT_access_out extended permit icmp 10.11.12.0 255.255.255.0 any
access-list PLC_in extended permit ip any any
access-list PLC_in extended permit icmp any any
access-list att extended permit icmp any any
access-list plc extended permit icmp any any
access-list PLC_access_out extended permit icmp any any
access-list PLC_access_out extended permit ip any any
access-list ATT_access_in extended permit ip 192.168.201.0 255.255.255.0 any
access-list ATT_access_in extended permit icmp 192.168.201.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu ATT 1500
mtu PLC 1500
ip local pool WEBVPN 172.16.20.2-172.16.20.20 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 198.100.146.0 255.255.255.0
nat (inside) 1 inside-network147 255.255.255.0
access-group inside_access_in in interface inside
access-group ATT_access_in in interface ATT
access-group ATT_access_out out interface ATT
access-group PLC_in in interface PLC
access-group PLC_access_out out interface PLC
route outside 0.0.0.0 0.0.0.0 12.48.31.25 1
route ATT 192.168.0.0 255.255.255.0 192.168.199.2 1
route ATT 192.168.1.0 255.255.255.0 192.168.199.2 1
route ATT 192.168.201.0 255.255.255.0 192.168.199.2 1
route inside inside-network147 255.255.255.0 198.100.146.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list value RemoteDesktop
  file-browsing disable
  file-entry disable
  http-proxy disable
  url-entry enable
  svc ask none default webvpn
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 198.100.146.154
 key RADIUSCLWA1
 radius-common-pw RADIUSCOMMON1
aaa-server RSA protocol sdi
 max-failed-attempts 5
aaa-server RSA (inside) host 198.100.146.154
http server enable
http 198.100.146.0 255.255.255.0 inside
http 192.100.146.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 198.100.146.0 255.255.255.0 inside
telnet timeout 5
ssh 198.100.146.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 webvpn
  url-list value RemoteDesktop
  file-entry disable
  file-browsing disable
  url-entry disable
group-policy WEBVPN internal
group-policy WEBVPN attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value RemoteDesktop
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool WEBVPN
 authentication-server-group RSA
 accounting-server-group RADIUS
 default-group-policy WEBVPN
!
!
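The following is an added example and not part of the thread: a small Python script that replays only the access-group stage of the posted config (the "in" list on the ingress interface, then the "out" list on the egress interface, each ending in the ASA's implicit deny) for a packet between the PLC and ATT subnets. The interface, access-list, access-group and route lines are copied from the running config above; the function names, the simplified model and the three sample host addresses are mine. On these lines, ICMP from a PLC host to an ATT host passes both lists, while a packet sourced from an ATT host falls off the end of ATT_access_in, whose only permit lines name sources in 192.168.201.0/24. NAT, security levels, connection state and licensing are not modelled, so a "permit" here is weaker than a clean packet-tracer, which is why the two pings in the original post should still each be run through packet-tracer with the real source and destination addresses.

```python
"""Replay the ACL stage of the ASA 8.2 config posted above (added example).
Models only: 'in' ACL on the ingress interface, then 'out' ACL on the egress
interface, first match wins, implicit deny at the end. Nothing else is modelled.
"""
import ipaddress

# Interface, access-list, access-group and route lines copied from the posted
# running config, trimmed to what this check needs.
CONFIG = """
interface Vlan4
 nameif ATT
 ip address 192.168.199.1 255.255.255.0
interface Vlan201
 nameif PLC
 ip address 10.11.12.1 255.255.255.0
access-list ATT_access_out extended permit ip 10.11.12.0 255.255.255.0 any
access-list ATT_access_out extended permit icmp 10.11.12.0 255.255.255.0 any
access-list PLC_in extended permit ip any any
access-list PLC_in extended permit icmp any any
access-list PLC_access_out extended permit icmp any any
access-list PLC_access_out extended permit ip any any
access-list ATT_access_in extended permit ip 192.168.201.0 255.255.255.0 any
access-list ATT_access_in extended permit icmp 192.168.201.0 255.255.255.0 any
access-group ATT_access_in in interface ATT
access-group ATT_access_out out interface ATT
access-group PLC_in in interface PLC
access-group PLC_access_out out interface PLC
route outside 0.0.0.0 0.0.0.0 12.48.31.25 1
route ATT 192.168.201.0 255.255.255.0 192.168.199.2 1
"""


def _operand(tokens):
    """Consume one ACL address operand (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse(config):
    """Return (acls, groups, routes); connected subnets are added to routes."""
    acls, groups, routes, nameif = {}, {}, [], None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            routes.append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), nameif))
        elif t[0] == "access-list" and t[2] == "extended":
            # access-list NAME extended ACTION PROTO SRC DST
            action, proto, rest = t[3], t[4], t[5:]
            src, rest = _operand(rest)
            dst, _ = _operand(rest)
            acls.setdefault(t[1], []).append((action, proto, src, dst))
        elif t[0] == "access-group":  # access-group NAME in|out interface IF
            groups[(t[4], t[2])] = t[1]
        elif t[0] == "route":  # route IF NET MASK GATEWAY [metric]
            routes.append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[1]))
    return acls, groups, routes


def interface_for(routes, addr):
    """Longest-prefix match: the interface that reaches addr (and the expected ingress for it)."""
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def acl_verdict(acl, proto, src, dst):
    """First matching line wins; falling off the end is the ASA's implicit deny."""
    for idx, (action, rproto, rsrc, rdst) in enumerate(acl):
        if rproto in ("ip", proto) and src in rsrc and dst in rdst:
            return action, idx
    return "deny", None


def check_flow(cfg, src, dst, proto="icmp"):
    """Return (permitted, trace) for src -> dst through the ingress 'in' and egress 'out' ACLs."""
    acls, groups, routes = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    trace = []
    for iface, direction in ((interface_for(routes, src), "in"), (interface_for(routes, dst), "out")):
        name = groups.get((iface, direction))
        if name is None:  # no ACL bound: security-level rules apply instead (not modelled here)
            trace.append(f"{iface} {direction}: no access-group bound")
            continue
        action, idx = acl_verdict(acls[name], proto, src, dst)
        trace.append(f"{iface} {direction}: {name} line {'implicit' if idx is None else idx + 1} -> {action}")
        if action != "permit":
            return False, trace
    return True, trace


CFG = parse(CONFIG)

if __name__ == "__main__":
    # Constructed sample hosts: one in the PLC subnet, one on ATT, one in the routed 192.168.201.0/24.
    for s, d in (("10.11.12.50", "192.168.199.2"), ("192.168.199.2", "10.11.12.50"), ("192.168.201.10", "10.11.12.50")):
        ok, trace = check_flow(CFG, s, d)
        print(f"{s} -> {d}: {'permit' if ok else 'DENY'} | " + "; ".join(trace))
```

Run it as-is to see the per-direction trace; swap the three sample addresses for the real hosts used in the ping tests to see which list, if any, ends the flow before it reaches the other VLAN.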

2 Replies

Andre Neethling
Level 4

What are the source and destination IPs you are using for your ping tests?

Which license do you have for the ASA 5505? Issue the show version command and you should see it towards the bottom of the output. If the outage wiped your ASA completely then it might have also cleared the installed license. You need a Security Plus license to be able to have more than 2 VLANs communicating with each other.

--

Please remember to select a correct answer and rate helpful posts
