Inter VLAN routing between two sub interfaces ASA 5506-x

Hoist Group
Level 1

Hi Guys,

I'm pretty new to Cisco and I'm setting up an ASA 5506-X for the first time.

I am not able to communicate between the sub-interfaces on my ASA. Everything else is working fine.

I have 3 sub interfaces:

1. VLAN 10 (10.0.10.1/24)

2. VLAN 50 (10.0.50.1/24)

3. VLAN 99 (10.0.99.1/24)

I started like this:

1. wr

2. conf factory-default

Then I added my VLANs and DHCP etc. Here is the complete config:

Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
terminal width 350
hostname fw01
enable password N7FecZuSHJlVZC2P encrypted
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 191.151.150.178 255.255.255.224
!
interface GigabitEthernet1/2
nameif cisco-mgmt
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2.10
vlan 10
nameif adm
security-level 100
ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet1/2.50
vlan 50
nameif guest
security-level 50
ip address 10.0.50.1 255.255.255.0
!
interface GigabitEthernet1/2.99
vlan 99
nameif mgmt
security-level 100
ip address 10.0.99.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu cisco-mgmt 1500
mtu mgmt 1500
mtu guest 1500
mtu adm 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 191.151.150.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 cisco-mgmt
http 10.0.99.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.99.0 255.255.255.0 mgmt
ssh timeout 5
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 cisco-mgmt
dhcpd enable cisco-mgmt
!
dhcpd address 10.0.99.100-10.0.99.200 mgmt
dhcpd dns 8.8.8.8 interface mgmt
dhcpd domain mgmt.local interface mgmt
dhcpd enable mgmt
!
dhcpd address 10.0.50.2-10.0.50.200 guest
dhcpd dns 8.8.8.8 interface guest
dhcpd domain guest.local interface guest
dhcpd enable guest
!
dhcpd address 10.0.10.12-10.0.10.200 adm
dhcpd dns 8.8.8.8 interface adm
dhcpd domain admin.local interface adm
dhcpd enable adm
!
dynamic-access-policy-record DfltAccessPolicy
username admin password ZtmwWxwfZJPPSOvr encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:63e65a7e865abf7d26504a4309f1fcbc
: end

Thanks!

12 Replies

Richard Burts
Hall of Fame

I do not see an obvious issue in the config that you posted. When I saw several interfaces at the same security level I wondered if that might be an issue but I see that you have both of the same-security-level commands. So that is not the issue. I wondered if it might be a NAT issue. But you are only doing NAT for traffic going through the outside interface. So that is not an issue.

Are devices in these subinterfaces able to access the Internet?

Would you post the output of show arp?

HTH

Rick

Hi Rick,

Thanks for your answer.

Yes, I am able to reach the Internet on the different sub-interfaces.

Here is the output of show arp:

fw01(config)# show arp

mgmt 10.0.99.101 406c.8f51.edc2 387
mgmt 10.0.99.100 406c.8f51.edc2 8237
adm 10.0.10.12 406c.8f51.edc2 117

Thanks for the additional information. It does verify that the interfaces and subinterfaces are working and that the default gateway of the hosts does get traffic to the ASA. And it does confirm that the ASA sees multiple devices in your network. But I notice something very strange that all of the devices inside the network seem to have exactly the same mac address of 406c.8f51.edc2. So perhaps we need to understand better what is connected to the ASA and to these devices.

HTH

Rick

That MAC address is my laptop. I have tried to connect to both the adm and mgmt VLANs.

Thanks for the clarification. If your laptop is the only device that the ASA sees do I assume that it is the only device active in the network? Or are there other devices that do not show up in the arp table?

If there is only a single device connected then communication between subinterfaces is not going to happen (who would it communicate with). If there are other devices but they do not show up in the arp table then we need to figure out what is causing this.

HTH

Rick

Rick,

I agree on this, but shouldn't I be able to ping the other interfaces? From VLAN 99 (10.0.99.1) I cannot ping the VLAN 10 (10.0.10.1) interface or the VLAN 50 (10.0.50.1) interface.

Actually the answer is that no you should not be able to ping the other vlan interfaces of the ASA. As part of its basic security policy the ASA does not allow ping from a device connected in one interface to the other interfaces of the ASA.

HTH

Rick

Ah, I did not know this. Thanks for clearing this up, Rick!

Just out of curiosity, is it possible to enable this?

As far as I know this policy can not be changed. I do not know of any config option that can change this behavior.

HTH

Rick
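The points in Rick's replies above (the two level-100 sub-interfaces need same-security-traffic permit inter-interface, NAT only applies to flows leaving outside, and the ASA will not answer a ping to a far-side interface address) can be made concrete against the posted config. What follows is an added example and not configuration from the original post: the guest_in ACL and RFC1918 object-group names are assumptions, the host addresses in the packet-tracer lines are taken from the DHCP pools and ARP table in the thread, and 198.51.100.10 is a documentation address standing in for an Internet server.

```cisco
! Added example, not part of the original post. Explicit policy for the
! three sub-interfaces in the posted config, then the checks to run
! instead of pinging a far-side interface address. The names guest_in and
! RFC1918 and the host addresses used below are assumptions.
!
! With the posted config and no access-groups, the ASA's default policy is:
!   adm (100) <-> mgmt (100)      allowed by "same-security-traffic permit inter-interface"
!   adm/mgmt (100) -> guest (50)  allowed (higher to lower)
!   guest (50) -> adm/mgmt (100)  denied (lower to higher, nothing permits it)
! So adm <-> mgmt forwarding is already there; the test that fails in the
! thread (pinging 10.0.10.1 from VLAN 99) is a to-the-box ping the ASA
! does not answer, not a routing problem.
!
! --- config mode: make the guest policy explicit ------------------------
! Without an ACL, guest isolation rests only on the relative level numbers.
! An explicit ACL keeps guest off the internal subnets even if someone
! later edits a security-level, and is what a reviewer will look for.
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
access-list guest_in extended deny ip 10.0.50.0 255.255.255.0 object-group RFC1918
access-list guest_in extended permit ip 10.0.50.0 255.255.255.0 any
access-group guest_in in interface guest
!
! Traffic addressed to the ASA itself (its DHCP server, pings to
! 10.0.50.1) is not filtered by access-group. Ping to an interface is
! governed by the icmp command; this stops guests probing the firewall.
icmp deny any guest
!
! --- exec mode: verify with packet-tracer, not with ping ----------------
! packet-tracer walks the real route, ACL, NAT and inspection decision for
! a host-to-host flow entering the named interface; the final "Action:"
! line of its output is the verdict.
!
! mgmt host to adm host: same level, inter-interface permitted, no NAT
! because neither side is the outside interface
packet-tracer input mgmt icmp 10.0.99.100 8 0 10.0.10.12
!
! guest host to adm host: should hit the deny line of guest_in
packet-tracer input guest icmp 10.0.50.10 8 0 10.0.10.12
!
! guest host to an Internet address: permitted, and translated to the
! outside interface address by the obj_any "nat (any,outside)" rule
packet-tracer input guest tcp 10.0.50.10 40000 198.51.100.10 443
!
! After a real test from the hosts, hit counts on the deny line confirm
! the ACL is doing the isolation, and show conn shows the adm/mgmt flow.
show access-list guest_in
show conn address 10.0.99.100
```

Run the packet-tracer lines from a host-to-host perspective (source and destination are both hosts behind the ASA); a trace whose destination is one of the ASA's own interface addresses does not exercise the through-the-box policy and will not reproduce what real clients see.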

Rick,

Thank you so much for your help!

You are quite welcome. I am glad that you got it figured out. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions that have helpful information. These forums are excellent places to learn about networking. I hope to see you continue to be active in the forums.

HTH

Rick

walenteano
Level 1

Hello Richard,

I really need your help on a certain configuration.

I tried deploying two FTD-2110 on my network.

After all configurations, a workstation connected to vlan85 whose gateway is patched on FTD_1 could not reach a workstation on vlan_10 whose gateway is patched on FTD_2.

Both FTDs are connected directly via cable.

Kindly help if I'm missing something.

Thanks
