cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
31668
Views
5
Helpful
18
Replies

Inter-VLAN routing on an ASA 5505 (9.1)

Austin Rivet
Level 1
Level 1

Hi,

I am trying to setup inter-VLAN routing on an ASA 5505 so that my Server VLAN can talk to my Data VLAN. Both VLANs/subnets will need to be able to reach the Internet (at least until I get VPNs working so that I can remote into my server VLAN, then I will close off Internet connectivity to the servers). Currently I have dynamic NAT setup from my data VLAN and Internet is coming through just fine.

Servers will be on VLAN 3 (subnet 10.0.1.0/24), and Data will be VLAN 11 (10.10.11.0/24). I would like the default gateway to be set as 10.0.1.2 for the Server VLAN since that is how it is statically configured on each of my servers.

What do I need to do to get my VLANs talking internally? Is it a matter of simply configuring SVI's for each VLAN, and then setting each SVI as the default gateway for that VLAN/subnet, or is it more involved than that?

I have experience configuring inter-VLAN routing on 3560 (switches), but am new to the ASA platform, so any help with this would be greatly appreciated.

Thanks!

Austin

18 Replies 18

Could you post the new config?  It is very possible that there is an issue with the hardware.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Below is the new config. Note that I have changed NAT to use the default obj_any object to NAT the inside subnet. Also note that I haven't modified the ACL's in any way. I simply used the IPSEC Remote Access VPN Wizard to setup the VPN.

Later on I discovered that I was able to connect to my management host (10.0.1.1) over the VPN via VNC, but I could not ping to my mangement host. I could also see logs coming in saying that ICMP was being built and torn down from my VPN client to my management host. This led me to believe that packets were getting to the host, but not coming back from the host. After disabling the Windows 7 firewall and adding ICMP to the global policy I was able to get pings to my management host. I cannot believe I overlooked such a simple detail.

For anyone readin this that is experiencing issues pinging between VLANs or over a VPN, start simple; turn Windows firewall off and issue;

policy-map global_policy

class inspection_default

  inspect icmp


I am fairly certain that this was the problem all along when I was having touble pinging between VLANs.

Thanks so much for your help Marius!

ASA Version 9.1(2)

!

hostname cs-lan-fw

domain-name default.domain.invalid

enable password eDNDD7lBLzSPpYwe encrypted

passwd eDNDD7lBLzSPpYwe encrypted

names

ip local pool CS-Lans-RA 192.168.255.1-192.168.255.30 mask 255.255.255.224

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.1.2 255.255.255.0

!

interface Vlan2

description WAN (outside) interface

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240

!

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 208.67.222.222

name-server 75.75.75.75

domain-name default.domain.invalid

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network VNC

host 10.0.1.1

description VNC Host (FW Monitor)

object service TCP_5900

service tcp source eq 5900

description Port for VNC

object network NETWORK_OBJ_10.0.1.0_24

subnet 10.0.1.0 255.255.255.0

object network NETWORK_OBJ_192.168.255.0_27

subnet 192.168.255.0 255.255.255.224

object-group service Internet-udp udp

port-object eq domain

port-object eq ntp

object-group service Internet-tcp tcp

port-object eq www

port-object eq https

port-object eq domain

access-list INSIDE_INT remark -=[Allow outgoing TCP/UDP services from the Inside]=-

access-list INSIDE_INT extended permit udp 10.0.1.0 255.255.255.0 any object-group Internet-udp

access-list INSIDE_INT extended permit tcp 10.0.1.0 255.255.255.0 any object-group Internet-tcp

access-list OUTSIDE_INT extended permit tcp any host 10.0.1.1 eq 5900

access-list CS-Lans-RA_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static VNC interface service TCP_5900 TCP_5900

nat (inside,outside) source static NETWORK_OBJ_10.0.1.0_24 NETWORK_OBJ_10.0.1.0_24 destination static NETWORK_OBJ_192.168.255.0_27 NETWORK_OBJ_192.168.255.0_27 no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

access-group INSIDE_INT in interface inside

access-group OUTSIDE_INT in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.0.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 10.0.1.0 255.255.255.0 inside

telnet timeout 60

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 10.0.1.50-10.0.1.100 inside

dhcpd dns 8.8.8.8 208.67.222.222 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

group-policy CS-Lans-RA internal

group-policy CS-Lans-RA attributes

dns-server value 8.8.8.8 208.67.222.222

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value CS-Lans-RA_splitTunnelAcl

default-domain value default.domain.invalid

username user password wwmM/Ms2vq88kRD4 encrypted privilege 15

tunnel-group CS-Lans-RA type remote-access

tunnel-group CS-Lans-RA general-attributes

address-pool CS-Lans-RA

default-group-policy CS-Lans-RA

tunnel-group CS-Lans-RA ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:85d0344b0f8d82b5eaa1a2f2d9cc1a57

: end

Yes, windows firewall can make it seem that things aren't working if you test using ping.

So, do you need still assistance with anything else?

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

 

Hi All,

 

I have the same problem with ASA 5512x Version 9.1(2)

 

I can´t ping between vlans.

 

I have a switch connected to ASA (trunk link) and a PC connected to Switch in fa0/3 (vla 10), i need to ping to vlan 20 in ASA, but not works.

 

See the attach configuration.

 

Thanks.

 

Review Cisco Networking for a $25 gift card