Inter VLAN routing on an ASA5510

Hello everyone, and thank you in advance for your help.  I am having an issue where we are migrating from an ASA 5505 to an ASA 5510 and the software versions are quite different as well so they handle VLANs differently.  

The 5505 (SW Version 8.0(3)) config had an inside and outside interface, in which the inside interface had no IP address, but had access to VLAN 1, 201-202, 204, 207.  The only VLAN with an assigned IP was VLAN1, the others do not have an assigned IP.  Communication between VLANs worked on this device.

On the 5510 (SW Version 8.2(1)) config, I duplicated the configuration from the 5505 as best as I could given the differences in software.  The only thing that would not translate easily was the VLAN configuration, since they are treated completely differently on this device/software version.  What I ended up doing is using eth0/1 to create subinterfaces for each vlan, so that part of the config looks like so:

interface Ethernet0/1
speed 100
duplex full
no nameif
security-level 100
no ip address
!
interface Ethernet0/1.1
vlan 1
nameif inside
security-level 100
ip address 10.18.215.1 255.255.255.128
!
interface Ethernet0/1.201
vlan 201
nameif VLAN201
security-level 100
no ip address
!
interface Ethernet0/1.202
vlan 202
nameif VLAN202
security-level 100
no ip address
!
interface Ethernet0/1.204
vlan 204
nameif VLAN204
security-level 100
no ip address
!
interface Ethernet0/1.207
vlan 207
nameif VLAN207
security-level 100
no ip address

I also enabled traffic between two or more interfaces which are configured with the same security levels, and between two or more hosts connected to the same interface.  

I also set up all the appropriate NATs for the VLANs to communicate with each other and established routes that point exactly where the routes on the old 5505 ASA were pointed, and made sure that route was reachable from the device.  So in theory, it looks like I have all my ducks in a row.

My problem lies in the fact that I cannot communicate between VLANs.  When I test by plugging a laptop into a switch (properly configured with all VLANs et al....) and giving it an IP on the 204 VLAN, I cannot ping the device's IP on VLAN 1.  I try to do a packet capture on the ASA from VLAN 204 to VLAN 1 and it drops the packet at the implicit deny ACL on VLAN 204.  I'm at a loss here and was hoping someone could help me out.  I have attached my slightly redacted ASA 5510 configuration.  Thank you all in advance for your efforts!
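One check worth running against the interface section above: in routed mode an ASA only forwards traffic between interfaces that have an IP address, so a VLAN subinterface that has a nameif but "no ip address" cannot terminate or route its VLAN's traffic. The script below is an added example (not code from the thread or from Cisco) that parses an ASA interface section and lists the named subinterfaces that lack an IP; the embedded sample is an abridged copy of the poster's configuration (VLAN 202 and 207 blocks omitted, they mirror the 201 block). The parser only understands the handful of keywords shown in that section, which is an assumption for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Abridged copy of the interface section posted in the thread (VLAN 202 and
# 207 blocks left out; they look like the 201 block).
SAMPLE_CONFIG = """\
interface Ethernet0/1
 speed 100
 duplex full
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 10.18.215.1 255.255.255.128
!
interface Ethernet0/1.201
 vlan 201
 nameif VLAN201
 security-level 100
 no ip address
!
interface Ethernet0/1.204
 vlan 204
 nameif VLAN204
 security-level 100
 no ip address
"""


@dataclass
class Iface:
    name: str
    vlan: Optional[int] = None
    nameif: Optional[str] = None
    security_level: Optional[int] = None
    ip: Optional[Tuple[str, str]] = None  # (address, netmask)


def parse_interfaces(config: str) -> List[Iface]:
    """Collect one Iface per 'interface' block; '!' closes a block.

    Only the keywords seen in the posted section are recognised (assumption
    of this example); 'no nameif' / 'no ip address' simply leave None in place.
    """
    ifaces: List[Iface] = []
    cur: Optional[Iface] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Iface(name=line.split(None, 1)[1])
            ifaces.append(cur)
            continue
        if cur is None:
            continue
        if line == "!":
            cur = None
        elif (m := re.fullmatch(r"vlan (\d+)", line)):
            cur.vlan = int(m.group(1))
        elif (m := re.fullmatch(r"nameif (\S+)", line)):
            cur.nameif = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)):
            cur.security_level = int(m.group(1))
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            cur.ip = (m.group(1), m.group(2))
    return ifaces


def unroutable_subinterfaces(ifaces: List[Iface]) -> List[str]:
    """Nameifs of VLAN subinterfaces that carry no IP address.

    The parent physical port is skipped: with 'no nameif' it only carries the
    802.1Q subinterfaces and is not expected to have an address itself.
    """
    return [i.nameif for i in ifaces
            if i.nameif and i.vlan is not None and i.ip is None]


if __name__ == "__main__":
    for name in unroutable_subinterfaces(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{name}: nameif set but no ip address; cannot route this VLAN")
```

Run as-is it reports VLAN201 and VLAN204 for the abridged sample; against the full posted section it would also list VLAN202 and VLAN207. "inside" is not reported because it has 10.18.215.1/25, and the parent Ethernet0/1 is not reported because it has no nameif.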

1 Reply

Jon Marshall
Hall of Fame