07-27-2010 08:09 AM - edited 03-11-2019 11:16 AM
Hi there,
I am a complete novice at networking, but I was tasked to have an ASA 5520 do inter VLAN routing (since my shop doesn't have a layer 3 router).
As a basic setup, I am trying to have three workstations on three different VLANs communicate with each other. The attached screenshot shows the topology.
I am unable to ping from a PC to the ASA...therefore I can't ping to other VLANs. Any assistance would be greatly appreciated.
ROUTER CONFIG:
ciscoasa#
ciscoasa# show run
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name null
enable password ###### encrypted
passwd ###### encrypted
names
dns-guard
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/1.10
vlan 10
nameif vlan10
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
vlan 20
nameif vlan20
security-level 100
ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
vlan 30
nameif vlan30
security-level 100
ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name null
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu vlan10 1500
mtu vlan20 1500
mtu vlan30 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.5 inside
dhcpd enable inside
!
dhcpd address 10.10.10.101-10.10.10.253 vlan10
dhcpd enable vlan10
!
dhcpd address 10.10.20.101-10.10.20.253 vlan20
dhcpd enable vlan20
!
dhcpd address 10.10.30.101-10.10.30.253 vlan30
dhcpd enable vlan30
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4ad1bba72f1f51b2a47e8cacb9d3606a
: end
SWITCH CONFIG
Switch#show run
Building configuration...
Current configuration : 2543 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet0/1
description Port Configured As Trunk
switchport trunk allowed vlan 1,10,20,30,1002-1005
switchport mode trunk
!
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface GigabitEthernet0/29
!
interface GigabitEthernet0/30
!
interface GigabitEthernet0/31
!
interface GigabitEthernet0/32
!
interface GigabitEthernet0/33
!
interface GigabitEthernet0/34
!
interface GigabitEthernet0/35
!
interface GigabitEthernet0/36
!
interface GigabitEthernet0/37
!
interface GigabitEthernet0/38
!
interface GigabitEthernet0/39
!
interface GigabitEthernet0/40
!
interface GigabitEthernet0/41
!
interface GigabitEthernet0/42
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
!
interface Vlan1
ip address 10.10.1.2 255.255.255.0
no ip route-cache
!
interface Vlan10
no ip address
no ip route-cache
!
interface Vlan20
no ip address
no ip route-cache
!
interface Vlan30
no ip address
no ip route-cache
!
ip default-gateway 10.10.1.1
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
line vty 5 15
!
end
Solved! Go to Solution.
08-31-2012 04:54 AM
HI,
I am trying to configure inter-vlan routing on ASA 5510 with 2960.but its not working.can anyone help me wit this.
Please find the below config:
Firewall ASA 5510:
sh run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/1
nameif vlan1
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1.1
vlan 2
nameif vlan2
security-level 100
ip address 10.1.2.1 255.255.255.0
!
<--- More --->
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network vlan1
network-object 10.1.1.0 255.255.255.0
object-group network vlan2
network-object 10.1.2.0 255.255.255.0
<--- More --->
access-list vlan1 extended permit icmp any any
access-list vlan1 extended permit ip any any
access-list vlan2 extended permit icmp any any
access-list vlan2 extended permit ip any any
access-list outside extended permit icmp any any
pager lines 24
mtu outside 1500
mtu vlan1 1500
mtu vlan2 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
<--- More --->
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
<--- More --->
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
<--- More --->
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:52f97ea946ae6539626539485aa7493a
2960 Switch config:
sh run
Building configuration...
Current configuration : 3207 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
enable password password
!
!
!
no aaa new-model
!
!
!
!
--More-- crypto pki trustpoint TP-self-signed-3216298752
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3216298752
revocation-check none
rsakeypair TP-self-signed-3216298752
!
!
crypto pki certificate chain TP-self-signed-3216298752
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323136 32393837 3532301E 170D3933 30333031 30303031
34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32313632
39383735 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C41D F4CC20D6 16C14D35 8FF8AF2D CB7E7C0D A29491DA 5482730D 65DBBE02
FE7C16D3 6D24FB70 40727A68 2DF92EFE 3AF26447 3709DBE7 EF94B099 D7410E3A
7063C7A1 071B39C9 D4900935 306C374F 9EE7A8E4 019C63FE 8DB31445 9CC4F75D
BC9A281A 393FE6DB 0F5BF397 4FEB9B97 65A2B627 BDD9E46B 4A0817D0 35B38DB8
B0150203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
551D1104 0B300982 07537769 7463682E 301F0603 551D2304 18301680 14B2C440
43B407D0 4105B120 F2EADF80 A4E001A2 35301D06 03551D0E 04160414 B2C44043
B407D041 05B120F2 EADF80A4 E001A235 300D0609 2A864886 F70D0101 04050003
--More-- 818100AA A8E187B7 77B10879 8B105B2F 5370D0B0 78233E54 533DA505 20694301
C04D082E 07287DA7 C937B9C6 5360F92D 33C24B49 51179E2F 92435808 79147AA1
EDDDC80B 04DE9C52 8A720DA8 E3CD277F E0BF3B2C A0091995 013D769D 634FDEE6
E67CA6D1 A155C269 F43F4F74 682755BC 7ABC324F D850DB1C 67018B51 29B0327D 816B77
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet0/1
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 2
switchport mode access
--More-- !
interface GigabitEthernet0/3
switchport mode trunk
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
--More-- !
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
--More-- interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface Vlan1
ip address 10.1.1.2 255.255.255.0
!
interface Vlan2
no ip address
!
ip default-gateway 10.1.1.1
ip http server
ip http secure-server
!
line con 0
line vty 0 4
password password
login
line vty 5 15
password password
login
!
end
--More--
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: