Intervaln Routing On ASA 5505!!!!!!

abhishek.shah · ‎04-21-2011

Hi there,

I have Cisco ASA 5505 Firewall with security plus license. I want to Configure 3 different subnet for inside network 10.1.x.x, 10.2.x.x and 10.3.x.x

So any PC from 10.1.x.x should be able to ping 10.2.x.x So my question is that possible with ASA??

If yes than how can i configure on ASA 5505, as i know on 5510 we can configure sub interface and do intervlan routing.

Shrikant Sundaresh · ‎04-21-2011

Hi Abhishek,

As you are already aware, it is not possible to configure subinterfaces on the 5505.

However, I did notice that in the "show version" output of a 5505 running 8.4, there is a field called "Vlan trunking" which is disabled in the base license. Unfortunately I am unaware of a new license has been introduced in 8.4.

The advantage in the 5505 is that it has 8 ports already. So maybe you can have three wires from the switch to the ASA, one for each vlan, and can configure routing between these interfaces.

IF you give all interfaces same security level, then keep in mind the following:

1. You need to have same-security-traffic permit inter-interface

2. If NAT is configured for the VLANs to go out to the internet, then you will have to configure NAT exempt for the intervlan communication. Else it will drop the packet, as no matching global was found. (Alternately you can PAT intervlan traffic to the destination VLAN's interface).

Hope this helps.

-Shrikant

P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.

abhishek.shah · ‎04-21-2011

Thanks for Reply,

I configure 3 VLANS for different network, and Configure each port as a trunk port. Below is the configuration

interface Vlan1
nameif inside
security-level 100
ip address 10.11.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.248
!
interface Vlan3
shutdown
nameif dmz
security-level 50
ip address 192.168.25.254 255.255.255.0
management-only
!
interface Vlan10
nameif LAB
security-level 100
ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,10
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

Do i missing something for inter vlan routing?? From firewall i am not able to ping any of my inside IP..

Shrikant Sundaresh · ‎04-21-2011

Hey Abhishek,

I have never experimented with trunk ports on 5505. But we can check for the usual things:

1. Check the routing table "show route"

2. Try pinging an SVI on the switch (if possible).

3. Run "debug icmp trace 255" and then try pinging one of the inside PCs. ("un all" to stop the debug)

4. Run a capture on the interface, to see if icmp request packet is even leaving the ASA.

5. Disable firewall on PC incase it is blocking Pings.

6. run wireshark on PC to check if it is getting icmp request.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

abhishek.shah · ‎04-24-2011

No worry,

I got it finally. I enable routing on ASA now my each VLAN can talk to each other.