11-02-2013 01:26 AM - edited 03-11-2019 07:59 PM
My problem is as follows:
I have two ASA 5505 devices, and I would like to configure routing between them. I'm not sure if it's possible, given that ASAs are not routers.
On the first ASA I will configure VLAN 1 and VLAN 5, and on the second I will configure VLAN 1 and VLAN 6. The two ASAs are going to be connected using VLAN 1; then, for simplicity, I will configure a routing protocol such as RIP.
My basic configuration is as follows:
asa1#
    interface vlan 1
        ip address 192.168.1.1 255.255.255.0
        nameif vlan1
        no shutdown
        exit
    interface e0/0
        switchport access vlan 1
        no shutdown
        exit
    interface vlan 5
        ip address 192.168.2.1 255.255.255.0
        nameif vlan5
        no shutdown
    interface e0/5
        switchport access vlan 5
        no shutdown
        exit
    router rip
        version 2
        network 192.168.1.0
        network 192.168.2.0
        exit
    write memory
On the second ASA:
asa2#
    interface vlan 1
        ip address 192.168.1.1 255.255.255.0
        nameif vlan1
        no shutdown
        exit
    interface e0/0
        switchport access vlan 1
        no shutdown
        exit
    interface vlan 6
        ip address 192.168.3.1 255.255.255.0
        nameif vlan6
        no shutdown
    interface e0/5
        switchport access vlan 6
        no shutdown
        exit
    router rip
        version 2
        network 192.168.1.0
        network 192.168.3.0
        exit
    write memory
Next I connected two PCs, one to VLAN 5 and another to VLAN 6, and configured them with the appropriate IP address and gateway.
Routing simply doesn't work. I believe the problem is that my ASA license doesn't support port trunk mode, or simply that ASAs aren't routers.
Any feedback would be appreciated.
11-02-2013 03:39 AM
You have the same IP on both ASAs on VLAN 1; maybe that is just a typo. You need Security Plus to do trunking, but you are not doing that here. Have you verified connectivity between the ASAs?
Can the clients ping the GW? Can the ASAs ping each other? Do you see any RIP routes on the ASAs?
Daniel Dib
CCIE #37149
11-02-2013 03:52 AM
Hi,
The same IP on VLAN 1 is just a typo. The ASAs can ping each other, and the RIP route exists, but when I try to use OSPF instead, OSPF is not shown in the routing table. The PCs can ping the gateway. Trunking is not supported by the IOS: every time I try to set e0/0 to trunk mode, the ASA writes that trunking is not supported by your license.
Thanks for the fast reply.
11-02-2013 06:58 AM
On each ASA, you have e0/0 configured in access mode:
    interface e0/0
        switchport access vlan 1
        no shutdown
On ASA1, you have an interface for VLAN 1 and VLAN 5. On ASA2, you have an interface for VLAN 1 and VLAN 6.
Now, when you say that the ASAs can ping each other, I'm assuming this is working when pinging the VLAN 1 interface with a ping sourced from VLAN 1?
Because, from the above configuration, you only have one physical port configured as an access port on each ASA, and not a trunk, you should only have traffic for VLAN 1.
How many VLANs need to have connectivity to this, and how many physical interfaces do you have on the ASA?
11-02-2013 07:50 AM
I'm doing this setup in a test environment only. I would like VLAN 5 to ping VLAN 6 and vice versa. My main problem is that the IOS doesn't allow me to configure e0/0 as a trunk, due to the license, so I'm trying to find another way to ping VLAN 5 from VLAN 6.
Thanks for the info.
11-03-2013 01:10 AM
You could try using packet-tracer to see if it says the packet should be forwarded, and you could also capture packets to see if packets from the clients reach the other side. What are your security settings?
Daniel Dib
CCIE #37149
11-03-2013 11:20 PM
Security levels on the VLANs are set to 0 and the firewall is set to transparent.
11-02-2013 08:08 AM
11-04-2013 12:35 AM
I would start by hardcoding the security levels on the interfaces: set VLANs 5 and 6 to 100 and VLAN 1 to 0.
Depending on the ASA version you are running, you might need to add the no nat-control command to bypass the NAT requirement. If you are running a version that is 8.3 or higher, this is not needed. Even some minor versions in the 8.2 range don't need it.
You will also need to add access lists to the VLAN 1 interfaces on both ASAs that allow traffic to pass to your test PCs.
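The steps in the reply above, written out as one ASA1 configuration. This is an added example, not a config posted in the thread; it assumes routed mode (RIP only works there), ASA2 using 192.168.1.2 on VLAN 1 (the thread confirms the duplicate 192.168.1.1 was a typo), and that ASA2 mirrors this with vlan6 / 192.168.3.0/24 and the ACL source and destination swapped. With every interface left at security-level 0, inter-interface traffic is dropped by default unless same-security-traffic permit inter-interface is configured, which is why the reply hardcodes 100 and 0.

```cisco
! ASA1 (added example). Higher security level = more trusted side.
interface Vlan1
 nameif vlan1
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan5
 nameif vlan5
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/5
 switchport access vlan 5
 no shutdown
!
! Only for releases before 8.3 that still enforce nat-control; no effect otherwise.
no nat-control
!
! vlan5 (100) -> vlan1 (0) is permitted by default and the reply traffic is
! tracked statefully. Traffic initiated from the far PC arrives on vlan1 (0)
! headed for vlan5 (100), so it needs an explicit permit. Keep it to the two
! test subnets rather than "permit ip any any".
access-list VLAN1_IN extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group VLAN1_IN in interface vlan1
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.2.0
!
! Checks after applying: "show route" should list 192.168.3.0/24 as an R route via
! 192.168.1.2, and "show access-list VLAN1_IN" hit counts should increase when the
! VLAN 6 PC pings 192.168.2.x. "packet-tracer input vlan1 icmp 192.168.3.10 8 0
! 192.168.2.10" walks the same path and names the stage that drops the packet.
```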