587 Views | 0 Helpful | 8 Replies

Routing on two ASA 5505

nadertripoli
Level 1

My problem is as follows.

I have 2 ASA 5505 devices, and I would like to configure routing between them. I'm not sure if it's possible, given that ASAs are not routers.

On the first ASA I will configure VLAN 1 and VLAN 5, and on the second I will configure VLAN 1 and VLAN 6. The two ASAs are going to be connected using VLAN 1; then, for simplicity, I will configure a routing protocol such as RIP.

My basic configuration is as follows:

! ASA1 (abbreviations from the original post expanded; "!" lines are comments)
! Note: no security-level is set, so nameif leaves each interface at the
! default of 0 (the ASA only assigns 100 automatically to the name "inside").
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 nameif vlan1
 no shutdown
 exit
! e0/0 is the inter-ASA link, an access port in VLAN 1 (no trunk needed)
interface ethernet 0/0
 switchport access vlan 1
 no shutdown
 exit
interface vlan 5
 ip address 192.168.2.1 255.255.255.0
 nameif vlan5
 no shutdown
! e0/5 is the test-PC port in VLAN 5
interface ethernet 0/5
 switchport access vlan 5
 no shutdown
 exit
router rip
 version 2
 network 192.168.1.0
 network 192.168.2.0
 exit
write memory

On the second ASA:

! ASA2 (abbreviations from the original post expanded; "!" lines are comments)
! The post gave VLAN 1 the address 192.168.1.1 here as well, which duplicates
! ASA1; the OP confirms below that this was a typo. 192.168.1.2 is an assumed
! replacement so the two VLAN 1 addresses are distinct.
interface vlan 1
 ip address 192.168.1.2 255.255.255.0
 nameif vlan1
 no shutdown
 exit
! e0/0 is the inter-ASA link, an access port in VLAN 1
interface ethernet 0/0
 switchport access vlan 1
 no shutdown
 exit
interface vlan 6
 ip address 192.168.3.1 255.255.255.0
 nameif vlan6
 no shutdown
! e0/5 is the test-PC port in VLAN 6
interface ethernet 0/5
 switchport access vlan 6
 no shutdown
 exit
router rip
 version 2
 network 192.168.1.0
 network 192.168.3.0
 exit
write memory

Next I connected two PCs, one to VLAN 5 and another to VLAN 6, and configured them with the appropriate IP address and gateway.

Routing simply doesn't work. I believe the problem is that my ASA license doesn't support port trunk mode, or simply that ASAs aren't routers.

Any feedback would be appreciated.

8 Replies

daniel.dib
Level 7

You have the same IP on both ASAs on VLAN 1; maybe that is just a typo. You need Security Plus to do trunking, but you are not doing that here. Have you verified connectivity between the ASAs?

Can the clients ping the GW? Can the ASAs ping each other? Do you see any RIP routes on the ASAs?

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.

Hi,

The same IP on VLAN 1 is just a typo. The ASAs can ping each other and RIP routes exist, but when I try to use OSPF instead, OSPF is not shown in the routing table. The PCs can ping the gateway. Trunking is not supported by the IOS: every time I try to set e0/0 to trunk mode, the ASA writes that trunking is not supported by your license.

Thanks for the fast reply.

On each ASA, you have e0/0 configured in access mode:

interface ethernet 0/0
 switchport access vlan 1
 no shutdown

On ASA1, you have an interface for VLAN 1 and VLAN 5. On ASA2, you have an interface for VLAN 1 and VLAN 6.

Now, when you say that the ASAs can ping each other, I'm assuming this is working when pinging the VLAN 1 interface with a ping sourced from VLAN 1?

Because you only have one physical port configured as an access port on each ASA, from the above configuration, and not a trunk, you should only have traffic for VLAN 1.

How many VLANs need to have connectivity to this, and how many physical interfaces do you have on the ASA?

I'm doing this setup in a test environment only. I would like VLAN 5 to ping VLAN 6 and vice versa. My main problem is that the IOS doesn't allow me to configure e0/0 as a trunk, due to the license, so I'm trying to find another way to ping VLAN 5 from VLAN 6.

Thanks for the info.

You could try using packet-tracer to see whether it says the packet should be forwarded, and you could also capture packets to see whether packets from the clients reach the other side. What are your security settings?

Daniel Dib
CCIE #37149
CCDE #20160011
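The following is an added example of the checks suggested in the reply above; it is not part of the original thread. It uses the thread's subnets (192.168.2.0/24 behind ASA1's vlan5, 192.168.3.0/24 behind ASA2's vlan6) and assumes test PCs at 192.168.2.10 and 192.168.3.10, addresses that do not appear in the post. Run on ASA1; the mirror image applies on ASA2.

```cisco
! Added example, not from the original post. Host addresses .10 are assumed.
!
! 1. Confirm RIP actually installed a route to the far side (a RIP-learned
!    192.168.3.0/24 via 192.168.1.2 should appear, tagged "R").
asa1# show route
asa1# show route rip
!
! 2. Simulate the VLAN 5 PC pinging the VLAN 6 PC. packet-tracer walks every
!    phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) and finishes with
!    "Action: allow" or "Action: drop" plus the dropping phase, which is far
!    more useful than a silent ping failure. Syntax for ICMP is
!    <type> <code> after the source address; 8 0 is echo request.
asa1# packet-tracer input vlan5 icmp 192.168.2.10 8 0 192.168.3.10
!
! 3. Simulate the reverse direction arriving on vlan1, the low-security-level
!    side; this is the direction that fails without an ACL on vlan1.
asa1# packet-tracer input vlan1 icmp 192.168.3.10 8 0 192.168.2.10
!
! 4. Capture on the inter-ASA link while the PC pings, to see whether the
!    echo requests leave ASA1 and whether replies ever come back.
asa1# capture CAP interface vlan1 match ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
asa1# show capture CAP
asa1# no capture CAP
!
! 5. If packet-tracer says allow but the capture shows nothing returning,
!    the drop counters name the reason (acl-drop, no-route, nat-no-xlate...).
asa1# show asp drop
```

If step 2 already reports a drop, read the "Drop-reason" line before changing anything; it usually points at exactly one of the three fixes discussed later in the thread (security level, NAT requirement, or a missing access list).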

Security levels on the VLANs are set to 0 and the firewall is set to transparent.

paolo bevilacqua
Hall of Fame

Wrong forum, post in "Security - Firewalling". You can move your posting with the Actions panel on the right.

I would start by hardcoding the security levels on the interfaces: set VLANs 5 and 6 to 100 and VLAN 1 to 0.

Depending on the ASA version you are running, you might need to add the no nat-control command to bypass the NAT requirement. If you are running version 8.3 or higher this is not needed; even some minor versions in the 8.2 range don't need it.

You will also need to add access lists to the VLAN 1 interfaces on both ASAs that allow traffic to pass to your test PCs.

--
Please remember to select a correct answer and rate helpful posts
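Putting the advice in this thread into one configuration, as an added example that is not code from any poster: ASA1 with the security levels, NAT handling and VLAN 1 access list described above. It assumes routed mode (a transparent-mode ASA bridges between its interfaces and does not run RIP or route between them, so the OP's transparent setting has to go), assumes 192.168.1.2 for ASA2's VLAN 1 address (the OP's post has a typo there) and assumes test PCs at 192.168.2.10 and 192.168.3.10. ASA2 is the mirror image with vlan6, 192.168.3.0/24 and 192.168.1.2.

```cisco
! Added example, not from the original thread. Host addresses .10 and ASA2's
! 192.168.1.2 are assumed values.
!
! Routed mode is required for inter-VLAN routing and RIP. Changing mode
! clears the running configuration, so do this first on a lab box.
no firewall transparent
!
interface Vlan1
 nameif vlan1
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan5
 nameif vlan5
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! Pre-8.3 only: without this, traffic crossing the ASA needs a NAT or NAT
! exemption rule. Omit the line on 8.3 and later, where it is not accepted.
no nat-control
!
! Default behaviour allows vlan5 (100) -> vlan1 (0). The reverse, the VLAN 6
! PC behind ASA2 reaching the VLAN 5 PC, arrives on vlan1 and is denied until
! an ACL permits it. Permit only echo requests; replies are matched by the
! ICMP inspection below rather than by a broad "permit ip".
access-list VLAN1_IN extended permit icmp 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0 echo
access-group VLAN1_IN in interface vlan1
!
! Without ICMP inspection the ASA does not track echo request/reply as a
! connection, so replies returning on vlan1 would be dropped even though the
! request was allowed out.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! RIP exactly as in the question, now on interfaces that can route.
router rip
 version 2
 network 192.168.1.0
 network 192.168.2.0
!
write memory
```

Had the interfaces been left at the OP's original setting of 0 on both sides, the ASA would additionally need same-security-traffic permit inter-interface before it forwards between them; giving the PC VLANs 100 and the link VLAN 0, as suggested above, avoids that and keeps the only explicit permit on the untrusted side.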