Routing VLAN's internally on ASA 5510

psprscisco
Level 1

I am currently in pre-production on a firewall and running into some areas where the configuration is beyond my skill level.  We have 3 vlans (DATA, VoIP, ISCSI) and need to have the ability to go back and forth between these vlans freely.

Upon researching a bit I came up with the following configurations required in order to make this inter-vlan routing work (8.2 firmware on ASA 5510):

static (Inside,ISCSI) Inside-DATA Inside-ISCSI netmask 255.255.0.0
static (Inside,VOIP) Inside-DATA Inside-VoIP netmask 255.255.0.0
static (ISCSI,Inside) Inside-ISCSI Inside-DATA netmask 255.255.0.0
static (VOIP,Inside) Inside-VoIP Inside-DATA netmask 255.255.0.0
global (Outside) 1 interface
nat (Inside) 1 Inside-DATA 255.255.0.0
nat (VOIP) 1 Inside-VoIP 255.255.0.0
nat (ISCSI) 1 Inside-ISCSI 255.255.0.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Upon updating to 9.1, I was lucky enough to get a spate of these:

The following 'nat' command didn't have a matching 'global' rule on interface 'Inside' and was not migrated.
nat (Inside) 1 Inside-DATA 255.255.0.0

The following 'nat' command didn't have a matching 'global' rule on interface 'VOIP' and was not migrated.
nat (Inside) 1 Inside-DATA 255.255.0.0

The following 'nat' command didn't have a matching 'global' rule on interface 'ISCSI' and was not migrated.
nat (Inside) 1 Inside-DATA 255.255.0.0

The following 'nat' command didn't have a matching 'global' rule on interface 'Inside' and was not migrated.
nat (VOIP) 1 Inside-VoIP 255.255.0.0

The following 'nat' command didn't have a matching 'global' rule on interface 'VOIP' and was not migrated.
nat (VOIP) 1 Inside-VoIP 255.255.0.0

The following 'nat' command didn't have a matching 'global' rule on interface 'ISCSI' and was not migrated.
nat (VOIP) 1 Inside-VoIP 255.255.0.0

I do not know what it will take to get the inter-vlan routing working.  Attached is my config minus some of the confidential info.

Accepted Solutions

You don't need to specify any NAT-rules if you don't need to nat.

So I would remove all nat-rules that don't have an (xxx, outside) in the rule. Without these rules you can route through your vlans. You still need ACLs on these interfaces to allow traffic.

And please don't attach your config as a Word file. A plain text file is better to handle.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

4 Replies

I replaced the Word document with an updated text document.  Removed the NAT rules and put in ACLs:

object-group network AllVLANS
network-object Inside-ISCSI 255.255.0.0
network-object Inside-VoIP 255.255.0.0
access-list VOIP_access_in extended permit ip 10.5.0.0 255.255.0.0 10.8.0.0 255.255.0.0
access-list Inside_access_in extended permit ip object-group AllVLANS 10.5.0.0 255.255.0.0
access-list ISCSI_access_in extended permit ip 10.5.0.0 255.255.0.0 object Inside-ISCSI-01

So this along with same-security-traffic permit inter-interface should allow the "Inside 10.5.0.0" vlan to access the ISCSI and VOIP networks?

Thanks for the help, greatly appreciated by this Cisco padawan.

I think you screwed up your ACLs ...

The source is the network that is sitting on a specific interface, the destinations are the other networks. With that you need the following ACLs:

access-list Inside_access_in extended permit ip 10.5.0.0 255.255.0.0   object-group AllVLANS
access-list VOIP_access_in   extended permit ip 10.8.0.0 255.255.0.0   10.5.0.0 255.255.0.0
access-list ISCSI_access_in  extended permit ip object Inside-ISCSI-01 10.5.0.0 255.255.0.0

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
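The direction rule in the reply above (an inbound ACL on an interface must use that interface's own network as the source) can be checked mechanically before a config is pushed. The script below is an added example, not code from the thread or from Cisco; it assumes the ISCSI subnet is 10.7.0.0/16 and assumes the contents of the named objects, since the thread does not state them.

```python
import ipaddress
import re
# Interface -> connected network. Inside 10.5.0.0/16 and VOIP 10.8.0.0/16 come
# from the thread; the ISCSI subnet and the object contents are assumed values.
NET = ipaddress.ip_network
INTERFACE_NETS = {"Inside": NET("10.5.0.0/16"), "VOIP": NET("10.8.0.0/16"),
                  "ISCSI": NET("10.7.0.0/16")}  # ISCSI assumed
OBJECTS = {"Inside-ISCSI-01": [NET("10.7.0.0/16")],  # assumed contents
           "AllVLANS": [NET("10.7.0.0/16"), NET("10.8.0.0/16")]}
ACL_RE = re.compile(r"access-list\s+(\S+)_access_in\s+extended\s+permit\s+ip\s+(.+)$")

def take_endpoint(tokens):
    """Consume one ACL endpoint: object/object-group NAME, any, host A, or A MASK."""
    kind = tokens[0]
    if kind in ("object", "object-group"):
        return OBJECTS[tokens[1]], tokens[2:]
    if kind == "any":
        return [NET("0.0.0.0/0")], tokens[1:]
    if kind == "host":
        return [NET(tokens[1] + "/32")], tokens[2:]
    return [NET(f"{tokens[0]}/{tokens[1]}")], tokens[2:]  # "A.B.C.D MASK"

def check_inbound_acls(config_lines):
    """One finding per <iface>_access_in entry whose source is not the network
    connected to <iface>: an inbound ACL sees traffic arriving on that interface,
    so its source must be the local VLAN and the other VLANs are destinations."""
    findings = []
    for line in config_lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        iface, tokens = m.group(1), m.group(2).split()
        src, rest = take_endpoint(tokens)
        take_endpoint(rest)  # destination: parsed only so a malformed line fails loudly
        local = INTERFACE_NETS[iface]
        bad = [str(n) for n in src if n.prefixlen and not n.subnet_of(local)]
        if bad:
            findings.append(f"{iface}_access_in: source {', '.join(bad)} is not on "
                            f"{iface} ({local}); source and destination look swapped")
    return findings

# Constructed input: the reversed ACLs posted in the thread and the corrected set.
REVERSED = [
    "access-list VOIP_access_in extended permit ip 10.5.0.0 255.255.0.0 10.8.0.0 255.255.0.0",
    "access-list Inside_access_in extended permit ip object-group AllVLANS 10.5.0.0 255.255.0.0",
    "access-list ISCSI_access_in extended permit ip 10.5.0.0 255.255.0.0 object Inside-ISCSI-01"]
CORRECTED = [
    "access-list Inside_access_in extended permit ip 10.5.0.0 255.255.0.0 object-group AllVLANS",
    "access-list VOIP_access_in extended permit ip 10.8.0.0 255.255.0.0 10.5.0.0 255.255.0.0",
    "access-list ISCSI_access_in extended permit ip object Inside-ISCSI-01 10.5.0.0 255.255.0.0"]
```

Running `check_inbound_acls(REVERSED)` flags all three of the original entries, while the corrected set produces no findings.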

Makes perfect sense.  Thanks for the help!
