09-21-2011 01:36 PM - edited 02-21-2020 04:27 AM
I have the following problem: I am configuring an ASA 5510 on which I have assigned VLAN subinterfaces to a physical interface; this device is connected to a switch and from there to a couple more switches.
When I ping from an end device to the logical interface of the ASA in its respective VLAN, there is connectivity. However, when I ping from end devices that are in a different VLAN, there is no connection.
What can I do? What can I check?
I include the configuration of the ASA:
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.100
description CONEXION VLAN1
vlan 100
nameif inside1
security-level 100
ip address 192.168.0.193 255.255.255.224
!
interface Ethernet0/1.200
description CONEXION VLAN2
vlan 200
nameif inside2
security-level 80
ip address 192.168.0.62 255.255.255.192
!
interface Ethernet0/1.300
description CONEXION VLAN3
vlan 300
nameif inside3
security-level 90
ip address 192.168.0.94 255.255.255.224
!
interface Ethernet0/1.400
description CONEXION VLAN4
vlan 400
nameif inside4
security-level 100
ip address 192.168.0.158 255.255.255.224
!
interface Ethernet0/1.500
description CONEXION VLAN5
vlan 500
nameif inside5
security-level 100
ip address 192.168.0.190 255.255.255.224
!
same-security-traffic permit inter-interface
Thanks for your help
09-21-2011 05:27 PM
Hello Francisco,
First of all, have you configured inspect ICMP?
If not here are the commands:
policy-map global_policy
class inspection_default
inspect icmp
Now, as I can see in your configuration, there are some VLANs with a lower security level than others; for those you will need to create an ACL allowing the traffic to the higher security level interfaces.
You will also need to do an identity NAT from the networks on the higher security level to the lower security level. Here is how:
static (inside1,inside3) 192.168.0.193 192.168.0.193 netmask 255.255.255.224
access-list Inside3_any permit icmp any any
access-group Inside3_any in interface inside3
You will need to do the same for the interfaces on a lower security level, or just give them all the same security level (which is not the most secure option).
Afterwards, run this packet tracer and post the output you get with the updated configuration:
packet-tracer input inside3 icmp permit 192.168.0.97 8 0 192.168.0.197
Please let me know if this works.
Best Regards,
Julio
09-22-2011 10:33 AM
I applied the following command to check:
packet-tracer input inside2 icmp 192.168.0.65
But it did not work:
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.65 255.255.255.224 inside2
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside2
input-status: up
input-line-status: up
output-interface: inside2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I set the security level of all subinterfaces to 100.
What may be happening? I did everything you recommended.
thanks
09-22-2011 10:42 AM
Hello Francisco,
In order to test this, can you post the new configuration and the output of this packet tracer (the packet tracer you generated is incomplete):
packet-tracer input inside3 icmp 192.168.0.97 8 0 192.168.0.197
Regards,
09-22-2011 12:41 PM
Thanks, my problem was solved with these instructions.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
09-22-2011 12:43 PM
Good to know, Francisco. Though you have the same-security-traffic permit intra-interface, just to let you know, it should work with just that one, because the networks with the same security level are behind the same interface (different sub-interfaces).
The inter-interface is used when there are different interfaces with the same security level.
Have a great day
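To make the default interface-to-interface behaviour discussed in this thread concrete, here is an added Python model (not from the thread or from Cisco) that parses a constructed config fragment trimmed from the posted subinterfaces and gives the verdict a new flow gets before any ACL is applied: higher-to-lower security level is allowed, lower-to-higher hits the implicit deny (the acl-drop seen in the packet-tracer output), and equal levels depend on the same-security-traffic permit inter-/intra-interface commands. The address pairs and the parser are assumptions for illustration.

```python
import ipaddress
# Constructed config fragment, trimmed from the subinterfaces posted in the thread.
ASA_CONFIG = """
interface Ethernet0/1.100
 nameif inside1
 security-level 100
 ip address 192.168.0.193 255.255.255.224
interface Ethernet0/1.200
 nameif inside2
 security-level 80
 ip address 192.168.0.62 255.255.255.192
interface Ethernet0/1.400
 nameif inside4
 security-level 100
 ip address 192.168.0.158 255.255.255.224
same-security-traffic permit inter-interface
"""

def parse(config):
    # Returns ({nameif: {"level": int, "net": ip_network}}, {"inter", "intra"} flags seen)
    ifaces, flags, cur = [], set(), None
    for line in config.splitlines():
        words = line.split() or [""]
        if words[0] == "interface":
            ifaces.append(cur := {})
        elif words[0] == "nameif":
            cur["name"] = words[1]
        elif words[0] == "security-level":
            cur["level"] = int(words[1])
        elif words[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        elif words[:2] == ["same-security-traffic", "permit"]:
            flags.add(words[2].split("-")[0])  # "inter" or "intra"
    return {i["name"]: i for i in ifaces if "name" in i}, flags

def default_policy(config, src_ip, dst_ip):
    # Verdict for a new flow when no ACL is applied on the ingress interface
    # (security-level comparison plus the same-security-traffic permit flags).
    ifaces, flags = parse(config)
    owner = lambda ip: next((n for n, i in ifaces.items() if ipaddress.ip_address(ip) in i["net"]), None)
    src, dst = owner(src_ip), owner(dst_ip)
    if src is None or dst is None:
        return "drop: no connected interface owns that address"
    if src == dst:  # hairpin: enters and leaves the same named interface
        return "allow" if "intra" in flags else "drop: needs permit intra-interface"
    s, d = ifaces[src]["level"], ifaces[dst]["level"]
    if s != d:
        return "allow" if s > d else "drop: acl-drop (lower to higher needs an inbound ACL)"
    return "allow" if "inter" in flags else "drop: needs permit inter-interface"
```

Running it against the constructed fragment shows a host on inside2 (level 80) reaching inside1 (level 100) being dropped exactly as in the packet-tracer output above, while the reverse direction is allowed.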