VLAN traffic routing

cc3
Level 1

Hello, I have created a VLAN and I want limited traffic going between the VLAN and my inside interface. I have traffic moving from the VLAN to the 2 IPs on the inside. However I cannot access the VLAN from the inside interface. Here is my config. Can anyone help?
ASA Version 9.6(2)3
!
hostname HS-PRI-FW
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
ip local pool ANYCONNECT-POOL2 192.168.111.1-192.168.111.254 mask 255.255.255.0

!
interface GigabitEthernet1/1
description Inside Data Network
nameif inside
security-level 100
ip address 10.1.40.1 255.255.255.0
policy-route route-map PBR
!
interface GigabitEthernet1/2
description RingCentral
nameif voice
security-level 100
ip address 10.1.41.1 255.255.255.0
policy-route route-map PBR
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3.1
vlan 20
nameif Win7VLAN
security-level 75
ip address 10.1.42.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
description COMCAST-VOICE
nameif ISP-VOICE
security-level 0
ip address
!
interface GigabitEthernet1/8
description Connection to Comcast
nameif outside
security-level 0
ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa962-3-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
object network HS-DATA
subnet 10.1.40.0 255.255.255.0
object network HS-VOICE
subnet 10.1.41.0 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
subnet 192.168.100.0 255.255.255.0

object network obj-10.1.40.2
host 10.1.40.2
object network OBJ-ANYCONNECT-SUBNET2
subnet 192.168.111.0 255.255.255.0
object network hssrv02
host 10.1.40.6
object network hssrv022
host 10.1.40.6
object network hssrv021
host 10.1.40.6
object network hssrv023
host 10.1.40.6
object network hssrv024
host 10.1.40.6
object network hssrv025
host 10.1.40.6
object network hssrv020
host 10.1.40.6
object network Win7VLAN
subnet 10.1.42.0 255.255.255.0


port-object range 60000 64999
object-group network Voice-INT
description Internal Voice Network
network-object 10.1.41.0 255.255.255.0
object-group network Data-INT
description Internal Data Network
network-object 10.1.40.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list OUTSIDE_IN remark Allow SIP traffic from ring central
access-list OUTSIDE_IN extended permit object-group TCPUDP object-group Ring_Central_UDP object-group Voice-INT object-group Ring_Central_SVC_UDP
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.40.6 eq ftp
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.40.6 eq 35000
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.40.6 eq 35001
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.40.6 eq 35002
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.40.6 eq 35003
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.40.6 eq 35004
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.40.6 eq 35005
access-list SFR extended permit ip any any
access-list SPLIT-TUNNEL standard permit 10.1.40.0 255.255.255.0
access-list VOICE_IN remark Allow SIP traffic from ring central
access-list VOICE_IN extended permit object-group TCPUDP object-group Ring_Central_UDP object-group Voice-INT object-group Ring_Central_SVC_UDP
access-list DATA_ACL extended permit ip 10.1.40.0 255.255.255.0 any
access-list VOICE_ACL extended permit ip 10.1.41.0 255.255.255.0 any
access-list RingCentral extended permit udp 199.68.212.0 255.255.252.0 range 4000 65535 any
access-list SPLIT-TUNNEL2 standard permit host 10.1.40.7
access-list SPLIT-TUNNEL2 standard permit host 10.1.40.8
access-list SPLIT-TUNNEL2 standard permit host 10.1.40.9
access-list SPLIT-TUNNEL2 standard permit host 10.1.40.105
access-list Win7VLANAC_outbound extended permit ip 10.1.42.0 255.255.255.0 host 10.1.40.2
access-list Win7VLANAC_outbound extended permit ip 10.1.42.0 255.255.255.0 host 10.1.40.6
access-list Win7VLANAC_outbound extended permit tcp any any eq https
access-list Win7VLANAC_outbound extended permit tcp any any eq www
pager lines 24
mtu inside 1500
mtu voice 1500
mtu Win7VLAN 1500
mtu ISP-VOICE 1500
mtu outside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET2 OBJ-ANYCONNECT-SUBNET2 no-proxy-arp route-lookup
nat (inside,outside) source dynamic HS-DATA interface
nat (inside,ISP-VOICE) source dynamic HS-DATA interface
nat (voice,ISP-VOICE) source dynamic HS-VOICE interface
nat (voice,outside) source dynamic HS-VOICE interface
!
object network HS-DATA
nat (inside,outside) dynamic interface
object network HS-VOICE
nat (voice,ISP-VOICE) dynamic interface
object network obj-10.1.40.2
nat (inside,outside) static 50 service tcp 3389 3389
object network hssrv02
nat (inside,outside) static 50 service tcp ftp ftp
object network hssrv022
nat (inside,outside) static 50 service tcp 35005 35005
object network hssrv021
nat (inside,outside) static 50 service tcp 35001 35001
object network hssrv023
nat (inside,outside) static 50 service tcp 35002 35002
object network hssrv024
nat (inside,outside) static 50 service tcp 35003 35003
object network hssrv025
nat (inside,outside) static 50 service tcp 35004 35004
object network hssrv020
nat (inside,outside) static 50 service tcp 35000 35000
object network Win7VLAN
nat (Win7VLAN,outside) dynamic interface
access-group Win7VLANAC_outbound in interface Win7VLAN
access-group VOICE_IN in interface ISP-VOICE
access-group OUTSIDE_IN in interface outside
!
route-map PBR permit 10
match ip address DATA_ACL
set ip next-hop verify-availability 1 track 1
set ip next-hop verify-availability 2 track 2

!
route-map PBR permit 20
match ip address VOICE_ACL
set ip next-hop verify-availability 1 track 2
set ip next-hop verify-availability 2 track 1

!
route outside 0.0.0.0 0.0.0.0 50.254.35.6 1 track 1
route ISP-VOICE 0.0.0.0 0.0.0.0 50.240.169.14 254 track 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authorization exec LOCAL
http server enable 8443
http 10.1.40.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 ISP-VOICE
no snmp-server location
no snmp-server contact
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 4.2.2.2 interface ISP-VOICE
frequency 10
sla monitor schedule 2 life forever start-time now
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
telnet timeout 5

console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3000
dhcpd ping_timeout 20
!
dhcpd address 10.1.41.100-10.1.41.200 voice
dhcpd enable voice
!
dhcpd address 10.1.42.100-10.1.42.199 Win7VLAN
dhcpd enable Win7VLAN
!
priority-queue ISP-VOICE
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 139.78.97.128 prefer
!
class-map VOIP
match dscp ef
class-map SFR
match access-list SFR
class-map CLASS_QOS_VOICE
description matching voice packets for prioritization by the asa
match dscp ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
class SFR
sfr fail-open
policy-map VOICE-PRIORITY
class CLASS_QOS_VOICE
priority
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
!
jumbo-frame reservation
!

: end

1 Reply

Marvin Rhoads
Hall of Fame

You have the following relevant configuration bits:

interface GigabitEthernet1/1
description Inside Data Network
nameif inside
security-level 100
ip address 10.1.40.1 255.255.255.0
policy-route route-map PBR

interface GigabitEthernet1/3.1
vlan 20
nameif Win7VLAN
security-level 75
ip address 10.1.42.1 255.255.255.0

access-list Win7VLANAC_outbound extended permit ip 10.1.42.0 255.255.255.0 host 10.1.40.2
access-list Win7VLANAC_outbound extended permit ip 10.1.42.0 255.255.255.0 host 10.1.40.6
access-list Win7VLANAC_outbound extended permit tcp any any eq https
access-list Win7VLANAC_outbound extended permit tcp any any eq www
access-group Win7VLANAC_outbound in interface Win7VLAN

Do you want inside network hosts to access hosts on 10.1.42.0? And for hosts on 10.1.42.0 to be able to initiate traffic to any port on inside hosts 10.1.42.2 and .6 and also be able to initiate web traffic (tcp/80 and tcp/443) to any inside network host?

If so, that should work. You will not be able to reach the VLAN 20 interface ip 10.1.42.1 on the ASA from the inside network - that's by design on ASAs. You also need to ensure that your switch port where the ASA gi1/3 interface connects is configured as a trunk port that allows VLAN 20.
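As an added illustration that is not part of the original thread, the following Python model captures the two rules the answer above relies on: with no inbound ACL on inside, the security-level rule (100 to 75) permits inside-to-VLAN traffic, while on Win7VLAN the applied access-group decides with an implicit deny at its end, and an ASA interface IP answers only on its own interface. It assumes just the two interfaces and the one access-group from the posted config; NAT, inspection and the same-security-traffic command are deliberately left out.

```python
from ipaddress import ip_address, ip_network

# Interfaces from the posted config: name -> (security-level, interface IP).
INTERFACES = {
    "inside":   (100, ip_address("10.1.40.1")),
    "Win7VLAN": (75,  ip_address("10.1.42.1")),
}
# Connected /24 of each interface, derived from its IP (both are /24 in the post).
SUBNETS = {n: ip_network(f"{ip}/24", strict=False) for n, (_, ip) in INTERFACES.items()}

# access-list Win7VLANAC_outbound as (proto, src, dst, dport); None = any port.
ACL_WIN7VLAN_OUTBOUND = [
    ("ip",  ip_network("10.1.42.0/24"), ip_network("10.1.40.2/32"), None),
    ("ip",  ip_network("10.1.42.0/24"), ip_network("10.1.40.6/32"), None),
    ("tcp", ip_network("0.0.0.0/0"),    ip_network("0.0.0.0/0"),    443),
    ("tcp", ip_network("0.0.0.0/0"),    ip_network("0.0.0.0/0"),    80),
]
# "access-group Win7VLANAC_outbound in interface Win7VLAN"; inside has no ACL.
ACCESS_GROUPS = {"Win7VLAN": ACL_WIN7VLAN_OUTBOUND}


def interface_for(addr):
    """Interface whose connected subnet contains addr (ingress or egress)."""
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    raise ValueError(f"no connected interface for {addr}")


def acl_permits(acl, proto, src, dst, dport):
    """First-match evaluation with the implicit deny every ASA ACL ends in."""
    for a_proto, a_src, a_dst, a_port in acl:
        if a_proto in ("ip", proto) and src in a_src and dst in a_dst \
                and a_port in (None, dport):
            return True
    return False


def allowed(proto, src, dst, dport=None):
    src, dst = ip_address(src), ip_address(dst)
    in_if = interface_for(src)
    # Traffic to the ASA itself: an interface IP answers only on its own
    # interface, which is why 10.1.42.1 is unreachable from the inside network.
    if dst in {ip for _, ip in INTERFACES.values()}:
        return dst == INTERFACES[in_if][1]
    acl = ACCESS_GROUPS.get(in_if)
    if acl is not None:            # an inbound ACL replaces the level rule
        return acl_permits(acl, proto, src, dst, dport)
    # No ACL on the ingress interface: permit only higher -> lower security.
    return INTERFACES[in_if][0] > INTERFACES[interface_for(dst)][0]
```

Run it against the flows discussed in the thread (inside host to a VLAN 20 host, VLAN 20 host to 10.1.40.2, VLAN 20 host to an arbitrary inside host on tcp/443 versus tcp/22) to see which side each rule decides.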
