VLANs can't communicate with each other on ASA 5525-X

King_1988
Level 1

Hello all,

I have configured 3 separate VLANs using sub-interfaces on an ASA firewall with 3 different security levels, and configured a trunk to a layer-2 switch allowing all VLANs on that trunk port.

 

See the information below for a better understanding:

VLAN 2 - 192.168.2.0/24 (sec level 100)

VLAN 3 - 192.168.3.0/24 (sec level 50)

VLAN 4 - 192.168.4.0/24 (sec level 70)

 

From the firewall side:

interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.2
vlan 2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/0.3
vlan 3
nameif DMZ-1
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/0.4
vlan 4
nameif DMZ-2
security-level 70
ip address 192.168.4.1 255.255.255.0
!
object-group network inside
network-object 192.168.2.0 255.255.255.0
object-group network DMZ-1
network-object 192.168.3.0 255.255.255.0
object-group network DMZ-2
network-object 192.168.4.0 255.255.255.0
!
access-list all-allow extended permit ip any any
access-group all-allow global
!

Please note that when I configure my PC on access VLAN 2 (sec level 100), I can ping the gateway (192.168.2.1) from my PC, but I can't ping the other two gateways. A higher security level should be able to reach a lower one. Please suggest what I can do to solve this issue.

3 Replies

Ricky Sandhu
Level 3
I think by default the ASA doesn't allow ICMP traffic. You may have to enable ICMP in the global inspection policy.

Hi Ricky,

ICMP inspection was enabled globally. Is there any possibility of an inter-VLAN routing issue?

policy-map global_policy
class inspection_default
inspect icmp

Marvin Rhoads
Hall of Fame

You cannot ping an ASA interface that's remote from the interface that your traffic ingresses on. That's by design and cannot be changed. Better to test with a host on one of the other subnets.
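To make the behaviour in this answer and in the original question concrete, here is an added Python model (not Cisco code and not from this thread) of the ASA's routed-mode forwarding decision for the three sub-interfaces and the global ACL posted above. It is a simplified model: it applies the rule that traffic addressed to an ASA interface IP is only accepted on that interface, then the ACL, then the higher-to-lower security-level default when no ACL is applied; the host addresses 192.168.x.10 used in the comments are constructed.

```python
import ipaddress

# Topology from the post: nameif -> (security level, connected subnet, interface IP)
INTERFACES = {
    "inside": (100, "192.168.2.0/24", "192.168.2.1"),
    "DMZ-1": (50, "192.168.3.0/24", "192.168.3.1"),
    "DMZ-2": (70, "192.168.4.0/24", "192.168.4.1"),
}
# The post's global ACL: "permit ip any any". An empty list models "no ACL applied".
GLOBAL_ACL = [("permit", "ip", "any", "any")]


def egress_interface(dst):
    """Connected-route lookup: which interface owns the destination subnet?"""
    for name, (_, subnet, _) in INTERFACES.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(subnet):
            return name
    return None


def acl_action(acl, proto, src, dst):
    """First matching ACE decides; None when nothing matches."""
    for action, aproto, asrc, adst in acl:
        if aproto in ("ip", proto) and asrc in ("any", src) and adst in ("any", dst):
            return action
    return None


def forward(ingress, proto, src, dst, acl=GLOBAL_ACL):
    """Return (verdict, reason) for a packet arriving on `ingress`."""
    # To-the-box traffic: an interface address is only reachable on that interface,
    # regardless of security levels or ACLs (the point of the answer above).
    for name, (_, _, ifc_ip) in INTERFACES.items():
        if dst == ifc_ip:
            if name == ingress:
                return ("accept", f"to-the-box traffic on {ingress}")
            return ("drop", f"{dst} is the {name} interface address; not reachable via {ingress}")
    egress = egress_interface(dst)
    if egress is None:
        return ("drop", "no route to destination")
    action = acl_action(acl, proto, src, dst)
    if action == "permit":
        return ("permit", f"{ingress} -> {egress} permitted by ACL")
    if acl:  # an ACL is applied but nothing matched: implicit deny at its end
        return ("drop", f"{ingress} -> {egress} hits the ACL's implicit deny")
    # No ACL applied: security-level default (higher to lower only)
    if INTERFACES[ingress][0] > INTERFACES[egress][0]:
        return ("permit", f"{ingress} -> {egress} allowed by higher-to-lower default")
    return ("drop", f"{ingress} -> {egress} is lower-to-higher; needs an explicit permit")
```

Pinging 192.168.3.1 from a host on inside is dropped even with the permit-any ACL, while the same host reaching a constructed host 192.168.3.10 on DMZ-1 is permitted, which is why testing with a host on the other subnet is the right check.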
