VLANs Problem........

Imran Irshad
Level 1

Dear Experts,

We have configured Cisco ASA 5520 in our network with CSC-SSM module.

We have configured VLANs on our network.

VLAN0 (default)

VLAN10

VLAN20

Question:

VLAN10 & VLAN20 can communicate with Default VLAN

I want to block some proxy server addresses, but after blocking the proxy addresses,

VLAN10 and VLAN20 are not communicating with the Default VLAN.

When I remove,

access-group PROXY-DENY in interface inside10 (VLAN10)

access-group PROXY-DENY in interface inside20 (VLAN20)

Then both are working well.

Kindly view ASA config below,

access-list PROXY-DENY extended permit tcp any any

access-list PROXY-DENY extended permit udp any any

access-list PROXY-DENY extended deny tcp 192.168.10.0 255.255.255.0 host 202.XX.XX.XX eq 8080

access-group PROXY-DENY in interface inside10

access-group PROXY-DENY in interface inside20

Regards,

IA

3 Replies

Allen P Chen
Level 5

Hello,

Is the ASA in routed mode or transparent mode?

Are these access-lists configured on the ASA?

access-list PROXY-DENY extended permit tcp any any

access-list PROXY-DENY extended permit udp any any

access-list PROXY-DENY extended deny tcp 192.168.10.0 255.255.255.0 host 202.XX.XX.XX eq 8080

access-group PROXY-DENY in interface inside10

access-group PROXY-DENY in interface inside20

What security level is assigned to interface inside10 and inside20?  What are the IP addresses assigned to those interfaces?

What is the IP subnet assigned to the default vlan0?  Behind which interface does vlan0 reside?

It seems like there is some confusion between VLANs (layer 2 concept on the switch) and layer 3 interfaces of the ASA...

Dear Allen,

Yes, I configured it on the ASA 5520.

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.0.8 255.255.255.0

GigabitEthernet0/1.20

vlan 20

nameif inside20

security-level 100

ip address 192.168.20.10 255.255.255.0

GigabitEthernet0/1.10

vlan 20

nameif inside20

security-level 100

ip address 192.168.10.10 255.255.255.0

After that we have a Core Switch (3650):

Default VLAN

192.168.0.100/24

VLAN10

192.168.10.11/24

VLAN20

192.168.20.11/24

Hello,

Some thoughts:

GigabitEthernet0/1.20

vlan 20

nameif inside20

...

GigabitEthernet0/1.10

vlan 20

nameif inside20

--why are sub-interfaces gi0/1.20 and gi0/1.10 both assigned VLAN 20 and have the same name?

interface GigabitEthernet0/1

security-level 100

GigabitEthernet0/1.20

security-level 100

GigabitEthernet0/1.10

security-level 100

--since all three interfaces are assigned security level 100, is the command "same-security-traffic permit inter-interface" configured?

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1421315

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.0.8 255.255.255.0

--per the ASA configuration guide, if sub-interfaces are being used, it is recommended to not pass untagged packets through the physical interface.

Preventing untagged packets on the physical interface—If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1082576

GigabitEthernet0/1.20

vlan 20

nameif inside20

security-level 100

ip address 192.168.20.10 255.255.255.0

GigabitEthernet0/1.10

vlan 20

nameif inside20

security-level 100

ip address 192.168.10.10 255.255.255.0

access-list PROXY-DENY extended permit tcp any any

access-list PROXY-DENY extended permit udp any any

access-list PROXY-DENY extended deny tcp 192.168.10.0 255.255.255.0 host 202.XX.XX.XX eq 8080

access-group PROXY-DENY in interface inside10

access-group PROXY-DENY in interface inside20

--why is access-list PROXY-DENY applied to both vlans 10 and 20?  Traffic sourced from 192.168.10.0/24 should only arrive on gig0/1.10 and will never arrive on gig0/1.20 right?  Or is there some type of routing loop in your environment?
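The points raised across the two replies (duplicate VLAN tag and nameif on the subinterfaces, equal security levels without same-security-traffic, and how the PROXY-DENY entries behave once applied) can be checked mechanically. The script below is an added example, not Cisco code and not from anyone in this thread. It models only the ASA rules the replies rely on: access lists are evaluated top-down, the first matching entry wins, and anything that matches no entry hits the implicit deny at the end; each interface carries one VLAN tag and one nameif; and interfaces at the same security level need `same-security-traffic permit inter-interface` to pass traffic between them. The sample configuration is the one posted above, written with the `interface` keyword the paste omitted, and with the masked proxy address 202.XX.XX.XX replaced by the constructed placeholder 203.0.113.10 (documentation address space).

```python
# Added example (not Cisco code, not from this thread): lint the posted ASA configuration
# for duplicate VLAN/nameif, dangling access-group references, missing same-security-traffic,
# and ACL entries that an earlier broader entry shadows; plus a first-match ACL evaluator.
import ipaddress
from collections import namedtuple

# Constructed sample: the posted configuration normalised to ASA syntax, with the masked
# proxy address 202.XX.XX.XX replaced by the documentation address 203.0.113.10.
POSTED_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.8 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside20
 security-level 100
 ip address 192.168.20.10 255.255.255.0
interface GigabitEthernet0/1.10
 vlan 20
 nameif inside20
 security-level 100
 ip address 192.168.10.10 255.255.255.0
access-list PROXY-DENY extended permit tcp any any
access-list PROXY-DENY extended permit udp any any
access-list PROXY-DENY extended deny tcp 192.168.10.0 255.255.255.0 host 203.0.113.10 eq 8080
access-group PROXY-DENY in interface inside10
access-group PROXY-DENY in interface inside20
"""

# One access-list entry; dport None means any destination port.
Ace = namedtuple("Ace", "action proto src dst dport")

def _addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (real mask, not wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{t}/{tokens.pop(0)}")

def parse_config(text):
    """Return (interfaces, acls, access_groups, same_security_configured)."""
    interfaces, acls, groups, same_security, cur = {}, {}, [], False, None
    for raw in text.splitlines():
        tok = raw.split()
        if tok[0] == "interface":
            cur = interfaces.setdefault(tok[1], {})
        elif raw.startswith(" ") and cur is not None:
            cur[tok[0]] = tok[1:]  # e.g. {'vlan': ['20'], 'nameif': ['inside20']}
        elif tok[0] == "access-list" and tok[2] == "extended":
            rest = tok[5:]  # tokens after the protocol
            src, dst = _addr(rest), _addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None  # destination port only
            acls.setdefault(tok[1], []).append(Ace(tok[3], tok[4], src, dst, dport))
        elif tok[0] == "access-group":
            groups.append((tok[1], tok[2], tok[4]))  # (acl, direction, nameif)
        elif raw.strip() == "same-security-traffic permit inter-interface":
            same_security = True
    return interfaces, acls, groups, same_security

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, ace in enumerate(acl):
        if ace.proto in (proto, "ip") and s in ace.src and d in ace.dst and ace.dport in (None, dport):
            return ace.action, i
    return "deny", None

def shadowed(acl):
    """Indices of entries completely covered by an earlier entry, so they can never match."""
    hidden = []
    for i, ace in enumerate(acl):
        if any(p.proto in (ace.proto, "ip") and ace.src.subnet_of(p.src) and ace.dst.subnet_of(p.dst)
               and p.dport in (None, ace.dport) for p in acl[:i]):
            hidden.append(i)
    return hidden

def lint(text):
    interfaces, acls, groups, same_security = parse_config(text)
    findings, seen = [], {}
    for name, attrs in interfaces.items():          # one VLAN tag and one nameif per interface
        for key in ("vlan", "nameif"):
            if key in attrs:
                val = attrs[key][0]
                if (key, val) in seen:
                    findings.append(f"duplicate {key} {val}: {seen[(key, val)]} and {name}")
                seen[(key, val)] = name
    nameifs = {a["nameif"][0] for a in interfaces.values() if "nameif" in a}
    for acl_name, _, nameif in groups:              # access-group must name a real interface
        if nameif not in nameifs:
            findings.append(f"access-group {acl_name}: nameif {nameif} is not configured")
    levels = {a["security-level"][0] for a in interfaces.values() if "security-level" in a}
    if len(levels) == 1 and len(interfaces) > 1 and not same_security:
        findings.append("all interfaces share one security level but same-security-traffic permit inter-interface is missing")
    for acl_name, acl in acls.items():              # entries hidden behind an earlier broader one
        for i in shadowed(acl):
            findings.append(f"{acl_name} line {i + 1} is shadowed by an earlier entry")
    return findings
```

`lint(POSTED_CONFIG)` returns five findings: VLAN 20 and nameif inside20 appear on both gig0/1.20 and gig0/1.10 (the duplication Allen asks about), `access-group PROXY-DENY in interface inside10` names a nameif the paste never defines, the three interfaces sit at security level 100 with no `same-security-traffic permit inter-interface`, and the `deny ... eq 8080` entry is shadowed by `permit tcp any any` above it and can never match. `evaluate()` shows the same entries from the traffic side: `evaluate(acl, "tcp", "192.168.10.50", "203.0.113.10", 8080)` is permitted by line 1, while a flow that is neither TCP nor UDP, such as ICMP to 192.168.0.100, matches nothing and falls to the implicit deny.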
