ASA Firewall Question

Iloveyou
Level 1

The firewall is configured with sub interfaces on a single physical interface.

How do I enable inter vlan routing between them? (Prefer restrict to subnets)

Users cannot ping outside. How to solve? (Prefer restrict to subnets)

9 Replies

Blue_Bird
VIP

Here is the sample configuration:

ASA Version 8.6(1)2
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 description ### To SW01 F0/1 Trunk ###
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif CORP
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif DMZ
 security-level 50
 ip address 192.168.20.254 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!

Best regards
******* If This Helps, Please Rate *******

How do I enable inter vlan routing between them? (Prefer restrict to subnets)

You don't need any config; by default the ASA will route between two subinterfaces immediately after you give them IP addresses.

Users cannot ping outside. How to solve? (Prefer restrict to subnets)

You need:

ICMP inspection

NAT from both inside subinterfaces to outside

Blue_Bird
VIP

Here is the complete sample configuration. You can change the IP addressing scheme according to your requirement.

ASA Version 8.4(2)
!
hostname Mario-Guitar-Shop-HQ
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 50.0.0.1 255.255.255.248
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.20.10.1 255.255.255.0
!
interface GigabitEthernet1.2
vlan 2
nameif vlan2
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1.3
vlan 3
nameif vlan3
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
nameif wireless
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit intra-interface
pager lines 24
mtu outside 1500
mtu inside 1500
mtu vlan2 1500
mtu vlan3 1500
mtu wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 7200
!
dhcpd address 10.20.10.11-10.20.10.100 inside
dhcpd dns 10.20.10.1 interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.10-192.168.10.100 wireless
dhcpd dns 192.168.10.1 interface wireless
dhcpd enable wireless
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:2c391b206dfd8073446c7b05db3d6b73

Best regards
******* If This Helps, Please Rate *******

Can you highlight which command is for the ping and which command is for the inter-vlan routing?

The primary interface should not have any IP addressing or name configured:

interface GigabitEthernet1
nameif inside
security-level 100
ip address x.x.x.x x.x.x.x

Now if you are going to use sub-interfaces you need a switch (with a trunk interface) or a router (with the same sub-interfaces) facing the firewall.

In order to make it work, you need to create ACLs on the firewall, for example:

access-list VLAN-2-IN extended permit icmp any any echo
access-list VLAN-2-IN extended permit icmp any any echo-reply
access-list VLAN-2-IN extended permit ip any any

access-list VLAN-3-IN extended permit icmp any any echo
access-list VLAN-3-IN extended permit icmp any any echo-reply
access-list VLAN-3-IN extended permit ip any any

Then apply them with an access-group, like we do on routers:

access-group VLAN-2-IN in interface vlan2
access-group VLAN-3-IN in interface vlan3

Remember security level 100 is full protection, so you need to explicitly allow the access, in other words using ACLs.

Best regards
******* If This Helps, Please Rate *******

 

I should make myself clear.

The sub interfaces are on the asa firewall itself. So what is the command?

And which command is for the inter-VLAN routing?

For inter-VLAN routing you don't need any command; you only must make sure the subinterface is UP.
For ping, what is the security level of both subinterfaces?
If it is the same then, as @paul driver mentioned, you need

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

and enable ICMP inspection.

If the security levels are different then you only need to

enable ICMP inspection
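An added configuration audit (not from any poster in this thread) that checks an ASA running-config text for the two items the replies above identify: same-security-traffic permit inter-interface when subinterfaces share a security level, and inspect icmp in the global policy so echo replies are tracked. The sample config, interface names and addresses are constructed for the example.

```python
import re

# Constructed sample (hypothetical addresses): two same-security subinterfaces
# on one trunk, with the two commands the replies above call for applied.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.10
 vlan 10
 nameif CORP
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif DMZ
 security-level 100
 ip address 192.168.20.254 255.255.255.0
!
same-security-traffic permit inter-interface
policy-map global_policy
 class inspection_default
  inspect icmp
"""

def parse_interfaces(cfg):
    """Return {nameif: security-level} for each interface block ('!' ends a block)."""
    ifaces, name, level = {}, None, None
    for line in cfg.splitlines():
        if line.startswith("interface ") or line == "!":
            if name is not None:
                ifaces[name] = level
            name, level = None, None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level "):
            level = int(line.split()[1])
    return ifaces

def audit(cfg):
    """Flag the two gaps the thread turns on: routing between same-security
    subinterfaces, and ICMP inspection so echo replies are allowed back in."""
    levels = list(parse_interfaces(cfg).values())
    shared_level = len(set(levels)) < len(levels)   # two or more share a level
    permit = "same-security-traffic permit inter-interface" in cfg.splitlines()
    icmp = re.search(r"^[ \t]+inspect icmp[ \t]*$", cfg, re.M) is not None
    findings = []
    if shared_level and not permit:
        findings.append("same-security-traffic permit inter-interface missing")
    if not icmp:
        findings.append("inspect icmp missing from policy-map")
    return findings
```

Feed it the output of show running-config; an empty list means both items are present, which is the state the thread says is needed for same-level subinterfaces to route and for ping to get replies.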

Hello
Apply the following:
same-security-traffic permit inter-interface


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul