799 Views, 10 Helpful, 5 Replies

Need some help with inter VLAN routing ( ASA 5506 & 3560CX )

blinkydamo (Level 1)

Hi all,

 

I am trying to build a new network at home based around a 5506-X and a 3560CX. I have got as far as allowing a device connected to the switch to access the internet. The DHCP pools are on the ASA and are providing leases to clients on all VLANs; what I am trying to do is communicate between VLAN 10 and VLAN 30.

 

Could someone guide me in the direction to understand how to complete this? Is the routing between the VLANs completed within the switch or the firewall? Is there anything standing out that really shouldn't be there, or that really needs to be there, that I am missing?

Cheers in advance.

 

5506-X Config:

interface GigabitEthernet1/8
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8.2
vlan 2
nameif inside_2
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1/8.10
vlan 10
nameif inside_10
security-level 100
ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet1/8.20
vlan 20
nameif inside_20
security-level 50
ip address 10.0.20.1 255.255.255.0
!
interface GigabitEthernet1/8.30
vlan 30
nameif inside_30
security-level 100
ip address 10.0.30.1 255.255.255.0
!
interface GigabitEthernet1/8.100
vlan 100
nameif BCU_OEAP
security-level 20
ip address 10.0.100.1 255.255.255.0
!
object network inside_10
subnet 10.0.10.0 255.255.255.0
description Trusted Subnet
object network inside_20
subnet 10.0.20.0 255.255.255.0
description Media Subnet
object network inside_30
subnet 10.0.30.0 255.255.255.0
description Servers Subnet
object-group network inside_1030
description Trusted and Servers Subnets
network-object object inside_10
network-object object inside_30
!
object network inside_10
nat (inside_10,outside) dynamic interface
object network inside_20
nat (inside_20,outside) dynamic interface
object network inside_30
nat (inside_30,outside) dynamic interface
!
dhcpd address 10.0.99.100-10.0.99.200 IoT
dhcpd dns 8.8.8.8 8.8.4.4 interface IoT
dhcpd option 3 ip 10.0.99.1 interface IoT
dhcpd enable IoT
!
dhcpd address 10.0.0.2-10.0.0.100 inside_2
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_2
dhcpd option 3 ip 10.0.0.1 interface inside_2
dhcpd enable inside_2
!
dhcpd address 10.0.10.100-10.0.10.200 inside_10
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_10
dhcpd option 3 ip 10.0.10.1 interface inside_10
dhcpd enable inside_10
!
dhcpd address 10.0.20.100-10.0.20.200 inside_20
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_20
dhcpd option 3 ip 10.0.20.1 interface inside_20
dhcpd enable inside_20
!
dhcpd address 10.0.30.100-10.0.30.200 inside_30
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_30
dhcpd option 3 ip 10.0.30.1 interface inside_30
dhcpd enable inside_30
!
dhcpd address 10.0.100.100-10.0.100.200 BCU_OEAP
dhcpd dns 8.8.8.8 8.8.4.4 interface BCU_OEAP
dhcpd option 3 ip 10.0.100.1 interface BCU_OEAP
dhcpd enable BCU_OEAP
!

 

3560CX Config:

hostname Cisco_3560CX
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
ip routing
!
object-group network servers
10.0.30.0 255.255.255.0
!
object-group network trusted
10.0.10.0 255.255.255.0
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/1
description Trusted VLAN
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/2
description Media VLAN
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/3
description Server VLAN
switchport access vlan 30
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/4
description OEAP
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/14
description Trunk to ASA
switchport trunk native vlan 2
switchport trunk allowed vlan 1,2,10,20,30,100
switchport mode trunk
no keepalive
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
description New Native VLAN
ip address 10.0.0.254 255.255.255.0
ip helper-address 10.0.0.1
!
interface Vlan10
description Trusted VLAN
ip address 10.0.10.254 255.255.255.0
ip access-group ACL_10_30 in
ip helper-address 10.0.10.1
!
interface Vlan20
description Media VLAN
ip address 10.0.20.254 255.255.255.0
ip helper-address 10.0.20.1
!
interface Vlan30
description Server VLAN
ip address 10.0.30.254 255.255.255.0
ip access-group ACL_30_10 in
ip helper-address 10.0.30.1
!
interface Vlan100
description BCU_OEAP VLAN
ip address 10.0.100.254 255.255.255.0
ip helper-address 10.0.100.1
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 10.0.10.0 255.255.255.0 10.0.10.1
ip route 10.0.30.0 255.255.255.0 10.0.30.1
!
ip access-list extended ACL_10_30
permit ip any any log
ip access-list extended ACL_30_10
permit ip any any log
5 Replies

Giuseppe Larosa (Hall of Fame)

Hello @blinkydamo ,

the default gateway for each VLAN, according to the DHCP pools, is the ASA interface.

 

The ASA being a stateful firewall will not allow all communications between VLANs by default.

 

You have two options here:

a) change the DHCP pool configurations to provide a default gateway = switch SVI interface IP address

dhcpd option 3 ip 10.0.10.1 interface inside_10

you change it to:

dhcpd option 3 ip 10.0.10.254 interface inside_10

 

and you do this for all VLANs

 

b) you define extended ACLs to be applied inbound on the ASA interfaces.

 

access-list ACL_inside_10_in extended permit ip 10.0.10.0 255.255.255.0 10.0.0.0 255.255.0.0

 

please note: ACLs on the ASA are different from ACLs on routers; they do not use wildcard masks but subnet masks

 

access-group ACL_inside_10_in in inside_10

 

similarly for all other ACLs.

 

To be noted: the ASA uses the security level concept. Traffic from a more trusted interface (higher security level) can go to a destination reachable out of a less trusted interface (lower security level) by default.

 

So without adding an ACL, from inside_30 you can ping all the other VLAN subnets because it has the highest security level.

 

Hope to help

Giuseppe

 

I agree with Giuseppe that it would be better to change the DHCP pools to make the switch the default gateway for hosts in each VLAN. There are several issues with having the ASA do the inter-VLAN routing. Among the issues are that both VLAN 10 and 30 have security level 100. Even with an ACL to permit the traffic, the ASA, by default, will not allow traffic between interfaces with the same security level. You would need to add same-security inter-interface. You would be better off doing any inter-VLAN routing on the switch and only forwarding traffic to the ASA that is going outside.

You ask about commands that should not be there. I believe that these commands should not be used in the switch configuration:

1) ip route 10.0.10.0 255.255.255.0 10.0.10.1
ip route 10.0.30.0 255.255.255.0 10.0.30.1

Subnets 10 and 30 are locally connected and do not need static routes.

2) You have a helper-address configured on multiple VLAN interfaces, like this one:

ip helper-address 10.0.0.1

In each case the helper address is in the local subnet. Any DHCP request is automatically forwarded within the local subnet. You only need a helper address if the DHCP server is in a remote subnet.

HTH

Rick

blinkydamo (Level 1)

Thanks guys. Sorry for the late reply.

 

The info above was really helpful, I now have a functioning network.

Hello

Just like to add that you could allow VLAN-to-VLAN communication from the ASA instead by enabling:

same-security-traffic permit intra-interface
same-security-traffic permit inter-interface


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
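A small offline config audit, added here as an example and not part of any poster's reply: it parses constructed excerpts of the two configs posted in the question and reports the items Rick lists (static routes for connected subnets, helper-addresses inside the local subnet, same-security-level interfaces without the `same-security-traffic permit inter-interface` command Paul shows) plus the DHCP option 3 gateways that Giuseppe suggests moving to the switch SVIs. The function names are assumptions, as is the switch default route in the excerpt, which the posted config does not contain and is included only to show a static route that is not flagged.

```python
# Added audit script, not from the thread: re-checks the posted configs for the
# points raised by Giuseppe, Rick and Paul. The excerpts are constructed from the
# page's own snippets, with the single-space indentation 'show run' prints.
import ipaddress
import re

ASA_CONFIG = """\
interface GigabitEthernet1/8.10
 vlan 10
 nameif inside_10
 security-level 100
 ip address 10.0.10.1 255.255.255.0
interface GigabitEthernet1/8.20
 vlan 20
 nameif inside_20
 security-level 50
 ip address 10.0.20.1 255.255.255.0
interface GigabitEthernet1/8.30
 vlan 30
 nameif inside_30
 security-level 100
 ip address 10.0.30.1 255.255.255.0
dhcpd option 3 ip 10.0.10.1 interface inside_10
dhcpd option 3 ip 10.0.20.1 interface inside_20
dhcpd option 3 ip 10.0.30.1 interface inside_30
"""

# The default route is constructed (the posted switch config has none) to show a
# static route that is NOT flagged as redundant.
SWITCH_CONFIG = """\
interface Vlan10
 ip address 10.0.10.254 255.255.255.0
 ip helper-address 10.0.10.1
interface Vlan30
 ip address 10.0.30.254 255.255.255.0
 ip helper-address 10.0.30.1
ip route 10.0.10.0 255.255.255.0 10.0.10.1
ip route 10.0.30.0 255.255.255.0 10.0.30.1
ip route 0.0.0.0 0.0.0.0 10.0.0.1
"""


def parse_interfaces(config):
    """Collect nameif, security-level, address and helper-addresses per interface block."""
    blocks, current = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if not raw.startswith(" "):            # an unindented line ends any block
            current = raw.split(None, 1)[1] if raw.startswith("interface ") else None
            if current:
                blocks[current] = {"helpers": []}
            continue
        if current is None:
            continue
        parts = raw.split()
        if parts[0] == "nameif":
            blocks[current]["nameif"] = parts[1]
        elif parts[0] == "security-level":
            blocks[current]["level"] = int(parts[1])
        elif parts[:2] == ["ip", "address"]:
            blocks[current]["net"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif parts[:2] == ["ip", "helper-address"]:
            blocks[current]["helpers"].append(ipaddress.ip_address(parts[2]))
    return blocks

def redundant_static_routes(config):
    """Rick's point 1: static routes for subnets that are already directly connected."""
    connected = {b["net"].network for b in parse_interfaces(config).values() if "net" in b}
    routes = [l.split() for l in config.splitlines() if l.startswith("ip route ")]
    return [" ".join(p) for p in routes if ipaddress.ip_network(f"{p[2]}/{p[3]}") in connected]

def local_helper_addresses(config):
    """Rick's point 2: helper-address inside the SVI's own subnet, where no relay is needed."""
    return [(name, str(h)) for name, b in parse_interfaces(config).items()
            for h in b["helpers"] if "net" in b and h in b["net"].network]

def same_security_pairs_without_permit(config):
    """Rick and Paul: interfaces sharing a security level cannot talk to each other
    until 'same-security-traffic permit inter-interface' is configured."""
    if re.search(r"^same-security-traffic permit inter-interface$", config, re.M):
        return []
    ifaces = [(b["nameif"], b["level"]) for b in parse_interfaces(config).values()
              if "nameif" in b and "level" in b]
    return [(a, c) for i, (a, la) in enumerate(ifaces) for c, lc in ifaces[i + 1:] if la == lc]

def gateways_on_the_firewall(config):
    """Giuseppe's option a): DHCP option 3 hands out the ASA's own interface address,
    so every inter-VLAN flow hairpins through the firewall instead of the switch."""
    addr = {b["nameif"]: b["net"].ip for b in parse_interfaces(config).values()
            if "nameif" in b and "net" in b}
    hits = re.findall(r"^dhcpd option 3 ip (\S+) interface (\S+)$", config, re.M)
    return [(n, g) for g, n in hits if addr.get(n) == ipaddress.ip_address(g)]

if __name__ == "__main__":
    print("redundant routes:", redundant_static_routes(SWITCH_CONFIG))
    print("local helpers:", local_helper_addresses(SWITCH_CONFIG))
    print("same-security pairs:", same_security_pairs_without_permit(ASA_CONFIG))
    print("gateways on the ASA:", gateways_on_the_firewall(ASA_CONFIG))
```

Against these excerpts the audit flags both static routes, both helper-addresses, the inside_10/inside_30 pair (inside_20 at level 50 is not paired) and all three DHCP gateways; changing an option 3 address to the SVI's .254, or adding the same-security-traffic line, makes the corresponding finding disappear, which is a quick way to confirm a fix before pasting it into the devices.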

Thanks for the update. Glad that you now have a functioning network.

HTH

Rick