
Allow traffic between interfaces

itsupport
Level 1

I have spent the last few hours reading different documents but I am still coming up empty-handed.

I've got an ASA 5525; it has an inside interface and sits at 10.33.1.1.

I defined a logical interface with VLAN tag 3364 -- it sits at 10.33.64.1 (this will be for our wifi clients).

Both have security set to 100.

I set:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

However, a client at 10.33.1.5 cannot ping 10.33.64.1 and vice versa.

I've tried access rules, NAT rules & messing with PAT settings but not sure what I'm missing.

I attached a sanitized config & removed stuff around our VPN tunnel & other authentication. Any help would be much appreciated


Reza Sharifi
Hall of Fame

Don't add IP to the main interface. Try both vlans using sub-interfaces

Try this:

interface GigabitEthernet0/2
 description Inside interface
 nameif inside
 no sh
!
interface GigabitEthernet0/2.100
 vlan 100
 nameif vlan100
 security-level 100
 ip address 10.33.64.1 255.255.255.0
!
interface GigabitEthernet0/2.200
 vlan 200
 nameif vlan200
 security-level 100
 ip address 10.33.1.1 255.255.255.0

and try pinging from one to the other.

HTH

I did the following to make sure I don't accidentally lock myself out...

interface GigabitEthernet0/2
 description Inside interface
 nameif inside
 security-level 100
 ip address 10.33.1.1 255.255.255.0
!
interface GigabitEthernet0/2.100
 vlan 100
 nameif vlan100
 security-level 100
 ip address 10.33.64.1 255.255.255.0
!
interface GigabitEthernet0/2.200
 vlan 200
 nameif vlan200
 security-level 100
 ip address 10.33.2.1 255.255.255.0

packet-tracer input vlan100 icmp 10.33.64.1 8 5 5 10.33.2.1 xml
....
drop
(no-route) No route to host

We never had any vlans defined beforehand on this firewall -- if I'm adding them now does it require that I now specify a vlan on every interface?

It would just be helpful to still be able to use the native vlan because the switches underneath this ASA don't have switchport access vlan configured on any of their ports.

interface GigabitEthernet0/2
 description Inside interface
 nameif inside (not recommended for sub interfaces)
 security-level 100 (not recommended for sub interfaces)
 ip address 10.33.1.1 255.255.255.0   (not recommended for sub interfaces)
!
interface GigabitEthernet0/2.100
 vlan 100
 nameif vlan100
 security-level 100
 ip address 10.33.64.1 255.255.255.0
!
interface GigabitEthernet0/2.200
 vlan 200
 nameif vlan200
 security-level 100
 ip address 10.33.2.1 255.255.255.0

Also check

FW GigabitEthernet0/2 connected to switch must be in trunk allowed vlan 200, 100

Jawad

Is there any way to make one of the sub-interfaces use the native VLAN? I tried setting the VLAN to 1 but it didn't work.

Hi,

On the ASA the native VLAN is taken care of on the main physical interface.

Regards

Alain

Don't forget to rate helpful posts.

Put the following command on the router under the sub-interface you want to use for the native VLAN.

#encapsulation dot1Q 1 native

On the switch, if you have a native VLAN other than VLAN 1, configure the same VLAN on the router to be the native VLAN by using the above command.

I was able to get this working the way I needed it to:

interface GigabitEthernet0/2
 description Inside interface
 nameif inside
 security-level 100
 ip address 10.33.1.1 255.255.255.0
!
interface GigabitEthernet0/2.64
 vlan 64
 nameif WiFi
 security-level 100
 ip address 10.33.64.1 255.255.255.0
!
nat (inside,any) source static obj-10.33.1.0 obj-10.33.1.0 destination static obj-10.33.64.0 obj-10.33.64.0 no-proxy-arp

Thanks for the help
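
An added example, not part of the thread and not Cisco tooling: a short Python audit over ASA-style configuration text that reports which named interfaces share a security level, whether `same-security-traffic permit inter-interface` lets them exchange traffic, and which sub-interfaces have no `vlan` line. The function names, finding labels and sample configuration are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample, modelled on the final configuration posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.33.1.1 255.255.255.0
!
interface GigabitEthernet0/2.64
 vlan 64
 nameif WiFi
 security-level 100
 ip address 10.33.64.1 255.255.255.0
!
same-security-traffic permit inter-interface
"""

def parse_interfaces(config):
    """Collect nameif, security-level and vlan for each interface block."""
    interfaces, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            current = interfaces.setdefault(m.group(1), {})
        elif line == "!":
            current = None  # "!" closes the interface block
        elif current is not None and (
                m := re.match(r"(nameif|security-level|vlan) (\S+)$", line)):
            current[m.group(1)] = m.group(2)
    return interfaces

def audit(config):
    """Return findings as (kind, first, second) tuples."""
    interfaces = parse_interfaces(config)
    permitted = re.search(r"^\s*same-security-traffic permit inter-interface\s*$", config, re.M)
    findings = []
    named = [i for i in interfaces.values() if "nameif" in i]
    for i in named:
        # ASA default with no security-level line: 100 for the name "inside", else 0.
        i.setdefault("security-level", "100" if i["nameif"] == "inside" else "0")
    for a, b in combinations(named, 2):
        if a["security-level"] == b["security-level"]:
            kind = "same-level-permitted" if permitted else "same-level-blocked"
            findings.append((kind, a["nameif"], b["nameif"]))
    for name, i in interfaces.items():
        if "." in name and "vlan" not in i:
            findings.append(("subinterface-without-vlan", name, None))
    return findings
```

A `same-level-permitted` pair is one where the ASA forwards traffic between the two networks without requiring an access list, which is worth reviewing when one side is a wireless segment.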
