02-02-2012 01:12 PM - edited 03-07-2019 04:42 AM
I'm having an issue routing between vlans. I have vlan 1, and 2. I want to ping something on vlan 2, from vlan 1. I cannot ping from a computer on vlan 1 to a computer on vlan 2. I can ping each computer from the ASA 5505. I get an error on the ASA when I try to ping from the computers. The error is Failed to locate egress interface for UDP from voice:192.168.0.199/137 to 192.168.1.200/137. I can't understand why it even mentions IP 192.168.1.200/137... I reset the unit configuring it from scratch and still no go. I have not given a static route to the outside yet.. I need to get inter-vlan routing working first.
Here is my ping from the router pinging computers on both sides...
asa5505(config)# ping 192.168.0.199
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.199, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
asa5505(config)# ping 192.168.10.199
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.199, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Below is my config
Result of the command: "show run"
: Saved
:
ASA Version 8.2(2)
!
hostname asa5505
domain-name domain.local
enable password encrypted
passwd encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.105 255.255.255.0
!
interface Vlan2
nameif voice
security-level 100
ip address 192.168.0.90 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address 74.95.178.221 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
icmp permit any voice
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (voice) 1 interface
nat (inside) 101 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:46c213dece9444eb2ac7fdec0c2348a0
: end
02-02-2012 02:51 PM
You are trying to pass traffic between same security interfaces (both sec level 100).
Try the global command:
same-security-traffic permit inter-interface
Your error is a red herring I believe, just some Netbios 'noise'
hth
Bikespace
02-02-2012 03:53 PM
Can you do a source ping and share the result?
Anton
Sent from Cisco Technical Support iPad App
02-02-2012 05:21 PM
@integreon show ip route isn't a valid cmd in asa/pix os.
02-02-2012 06:20 PM
No Joe,
I'm talking about source ping. See below (try to ping the Vlan2 system IP from the Vlan1 interface).
Firewall# ping
Interface: Vlan1
Target IP address: 109.168.0.199
02-03-2012 05:13 AM
Integreon, I'm not doing a source ping correctly.. When I try, below is what I get.. I experimented but I'm not sure what to say for repeat, byte size, pattern, etc.
asa5505(config)# ping
Interface: vlan1
% Bad interface name
Not enough arguments.
Usage: ping [if_name]
[timeout
02-02-2012 05:18 PM
bikespace, I did what you asked, still no dice.. Below is my current config... I exempted the networks from NAT altogether, and just in case you are wondering, yes it is a Security Plus model.
: Saved
:
ASA Version 8.2(2)
!
hostname asa5505
domain-name domain.local
enable password encrypted
passwd encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.105 255.255.255.0
!
interface Vlan2
nameif voice
security-level 100
ip address 192.168.0.90 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address IP REMOVED 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
icmp permit any voice
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.10.0 255.255.255.0
nat (voice) 0 access-list nonat
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7e90697f4cd43564ea930e25078d9cf6
: end
02-02-2012 06:42 PM
I think you need to create subinterfaces to provide inter-VLAN communications, or configure IP addresses on the interfaces directly, not on the VLAN interfaces.
Hope this helps
Eugen
02-02-2012 07:46 PM
Hi,
Try to ping by adding 'inspect icmp' under class inspection_default.
If you still experience issues, enable 'debug icmp trace' on the ASA and initiate a ping from A-->B. Post the outputs.
hth
MS
02-03-2012 05:26 AM
@mvsheik123 I enabled debug but when doing ping or tracert I do not see any debug info in terminal or in the ASA traffic monitor.
@eugen barticel, you can't create subinterfaces on an ASA 5505. You create vlans and assign access to switch ports. I believe on the 5510 and higher sub-interfaces are possible/typical. On the 5505 router-on-a-stick is not possible. Either way, if I did router-on-a-stick on the ASA I'd still be at an impasse because I can't get whatever access or nat rules ironed out.
02-03-2012 05:56 AM
Simply add these commands and your vlans will be able to communicate with one another:
Int vlan2
security-level 99
!
Exit
!
static (inside,voice) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (voice,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
!
End
The vlan change is for voice to be able to use the outside interface to get out to the Internet. The other two statics are so each network can communicate with one another.
Sent from Cisco Technical Support iPhone App
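The two replies above (Bikespace's same-security-level point and Mark Lange's identity statics) each name a config condition that blocks traffic between two ASA 8.2 interfaces. The checker below is an added example, not code from the thread or from Cisco: it parses a constructed excerpt modelled on the posted show run, and reports, for a given interface pair, whether equal security levels lack same-security-traffic permit inter-interface and whether a dynamic nat on the source interface has neither a NAT exemption, an identity static, nor a matching global on the egress interface. Interface names and levels come from the posted config; the excerpt contents and the function names are assumptions.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the first "show run" posted in the thread
# (nameif values, security levels and the nat/global lines as posted, rest trimmed).
ORIGINAL_CFG = """
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif voice
 security-level 100
interface Vlan3
 nameif outside
 security-level 0
global (outside) 101 interface
global (voice) 1 interface
nat (inside) 101 0.0.0.0 0.0.0.0
"""

# Same excerpt with the additions suggested in the replies (constructed).
FIXED_CFG = ORIGINAL_CFG + """
same-security-traffic permit inter-interface
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (voice) 0 access-list nonat
"""

def parse_interfaces(cfg: str) -> Dict[str, int]:
    """Map each nameif to its security-level from the interface blocks."""
    levels, name = {}, None
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            name = None                      # new block, nameif not yet seen
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels

def audit_pair(cfg: str, a: str, b: str) -> List[str]:
    """Findings that would stop a->b traffic on an 8.2-style config."""
    levels, out = parse_interfaces(cfg), []
    if a in levels and levels[a] == levels.get(b) and \
            "same-security-traffic permit inter-interface" not in cfg:
        out.append(f"{a}/{b}: equal security-level {levels[a]} without "
                   "'same-security-traffic permit inter-interface'")
    # NAT between a and b is handled by an exemption or an identity static;
    # otherwise each dynamic nat ID on a needs a global with that ID on b.
    exempt = re.search(rf"^nat \({a}\) 0 access-list", cfg, re.M)
    ident = re.search(rf"^static \({a},{b}\) (\S+) \1 netmask", cfg, re.M)
    if not (exempt or ident):
        for m in re.finditer(rf"^nat \({a}\) (\d+) ", cfg, re.M):
            nid = m.group(1)
            if nid != "0" and not re.search(rf"^global \({b}\) {nid} ", cfg, re.M):
                out.append(f"{a}->{b}: nat id {nid} has no global ({b}) {nid} "
                           "and no NAT exemption or identity static")
    return out
```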
02-03-2012 06:48 AM
@Mark Lange, I tried that, still no dice. Below is my current config..
Result of the command: "show run"
: Saved
:
ASA Version 8.2(2)
!
hostname asa5505
domain-name churchill.local
enable password 8FqdnUfqQih2Ylyn encrypted
passwd KlmFcak5WfQtJl2w encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.105 255.255.255.0
!
interface Vlan2
nameif voice
security-level 99
ip address 192.168.0.90 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address 74.95.178.221 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name churchill.local
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu voice 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any voice
icmp permit any echo-reply outside
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,voice) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (voice,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:10233ade57c99bd6286acbcedb7269b9
: end
02-03-2012 12:42 PM
Ok, I got my issue resolved with Cisco TAC support's assistance.. It was NOT an issue with my config, it was an issue with my systems and their routing tables. After tracing back the issue there I was able to resolve the communication issue inter-vlan, and the egress error about the 192.168.1.X network.
The one issue I have left is that I need to route some traffic in one direction, and the other traffic to another..
To explain further I have the two networks listed as above. Those networks are 192.168.10.X and 192.168.0.X. The 10 network is the data, and the 0 is the voice. I set a route of last resort and the data network can get to the Internet. As Boilermaker85 pointed out, my voice network does NOT need to get to the Internet through the ASA.
However now that inter-vlan communication is working and connected routes will take precedence over static routes.. I need to route all traffic on the voice (192.168.0.X) network to 192.168.0.1.. I want to keep the ASA as the voice network's gateway rather than adding a route to the 192.168.10.X network on 192.168.0.1, which is actually proper... Can I do that on the ASA? I was told by Cisco, not to do it that way..
Below are my routes on the ASA
Gateway of last resort is 10.1.10.1 to network 0.0.0.0
C 192.168.10.0 255.255.255.0 is directly connected, inside
C 10.1.10.0 255.255.255.0 is directly connected, outside
C 192.168.0.0 255.255.255.0 is directly connected, voice
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.10.1, outside
02-03-2012 06:01 PM
Good to hear that your main problem is fixed.
For the other one about voice, I think that the ASA will introduce latency for voice packets; it can be done but it is lots of fine-tuning and changing some defaults.
Maybe this info will help
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_voicevideo.html
Eugen