Inter-vlan routing on ASA5510

alexray92
Level 1

I would normally do this inside of the network on our switches, but we want to allow connections only from a specific IP to a specific IP on a specific port, so the only option was to do it in the ASA. I created a redundant interface on the ASA, and created two subinterfaces for two different VLANs. I created an ACL to allow connections from one VLAN to another, but it isn't routing traffic. Is there anything else I should look at? The two subinterfaces are both security level 100.

6 Replies

cadet alain
VIP Alumni

Hi,

You should permit traffic between same-security-level interfaces: same-security-traffic permit inter-interface in global config.

Regards.

Alain

Don't forget to rate helpful posts.

(Accepted Solution)

I tried that as well as intra-interface. One thing I noticed is that if I try to connect to the IP on the other VLAN, the logs say that the destination is on the "outside" interface, but the actual network is configured on the "ServiceBureau" interface.

Hi,

Can you post the ASA config?

Regards.

Alain

Don't forget to rate helpful posts.

I have to exclude some information:

: Saved
:
ASA Version 8.2(5)
!
hostname esp-asa01
domain-name xxxxx
enable password xxxxx encrypted
passwd xxxx encrypted
...
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address ComcastInterface 255.255.255.240
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.17.2.254 255.255.255.0
 management-only
!
interface Redundant1
 member-interface Ethernet0/2
 member-interface Ethernet0/3
 nameif redundant_trunk
 security-level 100
 no ip address
!
interface Redundant1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 192.168.0.252 255.255.255.0
!
interface Redundant1.2
 vlan 11
 nameif ServiceBureau
 security-level 100
 no ip address
!
interface Redundant1.3
 vlan 10
 nameif comcast
 security-level 0
 no ip address
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name espsolution.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
...
logging enable
logging buffered informational
logging trap informational
logging asdm informational
mtu outside 1500
mtu redundant_trunk 1500
mtu ServiceBureau 1500
mtu management 1500
mtu inside 1500
mtu comcast 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 192.168.0.0 255.255.255.0
access-group outside_access_in in interface outside
access-group ServiceBureau_access_in in interface ServiceBureau
access-group inside_access_in_1 in interface inside
!
router ospf 1
 router-id 192.168.0.254
 network 192.168.0.0 255.255.255.0 area 0
 area 0 authentication message-digest
 log-adj-changes
 default-information originate metric 100
!
route outside 0.0.0.0 0.0.0.0 173.160.185.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Radius protocol radius
aaa authentication ssh console Radius LOCAL
aaa authentication enable console Radius LOCAL
aaa authentication http console Radius LOCAL
aaa authentication serial console Radius LOCAL
aaa authentication telnet console Radius LOCAL
aaa authentication secure-http-client
http server enable

Hi,

I suppose you want traffic between inside and ServiceBureau to be exempted?

If so, why this?

nat (outside) 0 192.168.0.0 255.255.255.0

Could you try this instead?

nat (inside) 0 192.168.0.0 255.255.255.0

Regards.

Alain

Don't forget to rate helpful posts.

(Accepted Solution)

alexray92
Level 1

I had a route set wrong on one of the boxes, which was the last problem.  All in all, I had to do the following:

  1. Set the security level of both interfaces to the same number
  2. Create ACL for ServiceBureau (incoming), allowing access from the ServiceBureau subnet to the internal subnet
  3. Create ACL for inside (incoming), allowing access from the internal subnet to the ServiceBureau subnet
  4. Telnet to the ASA, and run "same-security-traffic permit inter-interface"
  5. Add a route to the ServiceBureau box for inside, routing to the ServiceBureau interface of the ASA
  6. Add a route to the inside box for ServiceBureau, routing to the inside interface of the ASA
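The whole fix in one place, as an added example assembled from the replies above; it is not the poster's own final config. It is ASA 8.2 syntax to match the posted version. Three things on the page feed into it: the posted Redundant1.2 carries no ip address, and an interface without an address cannot be the connected route for its subnet, which fits the log reporting the destination on outside, where the default route points; both subinterfaces sit at security-level 100, so the global same-security-traffic permit inter-interface command is required (the intra-interface variant only matters for traffic entering and leaving the same interface); and the nat (outside) 0 line names a subnet that lives on inside. The ServiceBureau subnet 192.168.11.0/24 with 192.168.11.252 on the ASA, the hosts 192.168.0.10 and 192.168.11.10, the inside-to-ServiceBureau direction, and tcp/443 are all assumptions; nothing on the page gives those values. The ACLs follow the requirement stated in the question (one source, one destination, one port) rather than the subnet-to-subnet permits in the summary, and the NAT exemption uses the access-list form, which lets either side initiate, in place of the plain identity-NAT form suggested in the reply.

```cisco
! --- ServiceBureau subinterface: the posted config has "no ip address" here.
! 192.168.11.252/24 is an ASSUMED address for the VLAN 11 subnet.
interface Redundant1.2
 vlan 11
 nameif ServiceBureau
 security-level 100
 ip address 192.168.11.252 255.255.255.0
!
! --- Both subinterfaces are security-level 100, so traffic between them
! is dropped until this global command is present.
same-security-traffic permit inter-interface
!
! --- Least-privilege ACLs for the stated requirement: one host to one host
! on one port. Hosts 192.168.0.10 / 192.168.11.10 and tcp/443 are ASSUMED.
! Return traffic is matched by the connection table, so the ServiceBureau
! side only needs permits for connections it initiates; here it gets an
! explicit deny with logging so anything else it tries shows up in syslog.
! These lines append to the existing ACLs; first match wins, so place them
! ahead of any broader permit already present.
access-list inside_access_in_1 extended permit tcp host 192.168.0.10 host 192.168.11.10 eq 443
access-list ServiceBureau_access_in extended deny ip any any log
!
! --- NAT exemption in place of nat (outside) 0: the 192.168.0.0/24 network
! is behind inside, not outside. The access-list form is bidirectional,
! so neither side needs an xlate to open a connection to the other.
no nat (outside) 0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! --- The access-groups are already applied in the posted config; shown
! here so the example is complete on its own.
access-group inside_access_in_1 in interface inside
access-group ServiceBureau_access_in in interface ServiceBureau
```

To check it from enable mode, run packet-tracer input inside tcp 192.168.0.10 12345 192.168.11.10 443; the result should end with Action: allow and an output interface of ServiceBureau, and the phase that fails (ROUTE-LOOKUP, ACCESS-LIST or NAT) tells you which of the three pieces is still missing. In show route, 192.168.11.0/24 must appear as a connected route; if it does not, the subinterface address did not take. Steps 5 and 6 of the summary still apply: each box needs a route for the peer subnet via the ASA's address on its own VLAN (192.168.0.252 for the inside box, 192.168.11.252 for the ServiceBureau box under the assumption above), and both halves of every connection must cross the ASA, because a stateful firewall that sees only one direction of a TCP conversation drops it.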