05-22-2018 12:25 PM - edited 03-08-2019 03:06 PM
Hello,
I'm having trouble with a simple network on my ASA 5505
I have 2 VLANs: inside, outside
vlan1 has network 192.168.1.0 255.255.255.0
vlan2 has network 192.168.2.0 255.255.255.0
Gateway IP: 192.168.2.200
Interfaces are connected like:
Router -> VLAN vlan2 -> Firewall -> VLAN (vlan1, vlan2)
If I connect something to VLAN vlan2 it works, but if I connect to vlan1 it can reach only the vlan1 devices, not the vlan2 devices.
I tried setting both to Security level 0, enabling the traffic on same security level and same interface.
I also tried to create a route from 192.168.1.0/24 to 192.168.2.200, but nothing.
How should I do this?
Maybe I'm misunderstanding how the route works...
When I do a ping, this is what I see:
6 May 22 2018 21:37:14 192.168.1.4 28322 192.168.2.202 0 Built inbound ICMP connection for faddr 192.168.1.4/28322 gaddr 192.168.2.202/0 laddr 192.168.2.202/0
05-22-2018 01:05 PM
Hi,
Did you add "same-security-traffic permit inter-interface" or "same-security-traffic permit intra-interface" when you tried putting them at the same security level?
HTH,
Meheretab
05-22-2018 01:12 PM
05-22-2018 02:24 PM
Hello,
Post the config of your ASA. You are probably missing something small.
05-22-2018 07:12 PM
Hi,
Did you try to establish any other traffic besides ICMP, like telnet or SSH? ICMP packets can sometimes be tricky for testing connectivity through a firewall, even with the features you have already tried.
By default ICMP is not monitored by the firewall, so even though ICMP packets can traverse from inside to outside, the return traffic will be dropped at the outside interface. Without changing the default security levels, try allowing ICMP at the outside interface, or you can simply enable telnet or SSH on the router and try accessing it from an inside host. For TCP to work you don't need to create any ACLs, since this is monitored and allowed by the firewall from a higher to a lower security interface.
You can try debugging the router to make sure if the traffic sourced from inside is reaching it.
The other firewall utility I would suggest using is packet-tracer; the syntax is below:
packet-tracer input inside tcp x.x.x.x 23456 x.x.x.x 22 (replace "inside" with whatever name you are using for your source interface)
This will tell you whether the traffic is allowed or not, and if not, where it is getting blocked.
Hope this helps.
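As an added example, not from the original thread and not the poster's own config: a minimal ASA configuration for the two-VLAN topology described in the question, with the ICMP handling and packet-tracer checks suggested in the replies above. The ASA interface addresses (192.168.1.1 and 192.168.2.1), the interface names, and 192.168.2.200 as the default gateway are assumptions. It also includes one check the thread does not mention: the devices on vlan2 (or the router at .200) need a return route to 192.168.1.0/24 via the ASA, or the replies never come back regardless of the firewall policy.

```cisco
! Assumed addressing: the ASA holds .1 on each VLAN; 192.168.2.200 is the upstream router.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
! Both /24s are directly connected, so no static route is needed between them.
! Only traffic for other networks goes to the router as default gateway.
route outside 0.0.0.0 0.0.0.0 192.168.2.200 1
!
! Option A: stateful ICMP inspection, so echo-replies are matched to the
! "Built inbound ICMP connection" entry instead of being dropped on the
! lower-security interface.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option B (instead of A): explicitly permit echo-replies inbound on outside.
access-list outside_in extended permit icmp any any echo-reply
access-group outside_in in interface outside
!
! Only needed if both interfaces are deliberately kept at the same security level:
same-security-traffic permit inter-interface
!
! Verification: ICMP echo (type 8, code 0) and TCP/22 from an inside host
! to a vlan2 device; the output shows the phase that drops the packet, if any.
packet-tracer input inside icmp 192.168.1.4 8 0 192.168.2.202
packet-tracer input inside tcp 192.168.1.4 23456 192.168.2.202 22
show conn
!
! Assumed check on the vlan2 side (router or host), not an ASA command:
! a route for 192.168.1.0/24 pointing at 192.168.2.1 must exist there.
```

Use either option A or option B, not both; option A is the one that makes the ICMP state visible in `show conn`. If packet-tracer reports "allow" on both interfaces and the ping still fails, the missing piece is on the vlan2 side (the return route), not on the ASA.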
05-22-2018 11:33 PM
Hi,
For 2 VLANs to communicate with each other there needs to be a router!
Does the FTD work in routed mode or transparent?
If it's in routed mode you need to bridge these 2 VLANs.
Each Layer 3 routed interface (or subinterface) requires an IP address on a unique subnet. You would typically attach these interfaces to switches, a port on another router, or to an ISP/WAN gateway.
You can assign a static address, or you can obtain one from a DHCP server. However, if the DHCP server provides an address on the same subnet as a statically-defined interface on the device, the system will disable the DHCP interface. If an interface that uses DHCP to get an address stops passing traffic, check whether the address overlaps the subnet for another interface on the device.
A bridge group is a group of interfaces that the Firepower Threat Defense device bridges instead of routes. Bridged interfaces belong to a bridge group, and all interfaces are on the same network. The bridge group is represented by a Bridge Virtual Interface (BVI) that has an IP address on the bridge network.
You can route between routed interfaces and BVIs, if you name the BVI. In this case, the BVI acts as the gateway between member interfaces and routed interfaces. If you do not name the BVI, traffic on the bridge group member interfaces cannot leave the bridge group. Normally, you would name the interface so that you can route member interfaces to the Internet.
One use for a bridge group in routed mode is to use extra interfaces on the Firepower Threat Defense device instead of an external switch. You can attach endpoints directly to bridge group member interfaces. You can also attach switches to add more endpoints to the same network as the BVI.
You can configure both IPv6 and IPv4 addresses on a routed interface or BVI. Make sure you configure a default route for both IPv4 and IPv6. You do not configure addresses on bridge group member interfaces.