Solved: Re: Unable to communicate between vlans on ASA 5505 and Catalyst

remitprosupport · ‎10-29-2010

Hello all,

I have an ASA 5505 firewall connected by a trunk port to a Catalyst 2960. Vlans have been configured and assigned to interfaces on the firewall, and trunk ports configured on both the firewall and the switch. I believe it's configured correctly, because the switch sees the vlans I configured from the firewall.

I also have two windows computers, each connected to switchports confgured for two of the vlans. I can ping the gateway interface (the IP assigned to the vlan at the firewall) successfully from either host. These hosts are located on the soa net, as 192.168.150.100 on switchport 1 and it-dev net, as 192.168.200.100 on switchport 15. Both host's firewalls are turned off.

Thinking I'd configured everything correctly, I attempted to send pings from one host to another, expecting to see deny messages in the live log. Strangely, one of the hosts gets deny messages, and the other gets no deny and the connection shows as opened, but niether host received a reply. Same-security inter and infra-interface is enabled. Even when I create global ICMP rules on the firewall or create ICMP ACL's assigned to the destination interface, this behavior persists.

I also tried telnetting to port 445 from each host to the other, and the host that had it's ping connection opened was able to connect, and the other simply got deny messages.

With same-security inter-interface disabled, either host attempting to telnet to the other generates an "Inbound TCP connection denied..." message in the live log.

The questions I have are:

1. Is enabling same-security inter-interface supposed to be a blanket allow for inter-vlan communication when trunked like this is?

2. Why would one interface, when both interfaces are vlans assigned to the same physical interface and configured the same, be allowed to create connections on the firewall and another not?

3. Why when can I not get a reply back for the connections that are opened?

3. Why would ICMP rules still not allow the traffic through?

I've included the configs for the firewall and the switch. I would really appreciate any help, since I've been banging away at this for days and can't figure out what's wrong with this setup.

ASA Version 8.2(3)
!
hostname officefw1
enable password XXXX encrypted
passwd XXXX encrypted
names
dns-guard
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 50
!
interface Ethernet0/2
switchport trunk allowed vlan 100,125,150,200
switchport trunk native vlan 999
switchport mode trunk
!
interface Ethernet0/3
switchport access vlan 250
!
interface Ethernet0/4
switchport access vlan 251
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
shutdown
nameif inside
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan50
nameif dmz
security-level 10
ip address 192.158.50.1 255.255.255.0
!
interface Vlan100
nameif infrastructure
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan125
nameif voip
security-level 100
ip address 192.168.125.1 255.255.255.0
!
interface Vlan150
nameif soa
security-level 100
ip address 192.168.150.1 255.255.255.0
!
interface Vlan200
nameif it-dev
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Vlan250
nameif systems
security-level 100
ip address 192.168.250.1 255.255.255.0
!
interface Vlan251
nameif management
security-level 100
ip address 192.168.251.1 255.255.255.0
!
interface Vlan999
no nameif
no security-level
no ip address
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns domain-lookup management
dns domain-lookup systems
dns domain-lookup infrastructure
dns domain-lookup voip
dns domain-lookup soa
dns domain-lookup it-dev
dns server-group DefaultDNS
name-server 68.105.28.12
name-server 68.105.29.11
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service test445 tcp
port-object eq 445
access-list it-dev_access_in extended permit icmp any any inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu systems 1500
mtu dmz 1500
mtu infrastructure 1500
mtu voip 1500
mtu soa 1500
mtu it-dev 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group it-dev_access_in in interface it-dev
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.251.0 255.255.255.0 management
http 192.168.250.0 255.255.255.0 systems
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.250.0 255.255.255.0 systems
telnet timeout 5
ssh 192.168.250.0 255.255.255.0 systems
ssh timeout 5
console timeout 0
management-access management
dhcpd auto_config outside
!
dhcpd address 192.168.125.10-192.168.125.30 voip
dhcpd dns 68.15.28.11 68.105.29.12 interface voip
dhcpd enable voip
!
dhcpd address 192.168.150.10-192.168.150.30 soa
dhcpd dns 68.105.28.12 68.105.29.11 interface soa
dhcpd enable soa
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 198.123.30.132 source outside prefer
webvpn
anyconnect-essentials
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

version 12.2
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname officesw1
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXX
!
!
!
no aaa new-model
switch 1 provision ws-c2960s-24ts-l
authentication mac-move permit
ip subnet-zero
!
!
!
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
enrollment selfsigned
serial-number
revocation-check none
rsakeypair HTTPS_SS_CERT_KEYPAIR
!
!
crypto pki certificate chain HTTPS_SS_CERT_KEYPAIR
certificate self-signed 01
<snipped for space>
quit
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
ip address 192.168.251.10 255.255.255.0
!
interface GigabitEthernet1/0/1
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/21
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
switchport trunk native vlan 999
switchport trunk allowed vlan 100,125,150,200
switchport mode trunk
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
shutdown
!
interface Vlan150
no ip address
!
interface Vlan200
no ip address
!
no ip http server
ip http secure-server
ip sla enable reaction-alerts
!
!
line con 0
line vty 0 4
password 7 XXXX
login
line vty 5 15
password 7 XXXX
login
!
end

Collin Clark · ‎10-29-2010

remitprosupport wrote:

Collin,

After more carefully reading through the doc here:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1044006

Evidently you can't create subinterfaces on the FE ports on a 5505, only on ASA's with GB ports. So it appears I do have to create VLAN's and assign them to switch ports.

For your reply, I do have 4 vlans assigned to ethernet 0/2. Are you saying I must only have one vlan assigned to each interface? If that's the case, why would the ASA allow you assign multiple vlans to the same interface?

Thanks,

Dan

Forgot about that GB only, I don't work with 5505s too much, so I don't run into it. You must have only 1 VLAN assigned to a physical port and not trunk. I would assume it allows you to configure for feature parity between hardware platforms, just it doesn't work on the 5505.

View solution in original post

Collin Clark · ‎10-30-2010

Dan-

Using same-security isn't bad. If you set all the interfaces to the same security level, they can communicate without a NAT configuration. Access is still controlled through an ACL applied to the interface. If you prefer you could NAT the entire subnet or just the host or NAT 0 the subnets. All 3 accomplish the same thing, it's just a mattter of preference (again).

View solution in original post

Collin Clark · ‎10-29-2010

The ASA is configured a little different than other devices. Instead of trunking the VLANs to the ASA and then creating the VLAN interface, you trunk an interface and create sub-interfaces below it for each individual VLAN.

For example-

interface Ethernet0/2.100
nameif infrastructure
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2.125
nameif voip
security-level 100
ip address 192.168.125.1 255.255.255.0
!
interface Ethernet0/2.150
nameif soa
security-level 100
ip address 192.168.150.1 255.255.255.0
!
interface Ethernet0/2.200
nameif it-dev
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/2.250
nameif systems
security-level 100
ip address 192.168.250.1 255.255.255.0

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/intrface.html

Hope it helps.

remitprosupport · ‎10-29-2010

Collin,

So if I create the subinterfaces, where do I assign the vlans? Do they stay assigned to the parent interface, or assigned to individual sub-interfaces?

Thanks,

Dan

Collin Clark · ‎10-29-2010

The layer 2 vlan does not exist on the ASA only the layer 3 interface.

Collin Clark · ‎10-29-2010

It's just like a router on a stick if you're familiar with that.

remitprosupport · ‎10-29-2010

Collin,

Thanks for the replies. I'm familiar with the concept, but I'm confused by what Cisco's docs say about how to set up the ASA. We currently have PIX's, and they're pretty straight-forward, but Cisco's docs for the ASA said to create vlans at the firewall, and assign switchports to those vlans. I have to think there's some credence to that because I can ping the addresses assigned to the vlans at the firewall.

I'm also having trouble creating a subinterface on our 5505. I try the following command from config mode, and I get this:

officefw1(config)# interface ethernet 0/2.100
                             ^
ERROR: % Invalid input detected at '^' marker.

Thanks!

Dan

remitprosupport · ‎10-29-2010

Apologies in advance. The carat under the "e" in ethernet got moved by the forum's quote.

Thanks,

Dan

Collin Clark · ‎10-29-2010

With most things, there are more than one way to skin a cat. You can create a VLAN

then assign it to an interface.

Ethernet0/2

switchport access vlan 100

interface vlan 100

ip address 192.168.100.254 netmask 255.255.255.0

That does the same as the sub-interface. You don't trunk the physical port so you will use a physical port for each vlan! When you trunk, you ger the advantage of multiple VLANs on a single physical interface, but you lose the vlan interface configuration like above. Both work fine it's just a matter of ports (and preference).

remitprosupport · ‎10-29-2010

Collin,

Thanks again. I do appreciate the help, so please forgive me if I'm not understanding.

Your suggestion of

Ethernet0/2

switchport access vlan 100

interface vlan 10.

ip address 192.168.100.254 netmask 255.255.255.0

is exactly how I have my other "non-trunk" ports configured. For my trunk port, I have to allow 4 vlans to traverse the trunk to the switch.

So are you saying I need to take my trunk port out of trunk mode? If it helps, here's the config of the port, and a list of vlans and how they're assigned at the firewall:

interface Ethernet0/2
switchport trunk allowed vlan 100,125,150,200
switchport trunk native vlan 999
switchport mode trunk

VLAN Name                    Status      Ports
---- -------------------------------- ---------      -----------------------------
1    inside                        down      Et0/5, Et0/6, Et0/7
2    outside                      down      Et0/0
50   dmz                          down      Et0/1
100 infrastructure             up          Et0/2
125 voip                          up          Et0/2
150 soa                          up          Et0/2
200 it-dev                        up          Et0/2
250 systems                   down      Et0/3
251 management             up          Et0/4
999 -                               up          Et0/2

Thanks,

Dan

Collin Clark · ‎10-29-2010

I hope I can clarify this. Your current config (for your original post) you are trunking on a physical port. If you want to trunk the port, then you have to use the sub-interfaces. If you want to use VLAN interfaces, like in your original post, you will need to have one physical interface in each VLAN on your ASA.

1. Trunking Physical interfaces=sub-interface configuration

2. Access Physical interfaces=vlan interface configuration

You're trying to trunk physical and create vlan interfaces; first half of #1 and second half of the #2 equation. You must follow #1 or #2 completely.

Does that help or make it worse :-)

remitprosupport · ‎10-29-2010

Collin,

After more carefully reading through the doc here:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1044006

Evidently you can't create subinterfaces on the FE ports on a 5505, only on ASA's with GB ports. So it appears I do have to create VLAN's and assign them to switch ports.

For your reply, I do have 4 vlans assigned to ethernet 0/2. Are you saying I must only have one vlan assigned to each interface? If that's the case, why would the ASA allow you assign multiple vlans to the same interface?

Thanks,

Dan

Collin Clark · ‎10-29-2010

remitprosupport wrote:

Collin,

After more carefully reading through the doc here:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1044006

Evidently you can't create subinterfaces on the FE ports on a 5505, only on ASA's with GB ports. So it appears I do have to create VLAN's and assign them to switch ports.

For your reply, I do have 4 vlans assigned to ethernet 0/2. Are you saying I must only have one vlan assigned to each interface? If that's the case, why would the ASA allow you assign multiple vlans to the same interface?

Thanks,

Dan

Forgot about that GB only, I don't work with 5505s too much, so I don't run into it. You must have only 1 VLAN assigned to a physical port and not trunk. I would assume it allows you to configure for feature parity between hardware platforms, just it doesn't work on the 5505.

remitprosupport · ‎10-29-2010

Collin,

After yet more research, I've found that in order to allow inter-vlan communication I have to either NAT every service, or use same-security inter-interface. The downside to the latter is that all traffic is permitted. I've got more questions on that topic, but I'll post in another thread.

Thanks for your help.

Collin Clark · ‎10-30-2010

Dan-

Using same-security isn't bad. If you set all the interfaces to the same security level, they can communicate without a NAT configuration. Access is still controlled through an ACL applied to the interface. If you prefer you could NAT the entire subnet or just the host or NAT 0 the subnets. All 3 accomplish the same thing, it's just a mattter of preference (again).

remitprosupport · ‎10-30-2010

Collin,

I posted this question in the firewalling forum, but if you could give me your opinion as well I'd greately appreciate it. At this point I'm able to communication between vlans but can't seem to filter it using ACL's.

To test whether I'm doing this correctly, I created a service group on my firewall with all of the TCP/UDP ports necessary for Active Directory authentication (as I would need when this is in prod...). Then I created a rule allowing traffic using this service group from a vlan interface network named "soa" (192.168.150.0/24) to another named "infrastructure" (192.168.100.0/24).The only other inbound rule in place is the implicit deny there by default.

I then used the packet tracer, specifying "soa" as the source interface, a source address on the "soa" network, and the destination address on "infrastructure". The destination port is TCP 139, which is in the service group I created. This passes through the firewall just fine. I then use packet tracer to fire off another test, using the same interface, source and destination IP, and this time TCP port 22, which is _not_ in the service group, and it also passes. If I'm understanding this correctly, shouldn't the test for port 22 have been blocked? I'm also baffled by the output of packet tracer for these tests. When I click on the link that shows which rule allowed the traffic, it points to the implicit deny rule in place on the source (soa) interface. Why would an implicit deny _allow_ traffic through the firewall?

I'm providing an updated firewall config below. Please let me know if there's any more information you need from me.

Many thanks in advance,

Dan

ASA Version 8.2(3)
!
hostname officefw1
enable password XXXX encrypted
passwd XXXX encrypted
names
dns-guard
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 50
!
interface Ethernet0/2
switchport trunk allowed vlan 100,125,150,200
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/3
switchport access vlan 250
!
interface Ethernet0/4
switchport access vlan 251
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
shutdown
nameif inside
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan50
nameif dmz
security-level 10
ip address 192.158.50.1 255.255.255.0
!
interface Vlan100
nameif infrastructure
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan125
nameif voip
security-level 100
ip address 192.168.125.1 255.255.255.0
!
interface Vlan150
nameif soa
security-level 100
ip address 192.168.150.1 255.255.255.0
!
interface Vlan200
nameif itdev
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Vlan250
nameif systems
security-level 100
ip address 192.168.250.1 255.255.255.0
!
interface Vlan251
nameif management
security-level 100
ip address 192.168.251.1 255.255.255.0
!
interface Vlan999
no nameif
no security-level
no ip address
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns domain-lookup management
dns domain-lookup systems
dns domain-lookup infrastructure
dns domain-lookup voip
dns domain-lookup soa
dns server-group DefaultDNS
name-server 68.105.28.12
name-server 68.105.29.11
same-security-traffic permit inter-interface
object-group service WindowsShares
description Ports necessary to access Windows network shares.
service-object tcp range 135 netbios-ssn
service-object tcp eq 445
service-object udp range 135 139
service-object udp eq 445
object-group service ActiveDirectoryAuth
description Ports necessary for Active Directory authentication.
service-object tcp eq 1025
service-object tcp eq 1026
service-object tcp eq 135
service-object tcp eq 445
service-object tcp eq domain
service-object tcp eq ldap
service-object tcp eq netbios-ssn
service-object udp eq 88
service-object udp eq domain
service-object udp eq netbios-dgm
service-object udp eq netbios-ns
object-group service NetworkPrinting
description Ports necessary for network printing.
service-object tcp eq 9100
object-group network SOA_DHCP_Pool_Members
network-object host 192.168.150.10
network-object host 192.168.150.11
network-object host 192.168.150.12
network-object host 192.168.150.13
network-object host 192.168.150.14
network-object host 192.168.150.15
network-object host 192.168.150.16
network-object host 192.168.150.17
network-object host 192.168.150.18
network-object host 192.168.150.19
network-object host 192.168.150.20
network-object host 192.168.150.21
network-object host 192.168.150.22
network-object host 192.168.150.23
network-object host 192.168.150.24
network-object host 192.168.150.25
network-object host 192.168.150.26
network-object host 192.168.150.27
network-object host 192.168.150.28
network-object host 192.168.150.29
network-object host 192.168.150.30
access-list infrastructure_access_in remark Allow SOA network to auth to AD domain.
access-list infrastructure_access_in extended permit object-group ActiveDirectoryAuth 192.168.150.0 255.255.255.0 192.168.100.0 255.255.255.0 log notifications
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu systems 1500
mtu dmz 1500
mtu infrastructure 1500
mtu voip 1500
mtu soa 1500
mtu itdev 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group infrastructure_access_in in interface infrastructure
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.251.0 255.255.255.0 management
http 192.168.250.0 255.255.255.0 systems
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.250.0 255.255.255.0 systems
telnet timeout 5
ssh 192.168.250.0 255.255.255.0 systems
ssh timeout 5
console timeout 0
management-access management
dhcpd auto_config outside
!
dhcpd address 192.168.125.10-192.168.125.30 voip
dhcpd dns 68.15.28.11 68.105.29.12 interface voip
!
dhcpd address 192.168.150.10-192.168.150.30 soa
dhcpd dns 68.105.28.12 68.105.29.11 interface soa
dhcpd enable soa
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 198.123.30.132 source outside prefer
webvpn
anyconnect-essentials
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:3960e4c529ccd86bddffb17268b7b370

Unable to communicate between vlans on ASA 5505 and Catalyst 2960