05-22-2008 03:23 PM - last edited on 03-25-2019 05:40 PM by ciscomoderator
Greetings, in response to a similar post, I'm currently suffering from the above as depicted in the attached diagram and the config below.
Now I'm fully aware that Cisco suggests not using the ASA for inter-VLAN routing, but traffic between subnets is minimal and I don't have access to an L3 switch.
As you can see, when I try to move traffic between subnets, which are all directly connected networks, I receive the above message. All sub-interfaces are configured on e0/1, which is connected to a trunk port on a 2960G.
I can ping devices on all subnets from the ASA, and from the switch within my own VLAN; I'm just baffled as to why, when pointing my laptop at the ASA inside interface for the particular subnet, it can't find a destination for the packet.
Any help would be greatly appreciated.
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address ***.**.***.** 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
no ip address
!
interface Ethernet0/1.101
vlan 101
nameif access
security-level 100
ip address 172.29.255.1 255.255.255.0
!
interface Ethernet0/1.102
vlan 102
nameif voice
security-level 100
ip address 172.28.255.1 255.255.255.0
!
interface Ethernet0/1.103
vlan 103
nameif branch
security-level 100
ip address 172.27.255.1 255.255.255.0
!
interface Ethernet0/1.104
vlan 104
nameif remote
security-level 100
ip address 172.26.255.1 255.255.255.0
!
interface Ethernet0/1.998
vlan 998
nameif guest
security-level 25
ip address 172.30.255.1 255.255.255.0
!
interface Ethernet0/1.999
vlan 999
nameif mgmt
security-level 100
ip address 172.31.255.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
same-security-traffic permit inter-interface
Regards
05-22-2008 04:28 PM
Hi Mark,
By default in PIX and ASA firewalls, a command called nat-control is enabled, and it is not visible by default when you issue show run.
This command brings the obligation of defining nat and global statements for each interface or subnet. This behaviour is unlike a router, and surprises Routing & Switching experts at first :)
Either issue no nat-control, or issue nat statements. Here is an example.
Let's say that your laptop is in VLAN 103 and wants to reach VLAN 101. Then you need the following statements.
nat (branch) 1 0 0
global (access) 1 interface
This will make your laptop talk to the access VLAN, but the source address is translated into 172.29.255.1.
Or, if you like, you can write NAT exemption rules with either nat or static statements. Let me know how you want your connectivity between VLANs.
A suggestion: do not assign a security level of 100 to all interfaces, which means the most secure. You may have more important interfaces to secure from all these VLANs in future. For example, make them all 80.
Regards
05-22-2008 04:52 PM
You are welcome Mark.
Now I will write some ways; choose whichever you want.
static (access,branch) 172.29.255.0 172.29.255.0 netmask 255.255.255.0
By the above statement, any client on the branch interface can directly connect to a client's IP in 172.29.255.0/24.
static (branch,access) 172.27.255.0 172.27.255.0 netmask 255.255.255.0
By the above statement, any client on the access interface can directly connect to a client's IP in 172.27.255.0/24.
If you want to keep the source address the same between subnets for all interfaces, the above method will be least preferred, since you will have to type many static statements.
Here is another one:
access-list exempt_nat0_outbound permit ip 172.27.255.0 255.255.255.0 172.28.255.0 255.255.255.0
access-list exempt_nat0_outbound permit ip 172.28.255.0 255.255.255.0 172.27.255.0 255.255.255.0
nat (access) 0 access-list exempt_nat0_outbound
nat (branch) 0 access-list exempt_nat0_outbound
The above also requires too much typing; maybe the following works:
access-list exempt_nat0_outbound permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0
nat (access) 0 access-list exempt_nat0_outbound
nat (branch) 0 access-list exempt_nat0_outbound
nat (voice) 0 access-list exempt_nat0_outbound
nat (remote) 0 access-list exempt_nat0_outbound
Or you can simply leave no nat-control issued, as you mentioned. I just wanted to inform you how you can do this specifically.
Regards
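As an added illustration, not part of the original thread and not Cisco code, the following Python models the nat-control decision the reply describes and runs the laptop-in-VLAN-103-to-VLAN-101 case through each of the suggested fixes. The interface table is taken from the posted config; the AsaNatModel class, its verdict strings, the assumption that only the initiating direction matters, and the treatment of a static for the destination as satisfying nat-control are my own simplifications. Interface access lists and security levels are deliberately left out of the model.

```python
"""Toy model of the PIX/ASA nat-control decision discussed in this thread.
Constructed for illustration only; it is not Cisco code. It models just enough
NAT to show why inter-VLAN traffic fails with "no translation group found" and
what source address each suggested fix presents to the destination."""
from ipaddress import ip_address, ip_network

# Sub-interfaces from the original post: nameif -> (interface IP, subnet).
INTERFACES = {
    "access": ("172.29.255.1", "172.29.255.0/24"),
    "voice":  ("172.28.255.1", "172.28.255.0/24"),
    "branch": ("172.27.255.1", "172.27.255.0/24"),
    "remote": ("172.26.255.1", "172.26.255.0/24"),
    "guest":  ("172.30.255.1", "172.30.255.0/24"),
    "mgmt":   ("172.31.255.1", "172.31.255.0/24"),
}

def _net(addr, mask):
    """ASA writes 'address netmask' pairs; turn one into an IPv4Network."""
    return ip_network(f"{addr}/{mask}", strict=False)

def connected_interface(ip):
    """Return the nameif whose directly connected subnet contains ip."""
    for name, (_, net) in INTERFACES.items():
        if ip in ip_network(net):
            return name
    raise LookupError(f"no connected route for {ip}")

class AsaNatModel:
    def __init__(self, nat_control=True):
        self.nat_control = nat_control
        self.acls = {}         # name -> [(src_net, dst_net)]
        self.exempt = {}       # ifc -> acl name        nat (ifc) 0 access-list X
        self.dynamic = {}      # ifc -> [(id, net)]     nat (ifc) N addr mask
        self.globals_ = set()  # (ifc, id)              global (ifc) N interface
        self.statics = []      # (real_ifc, mapped_ifc, real_net, mapped_net)

    def configure(self, line):
        """Accept the NAT commands used in the thread (PIX 6.x / ASA 7.x syntax)."""
        t = line.split()
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            self.acls.setdefault(t[1], []).append((_net(t[4], t[5]), _net(t[6], t[7])))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            self.exempt[t[1].strip("()")] = t[4]
        elif t[0] == "nat":  # 'nat (ifc) N 0 0' means any source address
            net = ip_network("0.0.0.0/0") if t[3:5] == ["0", "0"] else _net(t[3], t[4])
            self.dynamic.setdefault(t[1].strip("()"), []).append((t[2], net))
        elif t[0] == "global" and t[3] == "interface":
            self.globals_.add((t[1].strip("()"), t[2]))
        elif t[0] == "static":  # static (real,mapped) <mapped_ip> <real_ip> netmask <mask>
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            self.statics.append((real_ifc, mapped_ifc, _net(t[3], t[5]), _net(t[2], t[5])))
        else:
            raise ValueError(f"unsupported line: {line}")

    def forward(self, src, dst):
        """Fate of a new connection src -> dst as (verdict, source seen at egress).
        The address is None when dropped; only the initiating direction is checked."""
        src, dst = ip_address(src), ip_address(dst)
        in_ifc, out_ifc = connected_interface(src), connected_interface(dst)
        if not self.nat_control:
            return "routed", str(src)
        # 1. nat 0 access-list: exempt from translation, source untouched.
        acl = self.exempt.get(in_ifc)
        if acl and any(src in s and dst in d for s, d in self.acls.get(acl, [])):
            return "exempt", str(src)
        # 2. static: a source on its real side, or a destination that is the
        #    static's mapped address, both satisfy nat-control (model assumption).
        for real_ifc, mapped_ifc, real_net, mapped_net in self.statics:
            if real_ifc == in_ifc and mapped_ifc == out_ifc and src in real_net:
                offset = int(src) - int(real_net.network_address)
                return "static-src", str(mapped_net.network_address + offset)
            if mapped_ifc == in_ifc and real_ifc == out_ifc and dst in mapped_net:
                return "static-dst", str(src)
        # 3. nat N + global N interface: PAT to the egress interface address.
        for nat_id, net in self.dynamic.get(in_ifc, []):
            if src in net and (out_ifc, nat_id) in self.globals_:
                return "pat", INTERFACES[out_ifc][0]
        return "drop: no translation group found", None

def demo(src="172.27.255.50", dst="172.29.255.10"):
    """The thread's case: laptop in VLAN 103 (branch) reaching VLAN 101 (access)."""
    cases = {
        "nat_control_no_rules": [],
        "nat_global": ["nat (branch) 1 0 0", "global (access) 1 interface"],
        "static_for_source": ["static (branch,access) 172.27.255.0 172.27.255.0 netmask 255.255.255.0"],
        "static_for_destination": ["static (access,branch) 172.29.255.0 172.29.255.0 netmask 255.255.255.0"],
        "nat0_exempt": ["access-list exempt_nat0_outbound permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0",
                        "nat (branch) 0 access-list exempt_nat0_outbound"],
    }
    results = {}
    for name, lines in cases.items():
        m = AsaNatModel()
        for line in lines:
            m.configure(line)
        results[name] = m.forward(src, dst)
    results["no_nat_control"] = AsaNatModel(nat_control=False).forward(src, dst)
    return results
```

Calling demo() returns one (verdict, source-as-seen) pair per case: with nat-control and no rules the packet is dropped with the "no translation group found" verdict; nat/global PATs the laptop to 172.29.255.1; the identity static and the nat 0 exemption both pass the original 172.27.255.50 through; and with nat-control off the traffic simply routes. Changing src and dst lets you try any two of the posted subnets.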
05-22-2008 04:30 PM
That's brilliant, thank you very much!
I would prefer to keep the source address the same between subnets though, so the exempt statements would be required, but I think just turning off nat-control would solve my problems, as the internal subnets are part of a demo suite I'm building.
I'll take your advice in regards to the interface security levels also.
Regards
05-22-2008 05:21 PM
I'm routinely impressed by the quality and depth of replies posted on these forums, and this is up there with the best of them; consider this one saved for future reference.
Thank you once again
Regards
05-22-2008 05:31 PM
You are welcome :)