
Problem with VLANs and NAT

milan.markovic
Level 1

I am using ASA5510 with outside interface connected to Internet over PPPoE, inside for HQ LAN and one more interface connected to remote office. Traffic to remote office should be tagged with certain VLAN tag. Remote location should access HQ LAN and also access Internet through this ASA.

The current configuration allows both LANs (HQ and remote office) to access Internet over outside, but the traffic between LANs is not possible. At the moment the global command is executed, there is no traffic between HQ LAN (192.168.5.0) and remote LAN (192.168.10.0).

When I ping the remote LAN from the ASA, ping is working. If I make a ping but from inside interface, ping is not working. If I ping from remote LAN to tehc subinterface address 192.168.12.1, ping is working. It seems like NAT disabled the traffic between remote LAN and HQ LAN.

Any advice? I need ping working between remote LAN and HQ LAN, as well as other ip traffic.

Here is the configuration:

show run

: Saved

:

ASA Version 8.0(3)

!

hostname fwvodabd1

enable password ********* encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

pppoe client vpdn group pppoegrp

ip address pppoe setroute

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

!

interface Ethernet0/2

no nameif

no security-level

no ip address

!

interface Ethernet0/2.1

vlan 3101

nameif tehc

security-level 100

ip address 192.168.12.1 255.255.255.252

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd ********* encrypted

ftp mode passive

same-security-traffic permit inter-interface

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu tehc 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.5.0 255.255.255.0

nat (tehc) 1 192.168.10.0 255.255.255.0

route tehc 192.168.10.0 255.255.255.0 192.168.12.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet 192.168.10.0 255.255.255.0 tehc

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group pppoegrp request dialout pppoe

vpdn group pppoegrp localname *********

vpdn group pppoegrp ppp authentication pap

vpdn username vodovodb1 password *********

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:d60f6017f39aa6a81a30902aa39ed0e6

: end

fwvodabd1(config)#


andrew.prince
Level 10

Questions:-

1) What device is 192.168.12.2 1?

2) Is your layer 2 device configured with the correct vlans?

Hi milan,

You definitely need 3 things in order for this to work:

1- On the ASA, you need to exclude traffic between the HQ and the Remote office from NATing (NAT exclude also called NAT zero):

access-list inside-NAT-Exclude line 1 permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (inside) 0 access-list inside-NAT-Exclude

2- Allow icmp echo and echo reply on the ACLs relying between the inside and tehc interface.

3- a static route on the layer 3 device (192.168.12.2):

ip route 192.168.5.0 255.255.255.0 192.168.12.1

Hope this helps.

Cheers and good luck

I tried what you suggested, but there is no traffic between inside and tehc interface.

The tehc interface is connected with one Sarian router, and remote LAN is at the other Sarian's router interface.

Without any nat and/or global command in ASA configuration, traffic (and ping) between local and remote LAN is going well, but none of the LAN can reach the Internet.

When I add nat/global commands, to allow Internet traffic, both LANs can reach internet over outside interface, but then there is no traffic in between local and remote LAN.

As I can debug traffic on remote Sarian router, I can see that I can ping 192.168.12.2 from ASA tehc interface, but cannot from ASA inside interface. At the moment when I ping from inside LAN, there is no traffic registered on remote Sarian router. It really seems that NAT exemption should help, but I tried with your suggestion and other similar possibilities, without any help. All the time, there is traffic to outside, but no intertraffic between inside LAN and LAN behind tehc interface.

Is there any debug method (seems that ASA does not support some NAT debugging techniques that are present on Cisco routers)?

Can you decrease the security level (to 90 or less) for interface Ethernet0/2.1 and try NAT exclude?

When I decreased sec level of tehc interface to 90, I was able to reach remote LAN from local (inside) LAN. Access from remote LAN to local LAN is not allowed (probably due to decreased sec level on tehc interface). Of course, all that together with nat exclude commands you suggested.

Any advice how to allow traffic from remote LAN to local LAN, not losing the internet traffic from both LANs?

And some more help with icmp access-lists, to allow pinging between LANs.

Thanks anyway.

Traffic from lower security level to higher security level is denied by default. What is needed in this case is an inbound access list on the tehc interface allowing this.

access-list tehc-inbound line 1 extended permit ip 192.168.10.0 255.255.255.0 any

access-group tehc-inbound in interface tehc

please rate once your issue is solved ;)

Cheers
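
The changes this thread arrives at (lower security level on tehc, NAT exclude on inside, inbound ACL on tehc), collected in one place with verification commands. This is an added example, not part of any post and not a configuration confirmed by the participants; the host addresses 192.168.5.10 and 192.168.10.10 are constructed samples.

```cisco
! Added example: consolidates the changes discussed in this thread (ASA 8.0 syntax).
! tehc is lowered below inside, as tried in the thread.
interface Ethernet0/2.1
 security-level 90
!
! NAT exemption for HQ <-> remote office traffic. Internet-bound traffic
! still matches nat 1 / global 1 and is translated on outside.
access-list inside-NAT-Exclude extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside-NAT-Exclude
!
! tehc (90) -> inside (100) is denied without an ACL. Once this ACL is bound,
! it also replaces the implicit permit from tehc toward outside, so a
! destination narrower than "any" would cut the remote office off from the
! Internet unless further permit lines are added.
access-list tehc-inbound extended permit ip 192.168.10.0 255.255.255.0 any
access-group tehc-inbound in interface tehc
!
! Verification from privileged EXEC. Host addresses are constructed samples.
! clear xlate removes existing translations (and interrupts the connections
! using them) so entries built before the NAT change are not reused.
clear xlate
packet-tracer input inside icmp 192.168.5.10 8 0 192.168.10.10 detailed
packet-tracer input tehc icmp 192.168.10.10 8 0 192.168.5.10 detailed
show access-list tehc-inbound
```

In the packet-tracer output, the phase reported as DROP (for example NAT or ACCESS-LIST) shows which check rejected the simulated packet, and the hit counters from show access-list confirm whether the tehc-inbound entry is being matched.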

Milan,

The ASA should just have a static route for 192.168.10.0/24 to the router interface connected to the 192.168.12.0/25 network.

The router should have a default route pointing to the ASA for all traffic NOT in its local routing table, 192.168.12.0/24 & 192.168.10.0/24 will be connected - the router is the device that will route between the 2 subnets.

ALL machines on the 192.168.12.0/24 should have a default gateway of the router. ALL machines on the 192.166.10.0/24 should have a default gateway of the router.

Then you just configure the nat statements in the PIX so the internal subnets 192.168.12.0/24 & 192.168.10.0/24 can browse the internet.

The router should be used as the primary layer 3 device to route traffic between 192.168.12.0/24 <> 192.168.10.0/24

HTH
