ASA5505 LAN communication trouble

Sep 10th, 2009

Hello, I am the admin for a small company. We host about 20 servers for development and internal applications, and 4 servers for web hosting and external application hosting for clients. I started here two years ago, and when I started we had one server and hardly any networking equipment at all. I was pretty new to Cisco, and after talking to some reps they talked us into getting an ASA5505 instead of a router. I have enjoyed learning about this device over the past year, but it's not exactly a perfect fit; I think what we really needed was a true router, but I have made it work thus far. Since we have started growing and adding servers so quickly we have moved to a larger office, and now I have the task of splitting the network and organizing everything for further growth. I thought this would be a simple task, but with the ASA I have not been able to get my networks to talk to each other correctly. What I want to do is pretty straightforward, but I have no access to a true router, nor do I have any layer 3 switches/managed switches, just plain ole dummy switches. Right now the ASA is handling all routing and VPN traffic, and, without having to spend any money, I would like to split up my networks. I'm not very well versed in this area; I don't understand every aspect of subnetting, but reading about it hasn't really helped me much either.

What I want to do is, without using a VLAN: I have network which is working fine, is VPN and is also working fine, but I want to add and 3, 4 and 5 and so on as I need them. I have been able to add these and get everything to work, but for some reason I cannot access any of these networks from the network, which might not be a big deal until I start moving things around; then it's going to be a headache. I am able to get on the internet with my test machines, and I am able to access servers and other resources on the network from these, except my domain controller; I have not been able to get any machines to join the domain on yet. However, I also cannot RDP to any server on the network from the It is resolving names from WINS and things like that, but there are still a few things that I'm missing. I have attached my current config and will be working on this until I get it figured out. Please, any help you can give would be appreciated.

Kureli Sankar Fri, 09/11/2009 - 05:40

Your inside network according to the firewall config is or is it supposed to be /24?


All belong in the same subnet.

There is no need for routes, and there is no need for static (inside,inside) either.

You will have one big flat layer 2 network.

You mention all the switches are just layer 2 switches; if so, which device is

That device is supposed to do the routing.

The topology should look like this:

Inside networks1--Router--ASA--Internet



There is no need for the inside networks to come to the ASA to talk among themselves. The default route on the router should point to the ASA's inside interface IP address for all internet destined traffic.

maver1ck4000 Fri, 09/11/2009 - 07:13

The ASA isn't a true router, but it's all I've got since I was told it would work for us.

Inside Network2
Inside Network1--ASA--Internet

Inside Network3 is the VPN gateway, I assume; VPN users are able to use everything like normal. They connect and are assigned an IP using DHCP.

Everything should be /24; I was messing around with some settings, not sure if I changed that or not. I can try to remove all that stuff from the ASA, but with all the traffic going through there, it seems like I need some kind of rules for it to route to the correct place. And how am I supposed to set up gateway addresses? It shouldn't be this hard.

Kureli Sankar Sun, 09/13/2009 - 04:34

Please refer to the link below:

What license do you have?

You could configure VLANs for each of your inside networks.

You can configure them with the same security level and allow communication with the same-security-traffic permit inter-interface command.

With this configuration, each of the networks will use its respective VLAN interface IP address configured on your 5505 as its gateway.
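As an added example, not part of Kureli Sankar's reply and not the poster's attached config, here is what that layout looks like on an ASA 5505 in the pre-8.3 NAT syntax that was current in 2009: two inside networks on separate VLAN interfaces, both at security level 100, with inter-interface traffic permitted and exempted from NAT. The addresses 10.10.5.0/24 (inside) and 10.10.3.0/24 (servers) are assumed; the thread only shows that inside hosts are in 10.10.5.x. The trunk/access-port caveat in the comments matters for this poster, who has only unmanaged switches.

```cisco
! Added example configuration (assumed addresses, not the poster's config).
! Requires the Security Plus license for trunk ports and more than three VLANs
! (the poster's 8 trunks / 20 VLANs indicates Security Plus).
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.5.1 255.255.255.0
!
interface Vlan3
 nameif servers
 security-level 100
 ip address 10.10.3.1 255.255.255.0
!
! Option A: an 802.1Q trunk carrying both VLANs. This only works when the
! switch on the other end understands tags. Hosts on an unmanaged ("dummy")
! switch ignore tagged frames, so VLAN 3 hosts behind such a trunk never see
! their gateway.
interface Ethernet0/1
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,3
 switchport mode trunk
!
! Option B (fits unmanaged switches): one ASA switchport per VLAN as an access
! port, each cabled to its own dumb switch. Frames leave the ASA untagged.
interface Ethernet0/2
 switchport access vlan 3
!
! Hosts in 10.10.5.0/24 use 10.10.5.1 as default gateway, hosts in
! 10.10.3.0/24 use 10.10.3.1. The ASA routes between them; no static routes
! and no static (inside,inside) entries are needed.
!
! Without this line the ASA drops all traffic between two interfaces that
! share a security level.
same-security-traffic permit inter-interface
!
! Pre-8.3 NAT: if "nat (inside) 1 0.0.0.0 0.0.0.0" exists for internet access
! but there is no "global (servers)" entry, inside->servers packets are dropped
! with a "portmap translation creation failed" / "no translation group found"
! syslog. Exempt inter-VLAN traffic from NAT in both directions instead.
access-list nonat-inside extended permit ip 10.10.5.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list nonat-servers extended permit ip 10.10.3.0 255.255.255.0 10.10.5.0 255.255.255.0
nat (inside) 0 access-list nonat-inside
nat (servers) 0 access-list nonat-servers
!
! Internet access for the new VLAN through the same PAT pool as inside.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (servers) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

At equal security levels no access-list is required between the two VLANs; if the servers VLAN should later be reachable only on specific ports, lower its security level (for example to 50) and add an access-group on the servers interface, which is also the split Kureli suggests for isolating the problem.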

maver1ck4000 Mon, 09/14/2009 - 08:37

I see now; I knew there had to be a way. That got me a step closer, I think, but I am still unable to communicate from to networks; I'm getting different errors depending on what I try. One is "portmap translation creation failed"; then, when I add NAT rules, I still get a SYN timeout. If I add a dynamic rule I get a NAT error like nothing exists.

interface vlan 3
 nameif servers
 security-level 100
 ip address
interface ethernet0/1
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,3
 switchport mode trunk

I added this to my config. I have licenses for 8 trunks, 20 VLANs, and unlimited DMZ.

Kureli Sankar Mon, 09/14/2009 - 18:41

Make sure the hosts behind vlan1 can ping the vlan1 IP address on the ASA and the hosts behind vlan3 can ping the vlan3 interface IP address.

Then, try to ping vlan3 hosts from vlan1 hosts.

SYN timeout means that the host on the other side is not responding or its response is not arriving at the host that sent the request.

At this point you need to start collecting captures on both interfaces to see if the packets are ingressing and egressing the appropriate interfaces.

If you are running 7.2.4 or later code you can use the match keyword in the capture:

cap capin int inside match ip host 10.10.5.x any
cap capdmz int dmz match ip host

sh cap capin
sh cap capdmz

You can clear them by issuing:

clear cap capin
clear cap capdmz

Do a simple ping test before trying a TCP flow. To make it simpler, first try one interface at security level 100 and the other at something like 50 or 60.

Good luck.
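As an added example, not part of Kureli Sankar's reply, here is the same troubleshooting sequence carried one step further on the ASA itself, using packet-tracer and the ASP drop counters alongside the captures. The test hosts 10.10.5.10 (inside) and 10.10.3.10 (servers) and the interface name "servers" are assumed; the thread names only the 10.10.5.x network.

```cisco
! Added example (assumed hosts and interface names, not from the thread).
!
! 1. Simulate the flow on the ASA before touching any host. The output walks
!    each phase (route lookup, ACL, NAT, inspection) and names the phase that
!    drops the packet, which distinguishes a missing NAT exemption from a
!    host that simply does not answer.
packet-tracer input inside icmp 10.10.5.10 8 0 10.10.3.10 detailed
packet-tracer input inside tcp 10.10.5.10 1025 10.10.3.10 3389 detailed
!
! 2. If packet-tracer shows ALLOW, capture on both interfaces, filtered to the
!    test host, then ping 10.10.3.10 from 10.10.5.10. An echo request seen on
!    "servers" with no reply means the server (or its default gateway, which
!    must be 10.10.3.1) is the problem, not the ASA.
capture capin interface inside match icmp host 10.10.5.10 any
capture capsrv interface servers match icmp host 10.10.5.10 any
show capture capin
show capture capsrv
!
! 3. Repeat for the TCP flow that times out (RDP here). A SYN on inside that
!    never appears on servers points back at NAT or policy on the ASA.
capture capin-tcp interface inside match tcp host 10.10.5.10 host 10.10.3.10 eq 3389
capture capsrv-tcp interface servers match tcp host 10.10.5.10 host 10.10.3.10 eq 3389
show capture capin-tcp
show capture capsrv-tcp
!
! 4. Confirm the translation state: inter-VLAN flows should show as identity
!    (no-NAT) entries, and "show nat" should list the exemption before any
!    dynamic rule for the same interface.
show xlate
show nat
!
! 5. Drops that produce no syslog still increment these counters.
show asp drop
!
! 6. Clean up; running captures cost memory and CPU on a 5505.
clear capture capin
clear capture capsrv
no capture capin
no capture capsrv
no capture capin-tcp
no capture capsrv-tcp
```

Order matters here: a packet-tracer drop in the NAT phase means the hosts never receive anything and host-side troubleshooting is wasted, while a clean packet-tracer plus an unanswered SYN in the servers capture moves the question to the server's own firewall or gateway setting.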
