ASA 5510, problems with ACL on VLAN

Answered Question
Apr 28th, 2010

Hi, thank you in advance for your help.

(Sorry for the mistakes in the text.)

I have had a problem for 3 weeks with my ASA 5510 firewall.

At the beginning I had one network on a single VLAN, the default VLAN, but to increase bandwidth I created 2 VLANs.

(I have an Allied Telesyn 8326 switch.)

I have configured the firewall; the VLANs have Internet access, but it is impossible to communicate with the other VLANs (I have kept the default VLAN for my network, but I have read that this is not good, am I right?).

I use ASDM and the integrated Packet Tracer, and when I run a traffic test the packets are dropped because of the ACLs, but I have on all VLAN interfaces:

access-list VLAN_X_access_in extended permit ip any any   (applied "in")

I don't know why the traffic is not forwarded. I have set a lower security level (50) on the VLAN interfaces.

What is the problem?

PS: to help myself I have read this https://supportforums.cisco.com/message/3051647#3051647 , but nothing works.

Thanks again

Jennifer Halim Wed, 04/28/2010 - 04:26

Can you share the following configuration:

sh run int

sh run static

sh run nat

sh run global

And any access-list associated with the above NAT statements, if any. Thanks.

AurelienRT Wed, 04/28/2010 - 05:15

TECNOASA5510# sh run int
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address X.X.X.117 255.255.255.248
 ospf cost 10
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.2.120 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1.10
 description VLAN_Reseau_Wifi
 vlan 10
 nameif VLAN_10
 security-level 50
 ip address 192.168.3.10 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1.20
 vlan 20
 nameif VLAN_20
 security-level 50
 ip address 192.168.4.10 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 nameif DMZ
 security-level 50
 ip address 10.0.10.20 255.255.255.0
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only

TECNOASA5510# sh run static
static (Inside,Outside) COURRIER.TECNOMA.COM SERVEUR2003 netmask 255.255.255.255

TECNOASA5510# sh run nat
nat (Outside) 101 10.0.20.0 255.255.255.0
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (VLAN_10) 101 192.168.3.0 255.255.255.0
nat (VLAN_20) 101 192.168.4.0 255.255.255.0

TECNOASA5510# sh run global
global (Outside) 101 interface

TECNOASA5510# sh run access-list
access-list Outside_access_in extended permit tcp any host COURRIER.TECNOMA.COM object-group DM_INLINE_TCP_1
access-list Outside_access_in extended permit tcp SMTP-ORANGE 255.255.252.0 host COURRIER.TECNOMA.COM eq smtp
access-list Outside_access_in remark management port 25
access-list Outside_access_in extended permit tcp any any eq smtp
access-list VPNCLIENT_splitTunnelAcl standard permit any
access-list Inside_nat0_outbound extended permit ip any 10.0.20.0 255.255.255.192
access-list Inside_access_in remark management port 25
access-list Inside_access_in extended deny tcp any any eq smtp inactive
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit object-group TCPUDP any any inactive
access-list VLAN_10_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list VLAN_20_access_in extended permit ip 192.168.4.0 255.255.255.0 any
access-list out_access_in extended permit ip any 192.168.4.0 255.255.255.0

TECNOASA5510# sh run access-group
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group VLAN_10_access_in in interface VLAN_10
access-group VLAN_20_access_in in interface VLAN_20

Jennifer Halim Wed, 04/28/2010 - 05:23

I assume that you would like to communicate between the VLAN_Reseau_Wifi and VLAN_20 interfaces?

If that is the case, then you would need to configure the following:

same-security-traffic permit inter-interface

static (VLAN_Reseau_Wifi,VLAN_20) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

Hope that helps.

Correct Answer
astripat Wed, 04/28/2010 - 05:26

Hi,

It seems you want all the VLANs to communicate with each other. So, I assume that you want the inside, VLAN_10 and VLAN_20 to communicate with each other. Following are the commands required:

static (Inside,VLAN_10) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,VLAN_20) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (VLAN_20,VLAN_10) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (VLAN_10,VLAN_20) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

same-security-traffic permit inter-interface

HTH

Regards,
Ashu

AurelienRT Wed, 04/28/2010 - 05:46

Thanks for your answers,

Just one thing: VLAN 10 is for the wifi network, but it must be separated from the other networks (because it is a free access point and I don't want everyone to be able to see the data on the private LAN), so for this VLAN the problem is the solution ^^.

And Inside is VLAN 1, and I just want VLAN 20 to be able to communicate with Inside (VLAN 1).

I will try the configuration and give you the result.

Jennifer Halim Wed, 04/28/2010 - 05:49

If you just want vlan 20 to communicate with inside, then here is the only static statement required:

static (inside,VLAN_20) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

AurelienRT Wed, 04/28/2010 - 06:08

I have entered all the commands to test, but it is not working; it is impossible to ping the interface from VLAN_20 or any other.

TECNOASA5510# sh run sta
static (Inside,Outside) COURRIER.TECNOMA.COM SERVEUR2003 netmask 255.255.255.255
static (Inside,VLAN_20) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,VLAN_10) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (VLAN_20,VLAN_10) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (VLAN_10,VLAN_20) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

Maybe it is a problem with the ACL or the dynamic NAT?

astripat Wed, 04/28/2010 - 06:17

Hi,

If you want only inside to communicate with VLAN_20, then do the following:

no static (Inside,VLAN_10) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
no static (VLAN_20,VLAN_10) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
no static (VLAN_10,VLAN_20) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

clear xlate

clear local

Try to ping after that, and if it still fails, send me the output of the following:

packet-tracer input Inside icmp 192.168.2.10 0 8 192.168.4.10 detailed

Regards,

Ashu

AurelienRT Wed, 04/28/2010 - 06:29

It works!!

Thank you for your answers.

But it is really strange: I can ping a computer in another VLAN or Inside, but I can't ping the interface, and I can't connect to the router from a VLAN ...

astripat Wed, 04/28/2010 - 06:32

Hi,

Yes, that's by design. If you are sitting on inside then you can ping and access any other device sitting behind any other interface (for e.g. VLAN_10). However, you CANNOT ping/telnet/ssh/asdm to the interface IP of VLAN_10 if you are coming from inside. That's by design.

HTH

Regards,

Ashu
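The outcome the thread arrives at can be reproduced offline with the small model below. This is an added example, not code from the thread, from Cisco or from any participant: it parses the pre-8.3 style `nameif`/`security-level`, `nat`/`global`/`static` and `access-list`/`access-group` lines posted above and applies three checks in the order the replies describe, the inbound ACL on the ingress interface, the security-level comparison (equal levels need `same-security-traffic permit inter-interface`), and the translation lookup (a `static` for the interface pair wins; otherwise a dynamic `nat` entry needs a `global` with the same id on the egress interface, which is the "no translation group found" drop; with no matching rule the flow passes untranslated, assuming nat-control is off, its default). It is a simplification: only `permit`/`deny ip` ACL entries are parsed, `static` lines are expected to carry the `netmask` keyword, only the initiating direction is evaluated (replies follow the stateful connection, as on the ASA), and traffic addressed to the ASA's own interface IP, the case covered in the last reply, is not modelled. `POSTED_CONFIG` and `FIXED_CONFIG` are constructed from the configuration in this thread; every function and variable name is the example's own.

```python
"""Offline model of the pre-8.3 ASA checks in this thread: ingress ACL, security levels, then static / nat+global."""
import ipaddress
from types import SimpleNamespace

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed from the configuration posted above (IP-based lines only; the name-based mail-server static is omitted).
POSTED_CONFIG = """
interface Ethernet0/0
 nameif Outside
 security-level 0
interface Ethernet0/1
 nameif Inside
 security-level 100
interface Ethernet0/1.10
 nameif VLAN_10
 security-level 50
interface Ethernet0/1.20
 nameif VLAN_20
 security-level 50
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (VLAN_10) 101 192.168.3.0 255.255.255.0
nat (VLAN_20) 101 192.168.4.0 255.255.255.0
global (Outside) 101 interface
access-list Inside_access_in extended permit ip any any
access-list VLAN_10_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list VLAN_20_access_in extended permit ip 192.168.4.0 255.255.255.0 any
access-group Inside_access_in in interface Inside
access-group VLAN_10_access_in in interface VLAN_10
access-group VLAN_20_access_in in interface VLAN_20
"""
# The two lines the thread settled on: Inside <-> VLAN_20 only, the wifi VLAN_10 stays isolated.
FIXED_CONFIG = POSTED_CONFIG + """
same-security-traffic permit inter-interface
static (Inside,VLAN_20) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_object(tokens):
    """Consume one ACL address object ('any' or 'NET MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    cfg = SimpleNamespace(levels={}, same_security=False, nats=[], globals_=set(), statics=[], acls={}, groups={})
    current_if = None
    for t in filter(None, map(str.split, text.splitlines())):
        if t[0] == "nameif":
            current_if = t[1]
        elif t[0] == "security-level" and current_if:
            cfg.levels[current_if] = int(t[1])
        elif t[:3] == ["same-security-traffic", "permit", "inter-interface"]:
            cfg.same_security = True
        elif t[0] == "nat":                      # nat (IF) ID REAL MASK
            cfg.nats.append((t[1].strip("()"), t[2], _net(t[3], t[4])))
        elif t[0] == "global":                   # global (IF) ID ...
            cfg.globals_.add((t[1].strip("()"), t[2]))
        elif t[0] == "static":                   # static (REAL_IF,MAPPED_IF) MAPPED REAL netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg.statics.append((real_if, mapped_if, _net(t[3], t[5])))
        elif t[0] == "access-list" and t[2] == "extended" and t[4] == "ip":  # only permit/deny ip entries are modelled
            src, rest = _acl_object(t[5:])
            dst, _ = _acl_object(rest)
            cfg.acls.setdefault(t[1], []).append((t[3], src, dst))
        elif t[0] == "access-group":             # access-group NAME in interface IF
            cfg.groups[t[4]] = t[1]
    return cfg


def evaluate(cfg, src_if, src_ip, dst_if, dst_ip):
    """(allowed, reason) for a flow initiated on src_if towards a host behind dst_if."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl = cfg.groups.get(src_if)
    if acl:  # 1. inbound ACL on the ingress interface; no match means the implicit deny
        hit = next((a for a, s, d in cfg.acls.get(acl, []) if src in s and dst in d), None)
        if hit != "permit":
            return False, f"ACL {acl}: {hit or 'implicit deny'}"
    elif cfg.levels[src_if] <= cfg.levels[dst_if]:
        return False, "no inbound ACL and not coming from a higher security level"
    if cfg.levels[src_if] == cfg.levels[dst_if] and not cfg.same_security:  # 2. security levels
        return False, "equal security levels without same-security-traffic permit inter-interface"
    # 3. translation: a static for this interface pair wins; otherwise a matching dynamic nat
    #    entry needs a global with the same id on the egress interface; no rule at all passes untranslated.
    if any(r == src_if and m == dst_if and src in n for r, m, n in cfg.statics):
        return True, "static (identity) translation for this interface pair"
    for nameif, nat_id, net in cfg.nats:
        if nameif == src_if and src in net:
            if (dst_if, nat_id) in cfg.globals_:
                return True, f"dynamic NAT id {nat_id} via global on {dst_if}"
            return False, f"nat id {nat_id} matches but no global on {dst_if} (no translation group found)"
    return True, "no NAT rule matched; forwarded untranslated (nat-control assumed off, the default)"
```

Running `evaluate(parse_config(POSTED_CONFIG), "Inside", "192.168.2.10", "VLAN_20", "192.168.4.50")` reproduces the original symptom: the ACL permits the flow, but `nat (Inside) 101 0.0.0.0 0.0.0.0` matches every Inside host and there is no `global (VLAN_20) 101`, so the packet is dropped at the translation step. The same call against `FIXED_CONFIG` is allowed by the identity static. Note what keeps the wifi VLAN_10 off the private LAN in the final configuration: not `VLAN_10_access_in` (it permits 192.168.3.0/24 to any), but the absence of a static or global for the VLAN_10 to Inside pair. Isolation that rests on a missing NAT rule disappears the moment someone adds `global (Inside) 101 interface` or a broader static; an explicit deny for 192.168.2.0/24 in `VLAN_10_access_in` would make the intent visible in the ACL itself.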
