Inter-VLAN routing on Cisco ASA 5510

Aug 9th, 2010

Hi All,


I'm doing a lab with an ASA 5510 and a 2590 switch, and I would like to see a simple configuration example of inter-VLAN routing on a Cisco ASA 5510.

Right now in my lab it isn't working. Is there some secret to it?



Antonio

Nagaraja Thanthry (Cisco Employee) Mon, 08/09/2010 - 06:07

Hello,


If you are trying inter-VLAN routing, then make sure that both sub-interfaces have a nameif and the security level set to the same value.


int eth 0/0.1
 nameif inside1
 security-level 100
 exit

int eth 0/0.2
 nameif inside2
 security-level 100
 exit


Then also make sure that NAT is turned off.


no nat-control


Finally, configure the rule to allow communication between two interfaces with the same security level.


same-security-traffic permit inter-interface


Also, make sure that the hosts in the different VLANs have their default gateways set to the firewall's respective sub-interface IP.


Hope this helps.


Regards,


NT

Antonio Brandao Mon, 08/09/2010 - 09:09

Hi Nagaraja,


I did try it, but it is still not working; see my current config below.

One question: if I disable NAT with the no nat-control command, will I still be able to do NAT?



fwljlpenglda1# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname fwljlpenglda1
domain-name default.domain.invalid
enable password fcAtuJXQCdxxcGDJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.501
description outside_internet
vlan 501
nameif outside_1
security-level 0
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/0.502
description outside_dmz
vlan 502    
nameif outside_2
security-level 0
ip address 10.1.2.2 255.255.255.0
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.10
description users_lan
vlan 10
nameif inside_1
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.20
description serv_farm
vlan 20
nameif inside_2
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/1.40
description telephony
vlan 40
nameif inside_3
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/1.50
description guest_lan
vlan 50
nameif inside_4
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
description dmz
shutdown
nameif dmz
security-level 50
ip address 192.168.30.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list lan10 extended permit ip any any
access-list lan20 extended permit ip any any
pager lines 24
logging asdm informational
mtu outside_1 1500
mtu outside_2 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu dmz 1500
mtu management 1500
icmp permit any echo outside_1
icmp permit any echo-reply outside_1
icmp permit any echo inside_1
icmp permit any echo-reply inside_1
icmp permit any echo inside_2
icmp permit any echo-reply inside_2
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside_1) 1 interface
nat (inside_1) 1 192.168.10.0 255.255.255.0
static (dmz,outside_2) 192.168.30.1 10.1.2.2 netmask 255.255.255.255
route outside_1 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username root password hTcSpHuGLTErwasr encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:b0a4079e123e6b3eece868eee6659ff9
: end

Nagaraja Thanthry (Cisco Employee) Mon, 08/09/2010 - 09:19

Hello,


When you disable nat-control, the firewall will not compel you to configure NAT between every interface pair. However, if you did configure NAT, the firewall will apply those rules and perform NAT as usual.


Hope this helps.


Regards,


NT

Nay Myo Tun Wed, 11/17/2010 - 06:27

Hi NT ,

Could you please help and advise? I have an issue on my project. I have already set up the ASA 5510 and configured eth0 for outside (security-level 0), eth1 for DMZ (security-level 50) and eth3 for the internal network (security-level 100). I want to be able to route, ping and ftp from each VLAN to another.

I have configured the necessary ACLs to allow the traffic between the DMZ <=> Outside interfaces.

Using packet tracer from Outside to DMZ, the packet is allowed. But I can't ping / ftp from one interface to another. Please see the attached screenshot.

But according to your statement, "If you are trying inter-vlan routing, then make sure that both sub-interfaces have a nameif and security level set to same value."

Does it apply to DMZ, internal and external interfaces with different security levels? I would really appreciate your advice since I am now confused.

Antonio Brandao Wed, 11/17/2010 - 07:03

Hi Nay,


From where aren't you able to ping what? Only ping? Or can't you reach the FTP server through the FTP service as well?


AB

underthesiege Mon, 08/09/2010 - 10:05

Hi,


Try using the "same-security-traffic permit intra-interface" command, not "inter-interface", because you want to route between the networks which are logically connected to your Ethernet0/1 interface, which is the same interface for all your networks. And also, after using this command, don't forget to change the security levels of your Internet and DMZ interfaces, for security reasons.


Hope this helps,

Antonio Brandao Wed, 08/11/2010 - 00:47

Hi NT,


It is not my intention to turn off NAT on the firewall; I will need it in future to give these VLANs access to the Internet through the outside_1 interface.

Thanks anyway for your help.


Underthesiege,


I did both commands and it is still not working: from the firewall I can ping both LANs, but from VLAN 10 I'm not able to ping any host on VLAN 20.

So it's still not working; my updated config follows:



fwljlpenglda1# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname fwljlpenglda1
domain-name default.domain.invalid
enable password fcAtuJXQCdxxcGDJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.501
description outside_internet
vlan 501
nameif outside_1
security-level 0
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/0.502
description outside_dmz
vlan 502    
nameif outside_2
security-level 0
ip address 10.1.2.2 255.255.255.0
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.10
description users_lan
vlan 10
nameif inside_1
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.20
description serv_farm
vlan 20
nameif inside_2
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/1.40
description telephony
vlan 40
nameif inside_3
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/1.50
description guest_lan
vlan 50
nameif inside_4
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
description dmz
shutdown
nameif dmz
security-level 50
ip address 192.168.30.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list lan10 extended permit ip any any
access-list lan20 extended permit ip any any
pager lines 24
logging asdm informational
mtu outside_1 1500
mtu outside_2 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu dmz 1500
mtu management 1500
icmp permit any echo outside_1
icmp permit any echo-reply outside_1
icmp permit any echo inside_1
icmp permit any echo-reply inside_1
icmp permit any echo inside_2
icmp permit any echo-reply inside_2
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside_1) 1 interface
nat (inside_1) 1 192.168.10.0 255.255.255.0
static (dmz,outside_2) 192.168.30.1 10.1.2.2 netmask 255.255.255.255
static (inside_1,inside_2) 192.168.20.0 192.168.10.0 netmask 255.255.255.0
static (inside_2,inside_1) 192.168.10.0 192.168.20.0 netmask 255.255.255.0
access-group lan10 in interface inside_1
access-group lan20 in interface inside_2
route outside_1 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username root password hTcSpHuGLTErwasr encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:b0a4079e123e6b3eece868eee6659ff9
: end

Nagaraja Thanthry (Cisco Employee) Wed, 08/11/2010 - 06:46

Hello,


The static statements you have configured are incorrect. Please remove the following lines:

no static (inside_1,inside_2) 192.168.20.0 192.168.10.0 netmask 255.255.255.0
no static (inside_2,inside_1) 192.168.10.0 192.168.20.0 netmask 255.255.255.0


Please configure the following lines:


static (inside_1,inside_2) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

static (inside_2,inside_1) 192.168.20.0 192.168.20.0 netmask 255.255.255.0


Hope this helps.


Regards,


NT

Antonio Brandao Wed, 08/11/2010 - 08:30

Hi NT,


Thanks, it worked nicely. It is pinging perfectly now.

Great, thanks for that.


regards



Antonio
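The checks Nagaraja's two replies walk through (both sub-interfaces with a nameif and equal security levels, same-security-traffic permit inter-interface, and a translation for the interface pair in the identity form rather than the mapped one) can be made mechanical. The Python script below is an added example for this page, not code from the thread or from Cisco. It parses only the pre-8.3 nat/global/static syntax used above and models one rule that Antonio's configs illustrate: once a dynamic nat rule on the ingress interface matches the source, the ASA needs a global with the same ID on the egress interface or a static for that interface pair, and a static whose mapped network lands inside the destination interface's own subnet is flagged. Access lists are not modelled, nat-control is assumed off unless the config says otherwise (an assumption of the checker), and the sample configs are trimmed copies of the ones posted above, constructed inline.

```python
"""Pre-flight checker for ASA 7.x/8.2-style inter-VLAN routing (added example).
Modelled: nameif/security-level/ip present; equal levels need the
inter-interface permit; a matching 'nat (src) ID' needs 'global (dst) ID' or a
'static (src,dst)'; a static mapping src into dst's own subnet is wrong.
Not modelled: access lists, 8.3+ object NAT. nat-control assumed off by default."""
import ipaddress
import re

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ([\d.]+) ([\d.]+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) ([\d.]+) ([\d.]+) netmask ([\d.]+)")


def net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_asa(text):
    """Collect the statements that decide whether src -> dst can be forwarded."""
    cfg = {"ifaces": {}, "inter": False, "nat_control": False,
           "nat": [], "globals": set(), "static": []}
    cur = None                                  # interface block being read
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":                         # '!' closes an interface block
            cur = None
            continue
        if not line or line.startswith(":"):
            continue
        if line.startswith("interface "):
            cur = {"sec": None, "subnet": None}
            continue
        if cur is not None:
            w = line.split()
            if w[0] == "nameif":
                cfg["ifaces"][w[1]] = cur       # same dict, filled in as we go
            elif w[0] == "security-level":
                cur["sec"] = int(w[1])
            elif w[:2] == ["ip", "address"]:
                cur["subnet"] = net(w[2], w[3])
            continue
        if line == "same-security-traffic permit inter-interface":
            cfg["inter"] = True
        elif line == "nat-control":
            cfg["nat_control"] = True
        elif (m := NAT_RE.match(line)):
            cfg["nat"].append((m[1], int(m[2]), net(m[3], m[4])))
        elif (m := GLOBAL_RE.match(line)):
            cfg["globals"].add((m[1], int(m[2])))
        elif (m := STATIC_RE.match(line)):     # static (real_if,mapped_if) mapped real netmask
            real_if, mapped_if, mapped, real, mask = m.groups()
            cfg["static"].append((real_if, mapped_if, net(real, mask), net(mapped, mask)))
    return cfg


def check_path(cfg, src, dst):
    """Return reasons hosts on src could not reach dst (empty list = none found)."""
    problems = []
    for name in (src, dst):
        i = cfg["ifaces"].get(name)
        if i is None or i["sec"] is None or i["subnet"] is None:
            problems.append(f"{name}: needs nameif, security-level and ip address")
    if problems:
        return problems
    s, d = cfg["ifaces"][src], cfg["ifaces"][dst]
    if s["sec"] == d["sec"] and not cfg["inter"]:
        problems.append("equal security levels but 'same-security-traffic permit "
                        "inter-interface' is missing")
    # A static for this exact interface pair takes precedence over nat/global.
    statics = [st for st in cfg["static"]
               if st[0] == src and st[1] == dst and st[2].overlaps(s["subnet"])]
    if statics:
        for _, _, real, mapped in statics:
            if real != mapped and mapped.overlaps(d["subnet"]):
                problems.append(f"static ({src},{dst}) maps {real} to {mapped}, which is "
                                f"{dst}'s own subnet; use the identity form {real} -> {real}")
        return problems
    dyn = [(i, n) for ifc, i, n in cfg["nat"] if ifc == src and n.overlaps(s["subnet"])]
    for nat_id, n in dyn:
        if nat_id != 0 and (dst, nat_id) not in cfg["globals"]:
            problems.append(f"nat ({src}) {nat_id} matches {n} but there is no global "
                            f"({dst}) {nat_id} and no static ({src},{dst}); translation fails")
    if not dyn and cfg["nat_control"]:
        problems.append(f"nat-control is on and no nat/static covers {src} -> {dst}")
    return problems


# Constructed samples, trimmed from the configs posted in this thread.
BASE = """\
interface Ethernet0/1.10
 nameif inside_1
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.20
 nameif inside_2
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
same-security-traffic permit inter-interface
global (outside_1) 1 interface
nat (inside_1) 1 192.168.10.0 255.255.255.0
"""
WRONG = BASE + "static (inside_1,inside_2) 192.168.20.0 192.168.10.0 netmask 255.255.255.0\n"
FIXED = BASE + "static (inside_1,inside_2) 192.168.10.0 192.168.10.0 netmask 255.255.255.0\n"

if __name__ == "__main__":
    for label, text in (("first config", BASE), ("wrong static", WRONG), ("identity static", FIXED)):
        print(f"{label}: {check_path(parse_asa(text), 'inside_1', 'inside_2') or 'OK'}")
```

Run against the three samples it reports the first config as failing because nat (inside_1) 1 has no global on inside_2, flags the mapped static as overlapping inside_2's own subnet, and passes the identity static. For a real box, feed it the output of show running-config and call check_path for each interface pair you expect to talk; anything it cannot see (ACLs, 8.3 object NAT) still has to be checked with packet-tracer.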

Hello Nagaraj,


I have the same configuration and want to get communication working between two LAN sub-interfaces on an ASA 5510 running version 8.3.


I have tried to follow your given steps but had no luck:

1) Same security level for both VLAN interfaces

2) Ran the command same-security-traffic permit inter-interface.


Please guide me on what to do next. I am running the latest version on the ASA 5510, version 8.3.




ASA Configuration:


names
!
interface Ethernet0/0
description ASA Outside segment
speed 100
duplex full
nameif outside
security-level 0
ip address 62.173.33.67 255.255.255.240
!
interface Ethernet0/1
description VLAN AGGREGATION point
no nameif
no security-level
no ip address
!
interface Ethernet0/1.2
vlan 2
nameif INSIDE
security-level 100
ip address 192.168.172.1 255.255.255.0
!
interface Ethernet0/1.3
description LAN Segment
vlan 3
nameif LAN
security-level 100
ip address 192.168.173.1 255.255.255.0
!
interface Ethernet0/1.4
description VoIP network segment
vlan 4
nameif VOIP
security-level 90
ip address 192.168.174.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.175.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE
subnet 192.168.172.0 255.255.255.0
object network LAN
subnet 192.168.173.0 255.255.255.0
object network WEB_TEST
host 192.168.173.120
object network ISR
host 192.168.172.69
access-list outside-in extended permit tcp any object WEB_TEST eq www
access-list outside-in extended permit ip any object ISR
access-list vlan3-in extended permit tcp object WEB_TEST eq www any
access-list vlan2-in extended permit ip object ISR any
pager lines 24
mtu outside 1500
mtu INSIDE 1500
mtu LAN 1500
mtu VOIP 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network INSIDE
nat (INSIDE,outside) dynamic interface
object network LAN
nat (LAN,outside) dynamic interface
object network WEB_TEST
nat (LAN,outside) static 62.173.33.77
access-group outside-in in interface outside
access-group vlan3-in in interface LAN
route outside 0.0.0.0 0.0.0.0 62.173.33.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.172.150 255.255.255.255 LAN
http 192.168.173.100 255.255.255.255 LAN
http 192.168.173.150 255.255.255.255 LAN
http 192.168.175.150 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 192.168.172.150 255.255.255.255 INSIDE
ssh 192.168.173.100 255.255.255.255 LAN
ssh 192.168.173.150 255.255.255.255 LAN
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Rakh password EV9pEo1UkhHJSbIW encrypted privilege 15
username Sigma password x0qPjGQ7LLxUxZ9k encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:77577f5b1d4d3927d0f656cf94dcd487
: end
