08-09-2010 04:08 AM - edited 03-11-2019 11:22 AM
Hi All,
I am doing a lab with an ASA 5510 and a 2590 switch, and I would like to see a simple configuration example for inter-VLAN routing on a Cisco ASA 5510.
Right now in my lab it isn't working. Is there some secret to it?
Antonio
08-09-2010 06:07 AM
Hello,
If you are trying inter-vlan routing, then make sure that both
sub-interfaces have a nameif and security level set to same value.
int eth 0/0.1
nameif inside1
security-level 100
exit
int eth 0/0.2
nameif inside2
security-level 100
exit
Then also make sure that NAT is turned off.
no nat-control
Finally, configure rule to allow communication between two interfaces with
same security level.
same-security-traffic permit inter-interface
Also, make sure that the hosts in different vlans have their respective
gateways set to firewalls respective sub-interface IP.
Hope this helps.
Regards,
NT
08-09-2010 09:09 AM
Hi Nagaraja,
I did try it, but it is still not working; see my current config below.
One question: if I disable NAT with the no nat-control command, will I still be able to do NAT?
fwljlpenglda1# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname fwljlpenglda1
domain-name default.domain.invalid
enable password fcAtuJXQCdxxcGDJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.501
description outside_internet
vlan 501
nameif outside_1
security-level 0
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/0.502
description outside_dmz
vlan 502
nameif outside_2
security-level 0
ip address 10.1.2.2 255.255.255.0
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.10
description users_lan
vlan 10
nameif inside_1
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.20
description serv_farm
vlan 20
nameif inside_2
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/1.40
description telephony
vlan 40
nameif inside_3
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/1.50
description guest_lan
vlan 50
nameif inside_4
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
description dmz
shutdown
nameif dmz
security-level 50
ip address 192.168.30.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list lan10 extended permit ip any any
access-list lan20 extended permit ip any any
pager lines 24
logging asdm informational
mtu outside_1 1500
mtu outside_2 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu dmz 1500
mtu management 1500
icmp permit any echo outside_1
icmp permit any echo-reply outside_1
icmp permit any echo inside_1
icmp permit any echo-reply inside_1
icmp permit any echo inside_2
icmp permit any echo-reply inside_2
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside_1) 1 interface
nat (inside_1) 1 192.168.10.0 255.255.255.0
static (dmz,outside_2) 192.168.30.1 10.1.2.2 netmask 255.255.255.255
route outside_1 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username root password hTcSpHuGLTErwasr encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:b0a4079e123e6b3eece868eee6659ff9
: end
08-09-2010 09:19 AM
Hello,
When you disable nat control, the firewall will not compel you to configure
NAT between every interface pair. However, if you did configure NAT, the
firewall will apply those rules and perform NAT as usual.
Hope this helps.
Regards,
NT
11-17-2010 06:27 AM
Hi NT ,
Could you please help to advise? I have an issue on my project. I have already set up the ASA 5510 and configured eth0 for outside (security-level 0), eth1 for DMZ (security-level 50) and eth3 for the internal network (security-level 100). I want to route, ping and FTP from each VLAN to another.
I have configured the necessary ACL to allow the traffic between the (DMZ <=> Outside) interfaces.
Using packet tracer from Outside to DMZ, the packet is allowed. But I can't ping / FTP from one interface to another. Please see the attached screenshot.
But according to your statement, "If you are trying inter-vlan routing, then make sure that both sub-interfaces have a nameif and security level set to same value."
Does it apply to DMZ, internal and external interfaces with different security levels? I really appreciate your advice since I am now confused.
11-17-2010 07:03 AM
Hi Nay,
From where are you not able to ping whom? Only ping, or can't you reach the FTP server through FTP services as well?
AB
08-09-2010 10:05 AM
Hi,
Try using the "same-security-traffic permit intra-interface" command, not "inter-interface", because you want to route between the networks which are
logically connected to your Ethernet0/1 interface, which is the same interface for all your networks. And also, after using this command,
don't forget to change the security level of your Internet and DMZ interfaces, for security reasons.
Hope this helps,
08-11-2010 12:47 AM
Hi NT,
It is not my plan to turn off NAT on the firewall; I will need it in the future to give these VLANs access to the internet through the outside_1 interface.
Thanks anyway for your help.
Underthesiege,
I did both commands and it is still not working; from the firewall I can ping both LANs, but from VLAN 10 I'm not able to ping any host on VLAN 20.
So it is still not working; my updated config follows:
fwljlpenglda1# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname fwljlpenglda1
domain-name default.domain.invalid
enable password fcAtuJXQCdxxcGDJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.501
description outside_internet
vlan 501
nameif outside_1
security-level 0
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/0.502
description outside_dmz
vlan 502
nameif outside_2
security-level 0
ip address 10.1.2.2 255.255.255.0
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.10
description users_lan
vlan 10
nameif inside_1
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.20
description serv_farm
vlan 20
nameif inside_2
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/1.40
description telephony
vlan 40
nameif inside_3
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/1.50
description guest_lan
vlan 50
nameif inside_4
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
description dmz
shutdown
nameif dmz
security-level 50
ip address 192.168.30.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list lan10 extended permit ip any any
access-list lan20 extended permit ip any any
pager lines 24
logging asdm informational
mtu outside_1 1500
mtu outside_2 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu dmz 1500
mtu management 1500
icmp permit any echo outside_1
icmp permit any echo-reply outside_1
icmp permit any echo inside_1
icmp permit any echo-reply inside_1
icmp permit any echo inside_2
icmp permit any echo-reply inside_2
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside_1) 1 interface
nat (inside_1) 1 192.168.10.0 255.255.255.0
static (dmz,outside_2) 192.168.30.1 10.1.2.2 netmask 255.255.255.255
static (inside_1,inside_2) 192.168.20.0 192.168.10.0 netmask 255.255.255.0
static (inside_2,inside_1) 192.168.10.0 192.168.20.0 netmask 255.255.255.0
access-group lan10 in interface inside_1
access-group lan20 in interface inside_2
route outside_1 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username root password hTcSpHuGLTErwasr encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:b0a4079e123e6b3eece868eee6659ff9
: end
08-11-2010 06:46 AM
Hello,
The static statements you have configured are incorrect. Please remove the
following lines:
no static (inside_1,inside_2) 192.168.20.0 192.168.10.0 netmask 255.255.255.0
no static (inside_2,inside_1) 192.168.10.0 192.168.20.0 netmask 255.255.255.0
Please configure the following lines:
static (inside_1,inside_2) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside_2,inside_1) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
Hope this helps.
Regards,
NT
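The checklist in NT's first reply (same security level on both sub-interfaces, `same-security-traffic permit inter-interface`, NAT not forcing a translation) and the identity-static fix just above can be turned into a small script. The following Python is an added example, not code from this thread or from Cisco. It parses the pre-8.3 `show run` format Antonio posted (the 8.3 object-NAT syntax in the later post is not handled) and, for each pair of interfaces with equal security levels, reports: a missing `same-security-traffic permit inter-interface` line, a `nat (ingress) ID` rule with no matching `global` on the egress interface, `nat-control` with nothing translating the pair, a `static` whose mapped addresses land in the egress interface's own subnet (the shape of the two lines NT asked to remove), and whether an identity `static (ingress,egress) X X` covers the source subnet. The sample config is a constructed excerpt of the thread's second configuration. The rule that a matching nat rule with no global on the egress interface blocks the flow unless an identity static covers it is my reading of why the fix worked, and is marked as an assumption in the code.

```python
"""Check a pre-8.3 ASA `show run` for the same-security inter-VLAN pitfalls this thread discusses (added example)."""
import ipaddress
import re
from collections import defaultdict

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d[\d.]+) (\d[\d.]+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")

# Constructed excerpt of the thread's second config (only the lines the check reads).
BASE = """\
interface Ethernet0/1.10
 nameif inside_1
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.20
 nameif inside_2
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
same-security-traffic permit inter-interface
global (outside_1) 1 interface
nat (inside_1) 1 192.168.10.0 255.255.255.0
"""
# The statics Antonio tried first (each VLAN mapped onto the other's subnet) ...
SAMPLE_BEFORE = BASE + """\
static (inside_1,inside_2) 192.168.20.0 192.168.10.0 netmask 255.255.255.0
static (inside_2,inside_1) 192.168.10.0 192.168.20.0 netmask 255.255.255.0
"""
# ... and the identity statics from NT's reply that fixed it.
SAMPLE_AFTER = BASE + """\
static (inside_1,inside_2) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside_2,inside_1) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
"""


def net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_config(text):
    """Collect interfaces, same-security permits, nat-control and nat/global/static lines."""
    cfg = {"interfaces": {}, "same_sec": set(), "nat_control": False,
           "nat": [], "global": defaultdict(set), "static": []}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"nameif": None, "level": None, "net": None}
        elif cur is not None:  # inside an interface block until the closing "!"
            if line.startswith("nameif "):
                cur["nameif"] = line.split()[1]
            elif line.startswith("security-level "):
                cur["level"] = int(line.split()[1])
            elif line.startswith("ip address "):
                cur["net"] = net(*line.split()[2:4])
            elif line == "!":
                if cur["nameif"] and cur["net"] is not None:
                    cfg["interfaces"][cur["nameif"]] = cur
                cur = None
        elif line.startswith("same-security-traffic permit "):
            cfg["same_sec"].add(line.split()[-1])
        elif line == "nat-control":
            cfg["nat_control"] = True
        elif m := NAT_RE.match(line):
            cfg["nat"].append((m[1], m[2], net(m[3], m[4])))
        elif m := GLOBAL_RE.match(line):
            cfg["global"][m[1]].add(m[2])
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            cfg["static"].append((real_if, mapped_if, net(mapped, mask), net(real, mask)))
    return cfg


def check_same_security_pairs(cfg):
    """Return (ingress, egress, problem) for each same-level pair that will not pass traffic."""
    ifs, problems = cfg["interfaces"], []
    if "inter-interface" not in cfg["same_sec"]:
        problems.append(("*", "*", "same-security-traffic permit inter-interface is missing"))
    for a in sorted(ifs):
        for b in sorted(ifs):
            if a == b or ifs[a]["level"] != ifs[b]["level"]:
                continue
            src = ifs[a]["net"]
            statics = [s for s in cfg["static"] if s[0] == a and s[1] == b]
            for _, _, mapped, real in statics:  # a static that rewrites a's hosts into b's own subnet
                if mapped != real and mapped.overlaps(ifs[b]["net"]):
                    problems.append((a, b, f"static maps {real} onto {mapped}, {b}'s own subnet"))
            if any(mapped == real and real.overlaps(src) for _, _, mapped, real in statics):
                continue  # identity static: addresses pass unchanged (assumed to take precedence over dynamic nat)
            ids = {n[1] for n in cfg["nat"] if n[0] == a and n[2].overlaps(src)}
            if ids & cfg["global"][b]:
                continue  # dynamic NAT/PAT onto b exists
            if ids:  # assumption: a matching nat rule with no global on the egress interface drops the flow
                problems.append((a, b, f"nat id {sorted(ids)} matches {src} but {b} has no global"))
            elif cfg["nat_control"]:
                problems.append((a, b, f"nat-control is on and nothing translates {src} to {b}"))
    return problems


if __name__ == "__main__":
    for label, text in (("before fix", SAMPLE_BEFORE), ("after fix", SAMPLE_AFTER)):
        print(label, check_same_security_pairs(parse_config(text)) or "no problems")
```

Run it against a real `show run` by reading the file into `parse_config`; on the constructed "before" sample it reports the two colliding statics plus the inside_1 nat rule with no global on inside_2, and on the "after" sample it reports nothing. The check deliberately stays with the address-level conditions the thread established and does not model ACLs or interface shutdown state.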
08-11-2010 08:30 AM
Hi NT,
Thanks, it worked nicely. It is pinging perfectly now.
Great for that.
regards
Antonio
02-23-2011 07:39 AM
Hello Nagaraj,
I have the same configuration and want to get communication between two LAN sub-interfaces on an ASA 5510, version 8.3.
I have tried to follow your given steps but no luck.
1) Same Security Level for Both VLAN Interface
2) Run command - same-security-traffic permit inter-interface.
Please guide me on what to do next. I am running the latest version of ASA 5510, version 8.3.
ASA Configuration:
names
!
interface Ethernet0/0
description ASA Outside segment
speed 100
duplex full
nameif outside
security-level 0
ip address 62.173.33.67 255.255.255.240
!
interface Ethernet0/1
description VLAN AGGREGATION point
no nameif
no security-level
no ip address
!
interface Ethernet0/1.2
vlan 2
nameif INSIDE
security-level 100
ip address 192.168.172.1 255.255.255.0
!
interface Ethernet0/1.3
description LAN Segment
vlan 3
nameif LAN
security-level 100
ip address 192.168.173.1 255.255.255.0
!
interface Ethernet0/1.4
description VoIP network segment
vlan 4
nameif VOIP
security-level 90
ip address 192.168.174.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.175.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE
subnet 192.168.172.0 255.255.255.0
object network LAN
subnet 192.168.173.0 255.255.255.0
object network WEB_TEST
host 192.168.173.120
object network ISR
host 192.168.172.69
access-list outside-in extended permit tcp any object WEB_TEST eq www
access-list outside-in extended permit ip any object ISR
access-list vlan3-in extended permit tcp object WEB_TEST eq www any
access-list vlan2-in extended permit ip object ISR any
pager lines 24
mtu outside 1500
mtu INSIDE 1500
mtu LAN 1500
mtu VOIP 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network INSIDE
nat (INSIDE,outside) dynamic interface
object network LAN
nat (LAN,outside) dynamic interface
object network WEB_TEST
nat (LAN,outside) static 62.173.33.77
access-group outside-in in interface outside
access-group vlan3-in in interface LAN
route outside 0.0.0.0 0.0.0.0 62.173.33.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.172.150 255.255.255.255 LAN
http 192.168.173.100 255.255.255.255 LAN
http 192.168.173.150 255.255.255.255 LAN
http 192.168.175.150 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 192.168.172.150 255.255.255.255 INSIDE
ssh 192.168.173.100 255.255.255.255 LAN
ssh 192.168.173.150 255.255.255.255 LAN
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Rakh password EV9pEo1UkhHJSbIW encrypted privilege 15
username Sigma password x0qPjGQ7LLxUxZ9k encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:77577f5b1d4d3927d0f656cf94dcd487
: end