ASA 5505 router-on-a-stick, can't ping between VLANs
May 25th, 2012

Hi, I am trying to get my ASA 5505 with 2 internal VLANs (voice and data) and an external internet VLAN to run as router-on-a-stick and route between VLANs.

I can't get it working though:

From the data VLAN switchport I can ping 192.168.69.1 (local VLAN) but not 192.168.70.1 (the firewall IP on the other VLAN).

Connecting to the voice VLAN switchport I can ping 192.168.70.1 (local VLAN) but not 192.168.69.1 (the firewall IP on the other VLAN).

I have used WatchGuard firewalls before and had this working instantly; with the ASA, however, it is a nightmare.

Can you please let me know what I am doing wrong and how I can make the ASA route between subnets?

Thanks,

Chris

Result of the command: "show running"

: Saved
:
ASA Version 8.4(4)
!
hostname ciscoasa
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 70
!
interface Ethernet0/7
 switchport access vlan 70
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.69.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan70
 no forward interface Vlan2
 nameif voice
 security-level 100
 ip address 192.168.70.1 255.255.255.0
!
boot system disk0:/asa844-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.69.0
 subnet 192.168.69.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.70.0
 subnet 192.168.70.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.69.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list voice_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.70.0 255.255.255.0 192.168.69.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu voice 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
!
object network obj-192.168.69.0
 nat (inside,voice) static 192.168.69.0
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-192.168.70.0
 nat (voice,inside) static 192.168.70.0
access-group inside_access_in in interface inside
access-group voice_access_in in interface voice
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.69.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.69.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.69.5-192.168.69.254 inside
dhcpd enable inside
!
threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

varrao Fri, 05/25/2012 - 16:23

What is the license that you have on the device?

Thanks,
Varun Rao
Security Team,
Cisco TAC

cmorley@pvaxx.com Fri, 05/25/2012 - 16:27

Hi Varun, thanks for the fast reply.

It is the Base license; from the license details in ASDM: 8 physical interfaces, 3 VLANs, no VLAN trunk ports, inside hosts unlimited.

Regards

varrao Fri, 05/25/2012 - 16:35

Hi,

With the Base license you have a DMZ-restricted license; if you do "show version" on the CLI you will see it.

This means you can only have 2 regular zones which can communicate with each other, and a 3rd one which is restricted: traffic can only be initiated from one VLAN.

Here's the license doc:

http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.html#wp190062

Thanks,
Varun Rao
Security Team,
Cisco TAC

Julio Carvaja Fri, 05/25/2012 - 16:36

Hello,

Important thing for you to know:

1- In order to allow ICMP packets to traverse the ASA you need to statefully inspect the ICMP protocol.

2- You cannot ping a distant interface. What does this mean? If you are behind the inside interface you will be able to ping it, but you will not be able to ping the outside interface IP address or the DMZ interface IP address. This is a built-in security measure.

3- ASA 5505 with a Base license: traffic will only be allowed (unrestricted) from 2 VLANs; the 3rd one will be restricted. This means the 3rd VLAN will only be able to talk to one other interface, not to both of them.

In order to change the behavior of the traffic that will be allowed from the 3rd VLAN you need the following command:

- no forward interface vlan #

To solve this you will need a Plus license.

Regards,

Do rate all the helpful posts.

Julio

Security Engineer
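The three rules in the replies (a far-side interface IP is not pingable, a VLAN carrying `no forward interface X` cannot initiate traffic to X on the Base license, and ICMP is only stateful with `inspect icmp`) can be checked against the posted config mechanically. The script below is an added example, not part of this thread and not a Cisco tool: it parses a constructed excerpt of the running-config above (the VLAN interface blocks and `global_policy`) and explains, for a given source VLAN and target address, whether an echo request should succeed and why. The function names (`parse_config`, `diagnose_ping`) and the host addresses in the demo cases are assumptions made for the example.

```python
"""Added example, not from the thread or from Cisco: a checker for the config
posted above. It parses the VLAN interface blocks and global_policy, then
explains a ping using the three rules from the replies: an ASA interface IP is
only reachable from behind that interface, a VLAN with `no forward interface X`
cannot initiate traffic to X (Base-license third VLAN), and ICMP through the
box is only stateful when `inspect icmp` is in the policy."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed excerpt of the posted running-config, trimmed to the lines read here.
RUNNING_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.69.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address dhcp setroute
!
interface Vlan70
 no forward interface Vlan2
 nameif voice
 ip address 192.168.70.1 255.255.255.0
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect sip
!
service-policy global_policy global
"""

@dataclass
class Iface:
    vlan: str
    nameif: str = ""
    address: "ipaddress.IPv4Address | None" = None
    network: "ipaddress.IPv4Network | None" = None
    no_forward: set = field(default_factory=set)  # VLANs this one may not initiate to

@dataclass
class Config:
    ifaces: dict = field(default_factory=dict)  # "VlanN" -> Iface
    inspects: set = field(default_factory=set)  # protocols inspected in global_policy
    default_iface: "str | None" = None          # VLAN that holds the default route

def parse_config(text: str) -> Config:
    cfg, cur, policy = Config(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":                            # block terminator
            cur = policy = None
        elif m := re.match(r"interface (Vlan\d+)$", line):
            cur = cfg.ifaces[m.group(1)] = Iface(vlan=m.group(1))
        elif m := re.match(r"policy-map (\S+)$", line):
            policy = m.group(1)
        elif cur is not None and line:
            words = line.split()
            if words[0] == "nameif":
                cur.nameif = words[1]
            elif line.startswith("no forward interface "):
                cur.no_forward.add(words[3])
            elif line.startswith("ip address dhcp"):
                if "setroute" in words:
                    cfg.default_iface = cur.vlan
            elif line.startswith("ip address "):
                cur.address = ipaddress.ip_address(words[2])
                cur.network = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif policy == "global_policy" and line.startswith("inspect "):
            cfg.inspects.add(line.split()[1])
    return cfg

def diagnose_ping(cfg: Config, src_vlan: str, dst_ip: str):
    """Return (allowed, notes) for an echo request from a host behind src_vlan."""
    src, dst, notes = cfg.ifaces[src_vlan], ipaddress.ip_address(dst_ip), []
    owner = next((i for i in cfg.ifaces.values() if i.address == dst), None)
    if owner is not None:                          # target is one of the ASA's own IPs
        if owner is src:
            return True, ["local interface IP, answered by the ASA itself"]
        return False, [f"{dst} is the far-side {owner.nameif} interface IP; the ASA "
                       "only answers on the interface the host sits behind"]
    dst_if = next((i for i in cfg.ifaces.values() if i.network and dst in i.network), None)
    if dst_if is None:                             # assumes the config carries a default route
        dst_if = cfg.ifaces[cfg.default_iface]
        notes.append(f"{dst} follows the default route out of {dst_if.nameif}")
    if dst_if.vlan in src.no_forward:
        return False, notes + [f"{src.vlan} carries 'no forward interface {dst_if.vlan}' "
                               "(Base license third-VLAN restriction)"]
    if "icmp" not in cfg.inspects:
        notes.append(f"ICMP is not inspected, so the echo reply must be permitted by the "
                     f"ACL applied inbound on {dst_if.nameif}; 'inspect icmp' avoids that")
    return True, notes

if __name__ == "__main__":
    cfg = parse_config(RUNNING_CONFIG)
    for src, dst in [("Vlan1", "192.168.70.1"), ("Vlan1", "192.168.70.10"), ("Vlan70", "8.8.8.8")]:
        ok, notes = diagnose_ping(cfg, src, dst)
        print(f"{src} -> {dst}: {'pass' if ok else 'BLOCKED'} | " + "; ".join(notes))
```

Run against the posted config, the two pings the question describes (inside to 192.168.70.1 and voice to 192.168.69.1) are both reported as far-side interface IPs, which is point 2 in the reply above rather than a routing or license fault; a host-to-host ping between the two subnets is allowed by the config, with the caveat that ICMP is not inspected; and any voice-initiated traffic toward the outside VLAN is stopped by `no forward interface Vlan2`, which is the Base-license restriction from point 3. The on-box equivalent of this check is `packet-tracer input inside icmp <host> 8 0 <target>`.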
