Inter VLAN-Routing ASA 5505

Answered Question
Jul 9th, 2012
User Badges:

Hello,


I've been reading all over the internet (including this site) trying to figure out if the ASA can handle inter-VLAN routing. I'm not sure what I am missing in my config to get this to work. I've read that it can work and I've read that it can't work. Can someone lead me in the right direction on how to get this to work on my ASA 5505?


Here is my setup


Cable Modem ---> ASA (eth0/0) 

                                   (eth0/2) --> unmanaged switch for LAN connectivity

                                   (eth0/3) --> access point for wireless LAN connectivity


My config is attached


What I would like to do is be able to communicate between vlan3 (LAN) and vlan4 (wireless LAN).


What's strange is I can RDP between the two VLANs but I can't ping or do anything else.


Any help is appreciated!

Correct Answer by Ramraj Sivagnan... about 5 years 3 weeks ago

Hi Bro

I believe everything is working fine now. Please do paste your latest config here, so that the others could learn from your experience as well.




P/S: If you think this comment is useful, please do rate them nicely :-)

Jouni Forss Mon, 07/09/2012 - 22:33
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Personally I would do the following


1.) Change the wifi interface security-level to something like 99

2.) remove the nat command: static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

3.) Configure icmp inspection so ICMP will pass through without opening both directions for the traffic (echo and reply)

4.) Build access-lists for each interface even though they might be simple


One option with the NAT you have is of course using NAT0/NAT exempt to tell the ASA that no translation between these networks will be done. Then again, I think the ASA doesn't have "nat-control" configured at the moment, so removing both the static translations should still mean your 2 LAN networks should be able to reach each other without using NAT.


- Jouni

Jouni Forss Mon, 07/09/2012 - 22:33
User Badges:
  • Super Bronze, 10000 points or more

The ICMP inspection configuration was


policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

Garland Moore Tue, 07/10/2012 - 21:27
User Badges:

Jouni Forss, thanks for your response. I tried your suggested steps and I was still unable to talk between the two VLANs. Is my approach to this scenario wrong? I know ASAs aren't typically used as Layer devices but from what I've been reading it can be done.


From my reading it seems like the following alone should allow me to talk across the VLANs:


static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0


same-security-traffic permit inter-interface

same-security-traffic permit intra-interface


Sorry for all the questions, I'm familiar with routing and switching. The ASA is kind of a different beast.


Another thing that's weird to me is that when I do a packet trace it states that the packet is allowed. Any help is appreciated.

Jouni Forss Tue, 07/10/2012 - 23:22
User Badges:
  • Super Bronze, 10000 points or more

Hi,


There should be no problem using the ASA in this kind of setup, though I'm more used to doing this with the other ASA models, ASA 5510 and onwards, where the interface configuration differs from the ASA 5505 (no actual switch ports).


The "same-security-traffic" command basically either permits traffic between interfaces with the same security-level or allows traffic to be sent out the same interface it originally came in on. In this case only one of them should apply.


Seems strange to me that you can indeed use RDP connections but nothing else works. One would think the problem stems from something other than the firewall settings if some connections go through.


Have you been able to send ICMP through the firewall after adding the commands I mentioned? There shouldn't be anything preventing the echos/echo replies other than the devices sending them.


If you want to allow ICMP echos on your ASA's interfaces you can use the command


icmp permit any


This command allows you to ping the ASA's interfaces. Notice though that you can't ping an ASA interface behind another ASA interface. You can only ping the interface behind which you are connected.


I typically allow ICMP on all interfaces that aren't connected to a public network/Internet.


Naturally, if you have some TCP connection that you can use to test traffic between these VLANs, try it out and at the same time monitor the traffic through ASDM and see what happens to the connection. Does the connection get built on the ASA but then get torn down by SYN Timeout, or what is happening?


- Jouni

Garland Moore Wed, 07/11/2012 - 22:00
User Badges:

So I've made the changes you suggested but I'm still unable to get the functionality I am looking for. My config after the changes is below.


ASA Version 8.2(2)

!

hostname frw01

enable password .MlTybcgwEXNF1HM encrypted

passwd .MlTybcgwEXNF1HM encrypted

names

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

no forward interface Vlan4

nameif guest

security-level 50

ip address 172.16.10.1 255.255.255.0

!

interface Vlan4

nameif inside

security-level 99

ip address 172.16.1.1 255.255.255.0

!

interface Vlan5

nameif insidewifi

security-level 100

ip address 172.16.2.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 3

!

interface Ethernet0/2

switchport access vlan 4

!

interface Ethernet0/3

switchport access vlan 5

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group icmp-type DefaultICMP

description Default ICMP Types permitted

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

access-list icmp_outside extended permit icmp any any object-group DefaultICMP

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu insidewifi 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any insidewifi

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (guest) 1 172.16.10.0 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.0

nat (insidewifi) 1 172.16.2.0 255.255.255.0

static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

access-group icmp_outside in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 172.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 172.16.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 172.16.1.102

!

dhcprelay server 172.16.1.102 inside

dhcprelay enable guest

dhcprelay enable insidewifi

dhcprelay timeout 60


threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username ******** password PNUmTwjDhevRqhkT encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:3fcbac02b3e4b4e6919cf34a9137b4fb







Below is the error message that I receive when trying to connect to an access point on a different subnet.


Severity: 2   Date: Jul 11 2012   Time: 23:52:18   Syslog ID: 106001   Source IP: 172.16.1.200   Source port: 50262   Destination IP: 172.16.2.1   Destination port: 80
Inbound TCP connection denied from 172.16.1.200/50262 to 172.16.2.1/80 flags SYN on interface inside


Maybe I have some overkill here and should start from scratch and change my approach. It seems that my lack of experience with the ASA is part of the issue.


Suggestions or thoughts?

Jouni Forss Wed, 07/11/2012 - 23:26
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Seems to me that the log message implies that the host (inside) 172.16.1.200 is connecting to the ASA interface (insidewifi) itself (TCP SYN to the interface IP).


This will naturally be blocked. In the same way an ICMP from behind the "inside" interface to the "insidewifi" would be blocked.


Why are you connecting to the ASA interface IP?


- Jouni
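
As an added illustration (not code from this thread or from Cisco), here is a small parser for the two ASA deny messages that matter in this discussion: the 106001 message the poster pasted (implicit deny of a new connection when no ACL is bound on the ingress interface) and the 106100 message that an access-list entry with the log keyword emits. It also checks whether the denied destination is one of the ASA's own interface addresses from the posted config, which is the distinction drawn in the reply above (to-the-box traffic versus a through connection). The three sample lines are constructed; the first carries the same fields as the poster's message, the other two use invented values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample messages (not copied from a real device).
SAMPLE_LOGS = [
    "%ASA-2-106001: Inbound TCP connection denied from 172.16.1.200/50262 "
    "to 172.16.2.1/80 flags SYN  on interface inside",
    "%ASA-6-106100: access-list guest denied tcp guest/172.16.10.50(40000) -> "
    "inside/172.16.1.102(445) hit-cnt 1 first hit [0x0, 0x0]",
    "%ASA-6-302013: Built inbound TCP connection 12 for inside:172.16.1.200/50263 "
    "(172.16.1.200/50263) to insidewifi:172.16.2.20/3389 (172.16.2.20/3389)",
]

# Interface addresses taken from the posted configuration (address -> nameif).
ASA_INTERFACE_IPS = {
    "172.16.10.1": "guest",
    "172.16.1.1": "inside",
    "172.16.2.1": "insidewifi",
}


@dataclass
class DenyEvent:
    msg_id: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ingress: str            # interface the packet arrived on
    acl: Optional[str]      # ACL name for 106100, None for 106001


# 106001: "Inbound <proto> connection denied from A/p to B/q flags F on interface X"
RE_106001 = re.compile(
    r"%ASA-\d-106001: Inbound (?P<proto>\w+) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?)\s+on interface (?P<ifc>\S+)"
)
# 106100: "access-list NAME denied proto ifc/A(p) -> ifc/B(q) hit-cnt ..."
RE_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<sifc>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<difc>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def parse_deny(line: str) -> Optional[DenyEvent]:
    """Return a DenyEvent for 106001 lines and for 106100 'denied' lines, else None."""
    m = RE_106001.search(line)
    if m:
        return DenyEvent("106001", m["proto"].lower(), m["src"], int(m["sport"]),
                         m["dst"], int(m["dport"]), m["ifc"], None)
    m = RE_106100.search(line)
    if m and m["action"] == "denied":
        return DenyEvent("106100", m["proto"], m["src"], int(m["sport"]),
                         m["dst"], int(m["dport"]), m["sifc"], m["acl"])
    return None


def classify(ev: DenyEvent) -> str:
    """'to-asa-interface' when the destination is one of the ASA's own addresses
    (to-the-box traffic, governed by the icmp/ssh/http permit commands rather
    than by interface ACLs or security levels); otherwise 'through-traffic'."""
    return "to-asa-interface" if ev.dst_ip in ASA_INTERFACE_IPS else "through-traffic"


def describe(ev: DenyEvent) -> str:
    """One-line triage text for an event."""
    if classify(ev) == "to-asa-interface":
        ifc = ASA_INTERFACE_IPS[ev.dst_ip]
        return (f"{ev.src_ip}:{ev.src_port} on {ev.ingress} -> {ev.dst_ip}:{ev.dst_port}, "
                f"which is the ASA's own '{ifc}' interface address; not a through connection")
    why = f"ACL '{ev.acl}'" if ev.acl else "implicit rule (no ACL bound on ingress)"
    return (f"{ev.src_ip}:{ev.src_port} on {ev.ingress} -> {ev.dst_ip}:{ev.dst_port} "
            f"{ev.proto} denied by {why}")


def triage(lines: List[str]) -> List[Tuple[DenyEvent, str]]:
    """Keep only deny events, paired with their explanation."""
    out = []
    for line in lines:
        ev = parse_deny(line)
        if ev:
            out.append((ev, describe(ev)))
    return out


if __name__ == "__main__":
    for ev, text in triage(SAMPLE_LOGS):
        print(ev.msg_id, classify(ev), "-", text)
```

Run against the constructed lines, the first event resolves to the insidewifi interface address, which is the point the reply makes: that message does not say anything about traffic between the two LAN segments.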

Jouni Forss Wed, 07/11/2012 - 23:34
User Badges:
  • Super Bronze, 10000 points or more

Also,


Have you considered configuring a trunk between the ASA 5505 and the local switch? At the moment you just have access ports for all the VLAN interfaces on the ASA.


I presume you have gotten the ASA with something other than the Base license, since you have over 3 interfaces on it. To my understanding.


Unfortunately I so rarely deal with the ASA 5505 that I have forgotten some of the differences it has to the later models.


- Jouni

Garland Moore Thu, 07/12/2012 - 06:27
User Badges:

The log above was generated when trying to ping a host on a different VLAN. I wasn't attempting to connect to the ASA interface IP. The switch connected to the ASA is an unmanaged switch, so I didn't think a trunk was necessary since everything connected to that switch will be on the same VLAN.


The ASA does have a Security Plus license.

Jouni Forss Mon, 07/16/2012 - 02:12
User Badges:
  • Super Bronze, 10000 points or more

Hi,


I guess by ping you are referring to some application testing TCP traffic (the same way the newer ASA software versions have TCP ping)? An actual ICMP echo wouldn't generate that message.


I assume the unmanaged switch is only connected to port Ethernet0/2 on the ASA? (only for interface "inside" users)


- Jouni

Ramraj Sivagnan... Mon, 07/16/2012 - 02:35
User Badges:
  • Silver, 250 points or more

Hi Bro

Based on your requirement as stated in this subject, you want to PING between Vlan3 and Vlan4. This is not hard. Just follow the comments I've given you below, and you will do just fine :-)


!
interface Vlan3
no forward interface Vlan4  <-- remove this line!!!!!!!!!!!!!!!
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!


object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo <-- add this!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded


no access-list icmp_outside extended permit icmp any any object-group DefaultICMP
no access-group icmp_outside in interface outside


access-list guest permit icmp any any object-group DefaultICMP
access-list guest deny ip any any log
access-group guest in interface guest


access-list inside permit icmp any any object-group DefaultICMP
access-list inside deny ip any any log
access-group inside in interface inside


static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0


By the way, could you also paste the output of the command "show threat-detection shun" here as well.


If this still doesn't work, paste your latest show run output here. This should be easy and fast :-) Good luck bro
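
The two replies above (the explanation of security levels and "same-security-traffic", and the fix that removes "no forward interface" and binds ACLs to guest and inside) can be condensed into a small decision model. The code below is an added example, not the posters' or Cisco's code: it models only the order in which ASA 8.2 decides whether a new through-the-box connection between two named interfaces is allowed ("no forward interface", then the inbound ACL bound with access-group, then the implicit security-level rule). NAT, ICMP inspection and to-the-box traffic are deliberately out of scope, and ACL entries are reduced to (action, protocol) for "any any" rules, so the icmp-type object-group is flattened to plain icmp.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# An ACE reduced to (action, protocol) for "any any" rules; "ip" matches every protocol.
Ace = Tuple[str, str]


@dataclass
class Interface:
    name: str                            # the nameif value
    security_level: int
    acl: Optional[List[Ace]] = None      # None = no access-group bound inbound
    no_forward: Set[str] = field(default_factory=set)  # "no forward interface" targets, by nameif


@dataclass
class Asa:
    interfaces: Dict[str, Interface]
    same_security_inter: bool = False    # "same-security-traffic permit inter-interface"

    def decide(self, ingress: str, egress: str, proto: str) -> Tuple[bool, str]:
        """Return (permitted, reason) for a new connection entering `ingress`
        and leaving `egress`, checked in the order the ASA applies them."""
        src = self.interfaces[ingress]
        dst = self.interfaces[egress]
        # 1. ASA 5505 "no forward interface" blocks connections initiated from
        #    this VLAN toward the named one, whatever the levels or ACLs say.
        if egress in src.no_forward:
            return False, f"{ingress}: 'no forward interface' toward {egress}"
        # 2. An inbound ACL on the ingress interface replaces the implicit rule:
        #    first matching ACE wins, implicit deny at the end of the list.
        if src.acl is not None:
            for action, p in src.acl:
                if p in ("ip", proto):
                    return action == "permit", f"ACL on {ingress}: {action} {p} any any"
            return False, f"ACL on {ingress}: implicit deny at end of list"
        # 3. No ACL bound: the security levels decide.
        lo, hi = src.security_level, dst.security_level
        if lo > hi:
            return True, f"implicit: {ingress}({lo}) -> {egress}({hi}) higher to lower"
        if lo == hi:
            if self.same_security_inter:
                return True, "implicit: same level, permitted by same-security-traffic inter-interface"
            return False, "implicit: same level, no same-security-traffic permit inter-interface"
        return False, f"implicit: {ingress}({lo}) -> {egress}({hi}) lower to higher is denied"


def poster_second_config() -> Asa:
    """The 07/11 configuration: levels 0/50/99/100, an ACL bound only on outside,
    'no forward interface Vlan4' under Vlan3 (Vlan4 carries nameif inside)."""
    return Asa(
        interfaces={
            "outside": Interface("outside", 0, acl=[("permit", "icmp")]),
            "guest": Interface("guest", 50, no_forward={"inside"}),
            "inside": Interface("inside", 99),
            "insidewifi": Interface("insidewifi", 100),
        },
        same_security_inter=True,
    )


def final_config(tighten_guest: bool = False) -> Asa:
    """The configuration that ended up working: inside 100, guest and insidewifi 50,
    a 'permit ip any any' ACL bound on every interface. With tighten_guest=True the
    guest ACL is replaced by the echo-only list proposed in the reply above."""
    guest_acl = [("permit", "icmp"), ("deny", "ip")] if tighten_guest else [("permit", "ip")]
    return Asa(
        interfaces={
            "outside": Interface("outside", 0, acl=[("permit", "ip")]),
            "guest": Interface("guest", 50, acl=guest_acl),
            "inside": Interface("inside", 100, acl=[("permit", "ip")]),
            "insidewifi": Interface("insidewifi", 50, acl=[("permit", "ip")]),
        },
        same_security_inter=True,
    )


def matrix(asa: Asa, proto: str = "tcp") -> Dict[Tuple[str, str], bool]:
    """Permit/deny for every ordered pair of internal interfaces."""
    names = [n for n in asa.interfaces if n != "outside"]
    return {(a, b): asa.decide(a, b, proto)[0] for a in names for b in names if a != b}


if __name__ == "__main__":
    for label, asa in (("07/11 config", poster_second_config()),
                       ("working config", final_config()),
                       ("working config, guest tightened", final_config(tighten_guest=True))):
        print(label)
        for (a, b), ok in matrix(asa).items():
            print(f"  {a:>10} -> {b:<10} {'permit' if ok else 'DENY':6}  {asa.decide(a, b, 'tcp')[1]}")
```

The model makes the 07/11 symptom visible: with no ACL bound on inside and inside at level 99 below insidewifi at 100, new connections from inside to insidewifi hit the implicit lower-to-higher deny while the reverse direction is permitted, and guest cannot initiate toward inside at all because of "no forward interface". In the working config every interface carries its own ACL, so the ACL decides and the levels no longer matter; the tightened guest list shows how the "guest reaches inside only for ICMP" requirement would then be expressed.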

Garland Moore Mon, 07/16/2012 - 19:14
User Badges:

Ramraj, thanks for your response! Here's what I'm attempting to do...


I would like to have 4 VLANs


Vlan2 -- Outside

Vlan3 -- Guest Wifi

Vlan4 -- Inside LAN

Vlan5 -- Inside LAN Wifi


I would like to allow any communication between Vlan 4 and Vlan 5.

I would then like Vlan4 and Vlan5 to access Vlan 3 but not vice versa (not critical for this functionality to work)

I would like all the Vlans to have access to the internet.


I know the ASA is not a router but can act as one (kinda). The "show threat-detection shun" command didn't return any results. I appreciate any assistance with helping me get this up and running.



Here is my latest config



: Saved

:

ASA Version 8.2(2)

!

hostname frw01

enable password .MlTybcgwEXNF1HM encrypted

passwd .MlTybcgwEXNF1HM encrypted

names

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

nameif guest

security-level 50

ip address 172.16.10.1 255.255.255.0

!

interface Vlan4

nameif inside

security-level 99

ip address 172.16.1.1 255.255.255.0

!

interface Vlan5

nameif insidewifi

security-level 100

ip address 172.16.2.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 3

!

interface Ethernet0/2

switchport access vlan 4

!

interface Ethernet0/3

switchport access vlan 5

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group icmp-type DefaultICMP

description Default ICMP Types permitted

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

access-list icmp_outside extended permit icmp any any object-group DefaultICMP

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu insidewifi 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any insidewifi

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (guest) 1 172.16.10.0 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.0

nat (insidewifi) 1 172.16.2.0 255.255.255.0

static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

access-group icmp_outside in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 172.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 172.16.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 172.16.1.102

!

dhcprelay server 172.16.1.102 inside

dhcprelay enable guest

dhcprelay enable insidewifi

dhcprelay timeout 60


threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username ***** password PNUmTwjDhevRqhkT encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

Ramraj Sivagnan... Mon, 07/16/2012 - 22:56
User Badges:
  • Silver, 250 points or more

Hi Bro

Please delete / write erase your present FW configuration, and paste the configuration shown below. This will work. I've done it many times, so I know this will work :-)


Please ensure the hub or switch connected to each of the FW interfaces is different, for security and network performance purposes, e.g. Ethernet0/0 - 0/3.


As for the rules portion, let's keep it loose for now. Once all is good, we can then tighten them yaa :-)


Let me know how it goes...


!
hostname FW01
enable password cisco
passwd cisco
!
interface Vlan2
description ### Link to Internet ###
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description ### Link to GUEST WIFI  ###
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
description ### Link to INSIDE LAN ###
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
description ### Link to INSIDE WIFI ###
nameif insidewifi
security-level 50
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
description ### Link to Internet ###
switchport access vlan 2
!
interface Ethernet0/1
description ### Link to GUEST WIFI  ###
switchport access vlan 3
!
interface Ethernet0/2
description ### Link to INSIDE LAN ###
switchport access vlan 4
!
interface Ethernet0/3
description ### Link to INSIDE WIFI ###
switchport access vlan 5
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!

no nat-control

!
same-security-traffic permit inter-interface
!
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any

access-group outside in interface outside
access-group inside in interface inside
access-group guest in interface guest
access-group insidewifi in interface insidewifi


global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0

aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

http server enable
http 172.16.1.0 255.255.255.0 inside

username cisco password cisco privilege 15

ssh 172.16.1.0 255.255.255.0 inside

management-access inside

dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay timeout 60
dhcprelay setroute guest
dhcprelay setroute insidewifi

Garland Moore Tue, 07/17/2012 - 21:01
User Badges:

Ok, so I took your advice and pasted your config. Now the only host on the inside VLAN can get to the internet. The other VLANs get IP addresses but that's it. I've gotta be missing something simple here.


Here is my config:



hostname FW01

enable password .MlTybcgwEXNF1HM encrypted

passwd .MlTybcgwEXNF1HM encrypted

names

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan2

description ### Link to Internet ###

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

description ### Link to GUEST WIFI  ###

nameif guest

security-level 50

ip address 172.16.10.1 255.255.255.0

!

interface Vlan4

description ### Link to INSIDE LAN ###

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

!

interface Vlan5

description ### Link to INSIDE WIFI ###

nameif insidewifi

security-level 50

ip address 172.16.2.1 255.255.255.0

!

interface Ethernet0/0

description ### Link to Internet ###

switchport access vlan 2

!

interface Ethernet0/1

description ### Link to GUEST WIFI  ###

switchport access vlan 3

!

interface Ethernet0/2

description ### Link to INSIDE LAN ###

switchport access vlan 4

!

interface Ethernet0/3

description ### Link to INSIDE WIFI ###

switchport access vlan 5

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

same-security-traffic permit inter-interface

access-list inside extended permit ip any any

access-list outside extended permit ip any any

access-list guest extended permit ip any any

access-list insidewifi extended permit ip any any

pager lines 24

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu insidewifi 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (guest) 1 172.16.10.0 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.0

nat (insidewifi) 1 172.16.2.0 255.255.255.0

access-group outside in interface outside

access-group guest in interface guest

access-group inside in interface inside

access-group insidewifi in interface insidewifi

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 172.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 172.16.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 172.16.1.102

dhcpd ping_timeout 750

!

dhcprelay server 172.16.1.102 inside

dhcprelay enable guest

dhcprelay enable insidewifi

dhcprelay setroute guest

dhcprelay setroute insidewifi

dhcprelay timeout 60


threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username ****** password PNUmTwjDhevRqhkT encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:28bf26da86f44244c8f0e4768f75ee70

: end

Ramraj Sivagnan... Tue, 07/17/2012 - 21:14
User Badges:
  • Silver, 250 points or more

Hi Bro

Your Cisco ASA config is good, but I'm surprised only INSIDE can access the Internet. Can you confirm the following:


a) LAN users in insidewifi and guest can PING their gateway, i.e. the Cisco ASA itself?

b) LAN users in insidewifi and guest can PING to any Public IP Address e.g. 8.8.8.8?

c) LAN users in insidewifi and guest can PING to any Public FQDN e.g. www.yahoo.com?

d) Are the DNS server settings in insidewifi and guest correct, i.e. the same as for inside users? Is the nslookup output the same?

e) Can you paste the show xlate, and show access-list output here?

Garland Moore Tue, 07/17/2012 - 22:22
User Badges:

I added the static NAT commands below and my VLANs can now talk to the internet.


static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0


Are these necessary?

Ramraj Sivagnan... Tue, 07/17/2012 - 22:37
User Badges:
  • Silver, 250 points or more

This is weird :-) I've never seen anything like this before. Are you sure you have keyed in the command "no nat-control"?

Garland Moore Wed, 07/18/2012 - 20:02
User Badges:

Bro,


From my understanding the ASA 5505 has nat-control disabled by default. I issued the command anyway and removed the static NAT commands, but I was still unable to access the internet. The only way internet access will work is if I have the static NAT commands.


Here is the config



ASA Version 8.2(2)

!

hostname FW01

enable password .MlTybcgwEXNF1HM encrypted

passwd .MlTybcgwEXNF1HM encrypted

names

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan2

description ### Link to Internet ###

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

description ### Link to GUEST WIFI  ###

nameif guest

security-level 50

ip address 172.16.10.1 255.255.255.0

!

interface Vlan4

description ### Link to INSIDE LAN ###

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

!

interface Vlan5

description ### Link to INSIDE WIFI ###

nameif insidewifi

security-level 50

ip address 172.16.2.1 255.255.255.0

!

interface Ethernet0/0

description ### Link to Internet ###

switchport access vlan 2

!

interface Ethernet0/1

description ### Link to GUEST WIFI  ###

switchport access vlan 3

!

interface Ethernet0/2

description ### Link to INSIDE LAN ###

switchport access vlan 4

!

interface Ethernet0/3

description ### Link to INSIDE WIFI ###

switchport access vlan 5

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

same-security-traffic permit inter-interface

access-list inside extended permit ip any any

access-list outside extended permit ip any any

access-list guest extended permit ip any any

access-list insidewifi extended permit ip any any

pager lines 24

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu insidewifi 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (guest) 1 172.16.10.0 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.0

nat (insidewifi) 1 172.16.2.0 255.255.255.0

access-group guest in interface guest

access-group inside in interface inside

access-group insidewifi in interface insidewifi

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 172.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 172.16.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 172.16.1.102

dhcpd ping_timeout 750

!

dhcprelay server 172.16.1.102 inside

dhcprelay enable guest

dhcprelay enable insidewifi

dhcprelay setroute guest

dhcprelay setroute insidewifi

dhcprelay timeout 60


threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username ******** password PNUmTwjDhevRqhkT encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:6599fa7a5e196a7dfaa544f75cd64ae7

: end

Correct Answer
Ramraj Sivagnan... Sun, 07/22/2012 - 13:17
User Badges:
  • Silver, 250 points or more

Hi Bro

I believe everything is working fine now. Please do paste your latest config here, so that the others could learn from your experience as well.




P/S: If you think this comment is useful, please do rate them nicely :-)

Garland Moore Sun, 07/22/2012 - 13:40
User Badges:

Here is the working config.  Many thanks to Ramraj for his assistance!!!!!



ASA Version 8.2(2)

!

hostname FW01

enable password .MlTybcgwEXNF1HM encrypted

passwd .MlTybcgwEXNF1HM encrypted

names

dns-guard

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan2

description ### Link to Internet ###

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

description ### Link to GUEST WIFI  ###

nameif guest

security-level 50

ip address 172.16.10.1 255.255.255.0

!

interface Vlan4

description ### Link to INSIDE LAN ###

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

!

interface Vlan5

description ### Link to INSIDE WIFI ###

nameif insidewifi

security-level 50

ip address 172.16.2.1 255.255.255.0

!

interface Ethernet0/0

description ### Link to Internet ###

switchport access vlan 2

!

interface Ethernet0/1

description ### Link to GUEST WIFI  ###

switchport access vlan 3

!

interface Ethernet0/2

description ### Link to INSIDE LAN ###

switchport access vlan 4

!

interface Ethernet0/3

description ### Link to INSIDE WIFI ###

switchport access vlan 5

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

banner exec

banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********

banner exec *

banner exec *      This system is for the use of authorized users only.

banner exec *      Individuals using this system are subject to having all of their

banner exec *      activities on this system monitored and recorded by system

banner exec *      personnel.

banner exec *

banner exec *      Anyone using this system expressly consents to such monitoring

banner exec *      and is advised that if such monitoring reveals possible

banner exec *      evidence of criminal activity, system personnel may provide the

banner exec *      evidence of such monitoring to law enforcement officials.

banner exec *

banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********

banner exec

banner exec

banner exec Name:.......FW01

banner exec Address:....**********

banner exec Location:...CST -5

ftp mode passive

clock timezone CST -5

same-security-traffic permit inter-interface

access-list inside extended permit ip any any

access-list outside extended permit ip any any

access-list guest extended permit udp any host 172.16.1.102 eq domain

access-list guest extended permit udp any host 172.16.1.103 eq domain

access-list guest extended permit udp any any range bootps tftp

access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log

access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log

access-list guest extended permit ip any any

access-list insidewifi extended permit ip any any

no pager

logging enable

logging list TEST level alerts

logging buffered debugging

logging mail TEST

logging from-address *firewall domain name*

logging recipient-address *enter email address here* level errors

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu insidewifi 1500

ip audit name FW01-INFO info action alarm

ip audit name FW01-ATTACK attack action alarm reset

ip audit interface outside FW01-INFO

ip audit interface outside FW01-ATTACK

ip audit signature 2000 disable

ip audit signature 2001 disable

ip audit signature 2004 disable

ip audit signature 2005 disable

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo-reply outside

icmp permit any guest

icmp permit any inside

icmp permit any insidewifi

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (guest) 1 172.16.10.0 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.0

nat (insidewifi) 1 172.16.2.0 255.255.255.0

static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

access-group outside in interface outside

access-group guest in interface guest

access-group inside in interface inside

access-group insidewifi in interface insidewifi

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 172.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

fragment chain 1 outside

sysopt noproxyarp outside

service resetoutside

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 172.16.1.0 255.255.255.0 inside

ssh timeout 60

console timeout 0

management-access inside

dhcpd dns 172.16.1.102

dhcpd ping_timeout 750

!

dhcprelay server 172.16.1.102 inside

dhcprelay enable guest

dhcprelay enable insidewifi

dhcprelay setroute guest

dhcprelay setroute insidewifi

dhcprelay timeout 60


threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.0.0

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 211.233.40.78

ntp server 61.153.197.226

ntp server 202.150.213.154 prefer

webvpn

username *username here* password PNUmTwjDhevRqhkT encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

smtp-server 173.194.79.109

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:69ead0d0578ac025238d9a7a25f48f13

Julio Carvajal Sun, 07/22/2012 - 15:03

Hello Garland,


Here is what I want you to try to make this work:

Add the following commands

1- fixup protocol ICMP

2- static (guest,inside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0


Then try to ping from inside to guest, and backwards if that does not work do the following:


packet-tracer input inside icmp 172.16.1.20 8 0 172.16.10.10

packet-tracer input guest icmp 172.16.10.10 8 0 172.16.1.20


Regards,


The CSC is a free support community, take your time to rate all of the engineers' support
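A small checker, added here as an example (not code from Cisco or from anyone in this thread), that reads a pre-8.3 ASA config like the one posted above and reports, per direction, which of the prerequisites discussed in the thread are missing: equal security levels without `same-security-traffic permit inter-interface`, a lower-security interface with no access-group bound, or a `nat` statement whose source has no `global` on the egress interface and no identity `static` (the condition Julio's `static (guest,inside)` addresses). The `SAMPLE` excerpt is constructed from the working config; ACL contents themselves are not evaluated.

```python
import re
# Constructed excerpt modelled on the working config posted in this thread (not the full dump).
SAMPLE = "\n".join([
    "interface Vlan3", " nameif guest", " security-level 50", "!",
    "interface Vlan4", " nameif inside", " security-level 100", "!",
    "interface Vlan5", " nameif insidewifi", " security-level 50", "!",
    "same-security-traffic permit inter-interface", "global (outside) 1 interface",
    "nat (guest) 1 172.16.10.0 255.255.255.0", "nat (inside) 1 172.16.1.0 255.255.255.0",
    "nat (insidewifi) 1 172.16.2.0 255.255.255.0",
    "static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0",
    "static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0",
    "access-group guest in interface guest", "access-group inside in interface inside",
    "access-group insidewifi in interface insidewifi"])

def parse_asa(text):
    """Collect the pre-8.3 ASA settings that decide whether two nameifs can talk."""
    c = {"level": {}, "inter": False, "nat": set(), "glob": set(), "static": set(),
         "exempt": set(), "acl": set()}
    name = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("nameif "):          # nameif precedes security-level in ASA output
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            c["level"][name] = int(line.split()[1])
        elif line == "same-security-traffic permit inter-interface":
            c["inter"] = True
        elif m := re.match(r"nat \((\w+)\) (\d+)", line):   # id 0 = NAT exemption (nat 0)
            c["exempt"].add(m[1]) if m[2] == "0" else c["nat"].add((m[1], m[2]))
        elif m := re.match(r"global \((\w+)\) (\d+)", line):
            c["glob"].add((m[1], m[2]))
        elif m := re.match(r"static \((\w+),(\w+)\)", line):
            c["static"].add((m[1], m[2]))
        elif m := re.match(r"access-group \S+ in interface (\w+)", line):
            c["acl"].add(m[1])
    return c

def intervlan_findings(c, src, dst):
    """Why a new connection from nameif src toward dst is refused before routing (empty = ok)."""
    lv, out = c["level"], []
    if lv[src] == lv[dst] and not c["inter"]:
        out.append("equal security-level: add 'same-security-traffic permit inter-interface'")
    if lv[src] < lv[dst] and src not in c["acl"]:
        out.append(f"{src} is lower security: bind an access-group permitting traffic to {dst}")
    ids = {n for i, n in c["nat"] if i == src}   # dynamic NAT ids covering this source
    if ids and src not in c["exempt"] and (src, dst) not in c["static"] \
       and not any((dst, n) in c["glob"] for n in ids):
        out.append(f"no 'global ({dst})' for 'nat ({src})' and no 'static ({src},{dst})': "
                   "pre-8.3 ASA drops it with 'no translation group found'")
    return out
```

Run against the constructed excerpt, inside to insidewifi comes back clean while insidewifi to inside is flagged for the missing translation, which is the asymmetry the identity static is there to fix.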

mach825 Tue, 10/22/2013 - 08:03

Hello all,


I am struggling to get intervlan routing to function properly on my ASA 5505.  I have a security plus license.  The VLANs I am dealing with are inside, Developer, and outside. 


interface Ethernet0/0

description outside

switchport access vlan 2


interface Ethernet0/2

description inside

switchport trunk allowed vlan 1,24


interface Ethernet0/6

description Wireless Access Point

switchport trunk allowed vlan 1,24

switchport trunk native vlan 1

switchport mode trunk

!

interface Ethernet0/7

description Wireless Access Point

switchport trunk allowed vlan 1,24

switchport trunk native vlan 1

switchport mode trunk


interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address nnn.nn.nn.nnn 255.255.255.0

!

interface Vlan24

nameif Developer

security-level 100

ip address 192.168.24.1 255.255.255.0

!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

!

access-list acl-inside_dev extended permit ip any any

access-list acl-Developer extended permit ip any any


access-group acl-inside_dev in interface inside

access-group acl-Developer in interface Developer


Thanks,

Shannon
