Allowing Traffick Between vlans on ASA5505

Roberto Kippins · ‎07-07-2013

I have a Cisco ASA5505 configured with 3 vlans outside = x.x.x.x \24, inside = 10.217.46.1 \ 27, and wifi = 10.217.46.33 \ 27. I have security plus liscense but i cant access anything in the inside if im on wifi or i cant access anything from wifi if im on inside cant even ping between vlans but access to the internet is working just fine on both sides any ideas.

Eddy Duran · ‎07-07-2013

Hello Robert,

What is the security level between interfaces? Would you mind sharing your configuration?

-Eddy Duran

Roberto Kippins · ‎07-07-2013

they are both at 100

Jouni Forss · ‎07-07-2013

Hi,

The easiest way to solve this would naturally to see the configuration.

The main things that might affect on the firewall side are

Missing interface ACL
Missing some NAT configuration (depending on software level of the ASA)
The interface "security-level" are set to identical which would block traffic between these interfaces if you DONT have "same-security-traffic permit inter-interface"

You can also take the "packet-tracer" output if you want to test the firewall configurations/rules

packet-tracer input inside tcp

packet-tracer input wifi tcp

One common problen with ICMP through the firewall is missing ICMP Inspection

It can be added with

fixup protocol imcp

fixup protocol icmp error

Or alternatively by entering

policy-map global_policy

class inspection_default

inspect icmp error

inspect icmp

- Jouni

Jouni Forss · ‎07-07-2013

Hi,

You need to add "same-security-traffic permit inter-interface" atleast

- Jouni