08-06-2013 06:37 PM - edited 03-11-2019 07:22 PM
Hello, Yes, I did read lots of posts here on ASA5505 inter-VLAN routing, and I tried a few ideas from a few posts, but I still cannot make this work.
Packet tracer works, I can ping between VLANs, but with a real device I can't.
I have devices on VLAN 1 (port 0/1, 192.168.1.0) and I cannot ping (or talk to) devices on VLAN 12 (192.168.10.0, port 0/5).
I have built NAT and access lists; I guess I do not need routing as the 2 networks are directly connected...
Any ideas?
Thanks!
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd b9rdqCG21C.trMZp encrypted
names
!
interface Vlan1
nameif House-LAN
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif ISP-OUTSIDE
security-level 0
ip address dhcp
!
interface Vlan12
nameif WIFI
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.1.0 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu House-LAN 1500
mtu ISP-OUTSIDE 1500
mtu WIFI 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (ISP-OUTSIDE) 1 interface
nat (House-LAN) 0 access-list House-LAN
nat (House-LAN) 1 0.0.0.0 0.0.0.0
nat (ISP-OUTSIDE) 0 access-list ISP-OUTSIDE
nat (WIFI) 0 access-list WIFI
nat (WIFI) 1 0.0.0.0 0.0.0.0
route ISP-OUTSIDE 0.0.0.0 0.0.0.0 74.57.152.1 1
route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 House-LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 House-LAN
ssh timeout 60
ssh version 2
console timeout 0
dhcp-client client-id interface ISP-OUTSIDE
dhcpd auto_config ISP-OUTSIDE
!
dhcpd address 192.168.1.5-192.168.1.36 House-LAN
dhcpd dns 8.8.8.8 interface House-LAN
dhcpd domain homelab.com interface House-LAN
dhcpd enable House-LAN
!
dhcpd address 192.168.10.5-192.168.10.150 WIFI
dhcpd dns 8.8.8.8 interface WIFI
dhcpd domain homelab.com interface WIFI
dhcpd enable WIFI
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xx.xx.xx.xx source ISP-OUTSIDE prefer
webvpn
username jbachman password tvTwKjq/0Pm2Xeh6 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d7043c017eea909d8dcabf0e3649fc14
: end
08-06-2013 09:46 PM
Hello John,
Check the following command you have here:
route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1
That's wrong, as 192.168.10.0 is directly connected to the ASA; you should not need to send the packets to the .2 device.
Do:
no route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1
Besides that I do not see any configuration issues.
Let me know how it goes after changing that; if it does not work we will move to captures.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
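To catch this class of mistake before it reaches the box, here is an added example (not from the thread and not Cisco's code) in Python. It parses the interface stanzas and route lines of an ASA 8.2-style running-config and flags any static route whose destination prefix is already a directly connected interface network, as the WIFI route above is; it also warns when two interfaces share a security level but same-security-traffic permit inter-interface is missing. The config excerpt embedded in it is constructed from the one posted above; the function names are mine.

```python
"""Lint an ASA 8.2-style config for a static route that duplicates a
directly connected subnet.  Added example, not from the thread or Cisco."""
import ipaddress
import re

# Constructed excerpt of the config posted in this thread (interfaces and routes only).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif House-LAN
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif ISP-OUTSIDE
 security-level 0
 ip address dhcp
!
interface Vlan12
 nameif WIFI
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
same-security-traffic permit inter-interface
route ISP-OUTSIDE 0.0.0.0 0.0.0.0 74.57.152.1 1
route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def parse_interfaces(config):
    """Return {nameif: (ip_interface or None, security_level)} per interface stanza.
    DHCP-addressed interfaces get None because their subnet is not in the config."""
    interfaces = {}
    nameif = addr = level = None
    for line in config.splitlines() + ["interface _end"]:  # sentinel flushes the last stanza
        line = line.strip()
        if line.startswith("interface "):
            if nameif:
                interfaces[nameif] = (addr, level)
            nameif = addr = level = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
        elif line.startswith("ip address ") and "dhcp" not in line:
            _, _, ip, mask = line.split()
            addr = ipaddress.ip_interface(f"{ip}/{mask}")
    return interfaces


def parse_routes(config):
    """Return [(egress_nameif, destination network, next hop)] for each 'route' line."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            ifname, dst, mask, nexthop, _metric = m.groups()
            routes.append((ifname, ipaddress.ip_network(f"{dst}/{mask}"),
                           ipaddress.ip_address(nexthop)))
    return routes


def lint_routes(config):
    """Flag static routes whose prefix equals a connected interface network.
    Such a route is redundant at best; here it also points at a next hop
    that is not even inside that subnet."""
    interfaces = parse_interfaces(config)
    findings = []
    for ifname, dst, nexthop in parse_routes(config):
        for name, (addr, _level) in interfaces.items():
            if addr is not None and dst == addr.network:
                msg = f"route {ifname} {dst} via {nexthop}: prefix is directly connected on {name}"
                if nexthop not in addr.network:
                    msg += f"; next hop {nexthop} is not inside {addr.network}"
                findings.append(msg)
    return findings


def lint_same_security(config):
    """Interfaces at one security level cannot talk without the
    same-security-traffic permit inter-interface command."""
    levels = {}
    for name, (_addr, level) in parse_interfaces(config).items():
        levels.setdefault(level, []).append(name)
    shared = [names for names in levels.values() if len(names) > 1]
    if shared and "same-security-traffic permit inter-interface" not in config:
        return [f"{names} share a security level but same-security-traffic "
                "permit inter-interface is missing" for names in shared]
    return []


if __name__ == "__main__":
    for finding in lint_routes(SAMPLE_CONFIG) + lint_same_security(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` and the WIFI route is the only finding; after `no route WIFI ...` the route check returns nothing.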
08-09-2013 12:44 PM
John,
I tested everything in my lab using version 8.0, configured the inside and DMZ interfaces with the same security level, configured the same-security-traffic command, and all are working fine.
Let me ask you, are you using a router or an unmanaged switch behind the ASA's inside interface? What is the default gateway of your internal hosts?
Can you talk more about your internal connectivity?
Regards,
AM
08-06-2013 09:48 PM
Hi,
Could you please provide the result of these commands?
packet-tracer input House-LAN icmp 192.168.1.x 8 0 192.168.10.x
and vice-versa
packet-tracer input WIFI icmp 192.168.10.x 8 0 192.168.1.x
Also, can you remove both NAT exemptions and create only a single Identity NAT for the House-LAN subnet?
For example,
nat (House-LAN) 0 192.168.1.0 255.255.255.0
Regards,
AM
08-07-2013 01:21 PM
Thank you Julio and AM
Here is the output:
Packet gets dropped by an implicit rule, "deny all", but I am supposed to INSPECT icmp according to the global_policy map in place:
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
ciscoasa(config)# packet-tracer input House-LAN icmp 192.168.1.1 8 0 192.168.10.1
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.1 255.255.255.255 identity
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: House-LAN
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa(config)# packet-tracer input WIFI icmp 192.168.10.1 8 0 192.168.1.1
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.1 255.255.255.255 identity
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: WIFI
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
08-07-2013 04:02 PM
Is ICMP considered an IP packet or do I need to allow ICMP as well ?
08-07-2013 05:49 PM
Hi,
Don't use the ASA's interface IP addresses in the "packet-tracer". If you do, the "packet-tracer" will always fail. Use some other random address from both of the networks, and after that the output should reflect the true situation.
And yes, IP contains ICMP also.
- Jouni
08-07-2013 06:05 PM
You are right.
I tried it, and got a lot more results. I will check these out and post them here....
thanks !
08-07-2013 07:37 PM
Yes, when I said run packet tracer, I meant to use any device address on each VLAN, not the ASA interfaces.
Also, I noticed 1 implicit deny on the House-LAN and WIFI beside the permit rule. It should be only one implicit permit rule for each high-security-level interface. The same-security traffic is also enabled and traffic should traverse between those interfaces with no problems.
Please run packet tracer again using actual device addresses.
Regards,
AM
08-08-2013 01:38 PM
Thanks, I found where it is denied, but looking at the config, it looks OK to me.
I stared at and compared the 2 networks; it all looks good.
When I ping 192.168.10.12 from 192.168.1.8 all is good.
packet-tracer input house-LAN icmp 192.168.1.8 8 0 192.168.10.12
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.0 255.255.255.0 WIFI
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip House-LAN 192.168.1.0 255.255.255.0 WIFI 192.168.10.0 255.255.255.0
NAT exempt
translate_hits = 268, untranslate_hits = 99
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (House-LAN) 1 0.0.0.0 0.0.0.0
match ip House-LAN any WIFI any
dynamic translation to pool 1 (No matching global)
translate_hits = 57, untranslate_hits = 0
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (House-LAN) 1 0.0.0.0 0.0.0.0
match ip House-LAN any House-LAN any
dynamic translation to pool 1 (No matching global)
translate_hits = 7, untranslate_hits = 0
Additional Information:
Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (WIFI) 1 0.0.0.0 0.0.0.0
match ip WIFI any House-LAN any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 12
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (WIFI) 1 0.0.0.0 0.0.0.0
match ip WIFI any House-LAN any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 158286, packet dispatched to next module
Result:
input-interface: House-LAN
input-status: up
input-line-status: up
output-interface: WIFI
output-status: up
output-line-status: up
Action: allow
But when I ping 192.168.1.8 from 192.168.10.12 it fails:
packet-tracer input house-LAN icmp 192.168.10.12 8 0 192.168.1.8
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 House-LAN
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
match ip House-LAN 192.168.1.0 255.255.255.0 House-LAN 192.168.10.0 255.255.255.0 -HOUSE-LAN ASSOCIATED WITH 192.168.10.0 ????? This is the problem...
NAT exempt
translate_hits = 0, untranslate_hits = 8
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (House-LAN) 1 0.0.0.0 0.0.0.0
match ip House-LAN any House-LAN any ---- what is this ????
dynamic translation to pool 1 (No matching global)
translate_hits = 8, untranslate_hits = 0
Additional Information:
Result:
input-interface: House-LAN
input-status: up
input-line-status: up
output-interface: House-LAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd b9rdqCG21C.trMZp encrypted
names
!
interface Vlan1
nameif House-LAN
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif ISP-OUTSIDE
security-level 0
ip address dhcp
!
interface Vlan12
nameif WIFI
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.1.0 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu House-LAN 1500
mtu ISP-OUTSIDE 1500
mtu WIFI 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (ISP-OUTSIDE) 1 interface
nat (House-LAN) 0 access-list House-LAN
nat (House-LAN) 1 0.0.0.0 0.0.0.0
nat (ISP-OUTSIDE) 0 access-list ISP-OUTSIDE
nat (WIFI) 0 access-list WIFI
nat (WIFI) 1 0.0.0.0 0.0.0.0
route ISP-OUTSIDE 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 House-LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 House-LAN
ssh timeout 60
ssh version 2
console timeout 0
dhcp-client client-id interface ISP-OUTSIDE
dhcpd auto_config ISP-OUTSIDE
!
dhcpd address 192.168.1.5-192.168.1.36 House-LAN
dhcpd dns 24.200.241.37 interface House-LAN
dhcpd domain homelab.com interface House-LAN
dhcpd enable House-LAN
!
dhcpd address 192.168.10.5-192.168.10.150 WIFI
dhcpd dns 8.8.8.8 interface WIFI
dhcpd domain homelab.com interface WIFI
dhcpd enable WIFI
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 66.46.33.9 source ISP-OUTSIDE prefer
webvpn
username jbachman password tvTwKjq/0Pm2Xeh6 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:540ec0c8a87fb490bf587e36c6fe792b
: end
08-08-2013 05:27 PM
The output and the input are the same interface; that's why the NAT fails translation...
Result:
input-interface: House-LAN
input-status: up
input-line-status: up
output-interface: House-LAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
08-08-2013 05:56 PM
Hello,
Exactly, since the first post we saw that.
But that is because you are doing the packet tracer wrong.
It's: packet-tracer input WIFI icmp 192.168.10.12 8 0 192.168.1.8
Please read the following http://www.laguiadelnetworking.com/the-usage-of-the-packet-tracer-feature-on-the-asa/
Cheers,
Julio Carvajal Segura
08-08-2013 06:44 PM
Thanks for the link Julio. Very first time with Packet Tracer....
Well, now with this method, Packet Tracer works both ways.
Still, as I said in my first post, I still can't ping from 192.168.10.12 to 192.168.1.8... The other way works...
I get a one-way ping.... I might just format the whole thing....
08-09-2013 12:01 AM
Hello,
Don't do that. I bet that if we do captures we will see where the problem is, but before providing you the capture syntax:
Can you check if the Windows firewall is disabled on both units?
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-09-2013 08:02 AM
OK, you are correct. I have disabled the W7 firewall on the PC and ping works. Then I re-enabled it and configured a rule to allow ping into the PC. That's weird, because I never had problems before I installed the ASA5505, and the ASA should be open for everything between inside interfaces...
Anyway, ping works, and I have disabled the W7 firewall to keep on troubleshooting (to get it out of the way for now).
Now I have AirVideo running on the PC (using Bonjour!), and same thing: the AirVideo app running on the iPad (Wi-Fi) on VLAN 12 cannot connect to the PC on the LAN (VLAN 1). So I do have a problem with the ASA blocking ports even if I did configure the ASA rules to allow any any between the interfaces...
It is as if VLAN routing is actually working, but not enabled for all the L4 protocols and ports between inside interfaces, even if I have opened everything, and all interfaces are at the same security level... Well, this CCNA Security cert is giving me good learning challenges...
I am working on this issue now.
08-09-2013 08:21 AM
Does the global policy apply only to the outside interface?
Or is it also applied between interfaces?
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp