ASA 5505 InterVLAN routing...

Hello. Yes, I did read lots of posts here on ASA 5505 inter-VLAN routing. I tried a few ideas from a few posts, but I still cannot make this work.

Packet tracer works, I can ping between VLANs, but with a real device I can't.

I have devices on VLAN 1, port 0/1, 192.168.1.0, and I cannot ping (or talk to) devices on VLAN 12, 192.168.10.0, port 0/5.

I have built NAT and access lists; I guess I do not need routing, as the two networks are directly connected...

Any ideas?

Thanks!

ASA Version 8.2(1)
!
hostname ciscoasa
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd b9rdqCG21C.trMZp encrypted
names
!
interface Vlan1
nameif House-LAN
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif ISP-OUTSIDE
security-level 0
ip address dhcp
!
interface Vlan12
nameif WIFI
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.1.0 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu House-LAN 1500
mtu ISP-OUTSIDE 1500
mtu WIFI 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (ISP-OUTSIDE) 1 interface
nat (House-LAN) 0 access-list House-LAN
nat (House-LAN) 1 0.0.0.0 0.0.0.0
nat (ISP-OUTSIDE) 0 access-list ISP-OUTSIDE
nat (WIFI) 0 access-list WIFI
nat (WIFI) 1 0.0.0.0 0.0.0.0
route ISP-OUTSIDE 0.0.0.0 0.0.0.0 74.57.152.1 1
route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 House-LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 House-LAN
ssh timeout 60
ssh version 2
console timeout 0
dhcp-client client-id interface ISP-OUTSIDE
dhcpd auto_config ISP-OUTSIDE
!
dhcpd address 192.168.1.5-192.168.1.36 House-LAN
dhcpd dns 8.8.8.8 interface House-LAN
dhcpd domain homelab.com interface House-LAN
dhcpd enable House-LAN
!
dhcpd address 192.168.10.5-192.168.10.150 WIFI
dhcpd dns 8.8.8.8 interface WIFI
dhcpd domain homelab.com interface WIFI
dhcpd enable WIFI
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xx.xx.xx.xx source ISP-OUTSIDE prefer
webvpn
username jbachman password tvTwKjq/0Pm2Xeh6 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d7043c017eea909d8dcabf0e3649fc14
: end

25 REPLIES

ASA 5505 InterVLAN routing...

Hello John,

Check the following command you have here:

route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1

That's wrong, as 192.168.10.0 is directly connected to the ASA; you should not need to send the packets to the 0.2 device.

Do:

no route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1

Besides that, I do not see any configuration issues.

Let me know how it goes after changing that; if it does not work we will move to captures.

Check my blog at http://laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
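
The route Julio points out, a static route for a subnet the ASA is already directly connected to, with a next hop (192.168.0.2) that is not even on the WIFI subnet, is the kind of mistake a config lint can catch before anyone reaches for packet-tracer. The Python script below is an added example, not code from the thread, from Cisco or from ASDM: it parses a trimmed copy of the posted 8.2(1) config (a constructed sample containing only the interface, route, dhcpd address and same-security-traffic lines) and reports such routes. It goes a little beyond the single route discussed here by also checking that interfaces sharing a security level have same-security-traffic permit inter-interface configured and that each dhcpd pool lies inside its interface's subnet, which are the other two things this thread ends up verifying by hand. Command forms other than those four are ignored.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the 8.2(1) config posted in the thread
# (interfaces, routes and DHCP pools copied; everything else trimmed).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif House-LAN
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif ISP-OUTSIDE
 security-level 0
 ip address dhcp
!
interface Vlan12
 nameif WIFI
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
same-security-traffic permit inter-interface
route ISP-OUTSIDE 0.0.0.0 0.0.0.0 74.57.152.1 1
route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1
dhcpd address 192.168.1.5-192.168.1.36 House-LAN
dhcpd address 192.168.10.5-192.168.10.150 WIFI
"""

ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)")
POOL_RE = re.compile(r"dhcpd address (\S+)-(\S+) (\S+)")
SAME_SEC = "same-security-traffic permit inter-interface"


def parse_config(text):
    """Pull interfaces, static routes, DHCP pools and the same-security flag out of a config."""
    interfaces, seclevel, routes, pools, flags = {}, {}, [], [], set()
    block = None                                  # interface block currently being read
    for raw in text.splitlines() + ["!"]:         # trailing "!" closes the last block
        line = raw.strip()
        if line.startswith("interface "):
            block = {}
        elif block is not None:
            if line.startswith("nameif "):
                block["name"] = line.split()[1]
            elif line.startswith("security-level "):
                block["sec"] = int(line.split()[1])
            elif line.startswith("ip address "):
                parts = line.split()              # "ip address dhcp" has no static subnet
                block["addr"] = None if parts[2] == "dhcp" else ipaddress.IPv4Interface(
                    f"{parts[2]}/{parts[3]}")
            elif line == "!":                     # end of the interface block
                if "name" in block:
                    interfaces[block["name"]] = block.get("addr")
                    seclevel[block["name"]] = block.get("sec", 0)
                block = None
        elif ROUTE_RE.match(line):
            ifname, net, mask, nh = ROUTE_RE.match(line).groups()
            routes.append((ifname, ipaddress.IPv4Network(f"{net}/{mask}"), ipaddress.IPv4Address(nh)))
        elif POOL_RE.match(line):
            first, last, ifname = POOL_RE.match(line).groups()
            pools.append((ifname, ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
        elif line == SAME_SEC:
            flags.add(line)
    return interfaces, seclevel, routes, pools, flags


def lint(text):
    """Return a list of findings (empty when the checked items look sane)."""
    interfaces, seclevel, routes, pools, flags = parse_config(text)
    findings = []
    for ifname, net, nh in routes:
        addr = interfaces.get(ifname)
        if addr is None:                          # DHCP-addressed or unknown interface: skip
            continue
        if net == addr.network:
            findings.append(f"route {ifname} {net}: static route for a directly connected "
                            f"subnet; the connected route already covers it")
        if nh not in addr.network:
            findings.append(f"route {ifname} {net}: next hop {nh} is not inside {addr.network}")
    by_level = {}
    for name, lvl in seclevel.items():
        by_level.setdefault(lvl, []).append(name)
    for lvl, names in by_level.items():
        if len(names) > 1 and SAME_SEC not in flags:
            findings.append(f"{', '.join(sorted(names))} share security-level {lvl} but "
                            f"'{SAME_SEC}' is missing")
    for ifname, first, last in pools:
        addr = interfaces.get(ifname)
        if addr is None or first not in addr.network or last not in addr.network:
            findings.append(f"dhcpd pool {first}-{last} on {ifname}: not within that "
                            f"interface's static subnet")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

For the posted config it returns two findings, both about the route WIFI line; deleting that line (the no route ... that Julio suggests) empties the list. The default route is not checked because ISP-OUTSIDE takes its address from DHCP, so there is no static subnet to test the next hop against.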

Re: ASA 5505 InterVLAN routing...

Hi,

Could you please provide the result of these commands?

packet-tracer input House-LAN icmp 192.168.1.x 8 0 192.168.10.x

and vice-versa

packet-tracer input WIFI icmp 192.168.10.x 8 0 192.168.1.x

Also, can you remove both NAT exemptions and create only a single Identity NAT for the House-LAN subnet?

For example,

nat (House-LAN) 0 192.168.1.0 255.255.255.0

Regards,

AM


Re: ASA 5505 InterVLAN routing...

Thank you Julio and AM

Here is the output:

The packet gets dropped by an implicit rule, "deny all", but I am supposed to INSPECT icmp according to the global_policy map in place:

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp

ciscoasa(config)# packet-tracer input House-LAN icmp 192.168.1.1 8 0 192.168.10.1

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.10.1    255.255.255.255 identity
             
Phase: 4     
Type: ACCESS-LIST
Subtype:     
Result: DROP 
Config:      
Implicit Rule
Additional Information:
             
Result:      
input-interface: House-LAN
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop 
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa(config)# packet-tracer input WIFI icmp 192.168.10.1 8 0 192.168.1.1

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.1     255.255.255.255 identity
             
Phase: 4     
Type: ACCESS-LIST
Subtype:     
Result: DROP 
Config:      
Implicit Rule
Additional Information:
             
Result:      
input-interface: WIFI
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop 
Drop-reason: (acl-drop) Flow is denied by configured rule


Re: ASA 5505 InterVLAN routing...

Is ICMP considered an IP packet, or do I need to allow ICMP as well?


ASA 5505 InterVLAN routing...

Hi,

Don't use the ASA's interface IP addresses in the "packet-tracer". If you do, the "packet-tracer" will always fail. Use some other random address from both of the networks, and after that the output should reflect the true situation.

And yes, IP contains ICMP also.

- Jouni


ASA 5505 InterVLAN routing...

You are right.

I tried it, and got a lot more results. I will check these out and post them here....

Thanks!


Re: ASA 5505 InterVLAN routing...

Yes, when I said run packet tracer, I meant to use any device address on each VLAN, not the ASA interfaces.

Also, I noticed one implicit deny on the House-LAN and WIFI beside the permit rule. There should be only one implicit permit rule for each high-security-level interface. The same-security traffic is also enabled, and traffic should traverse between those interfaces with no problems.

Please run packet tracer again using actual device addresses.

Regards,

AM


Re: ASA 5505 InterVLAN routing...

Thanks, I found where it is denied, but looking at the config, it looks OK to me.

I stared at and compared the two networks; it all looks good.

When I ping 192.168.10.12 from 192.168.1.8 all is good.

packet-tracer input house-LAN icmp 192.168.1.8 8 0 192.168.10.12

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.10.0    255.255.255.0   WIFI

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4     
Type: IP-OPTIONS
Subtype:     
Result: ALLOW
Config:      
Additional Information:
             
Phase: 5     
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:      
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
             
Phase: 6     
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:      
Additional Information:
             
Phase: 7     
Type: NAT-EXEMPT
Subtype:     
Result: ALLOW
Config:      
  match ip House-LAN 192.168.1.0 255.255.255.0 WIFI 192.168.10.0 255.255.255.0
    NAT exempt
    translate_hits = 268, untranslate_hits = 99
Additional Information:
             
Phase: 8     
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:      
Additional Information:
             
Phase: 9     
Type: NAT    
Subtype:     
Result: ALLOW
Config:      
nat (House-LAN) 1 0.0.0.0 0.0.0.0
  match ip House-LAN any WIFI any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 57, untranslate_hits = 0
Additional Information:
             
Phase: 10    
Type: NAT    
Subtype: host-limits
Result: ALLOW
Config:      
nat (House-LAN) 1 0.0.0.0 0.0.0.0
  match ip House-LAN any House-LAN any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 7, untranslate_hits = 0
Additional Information:
             
Phase: 11    
Type: NAT    
Subtype: rpf-check
Result: ALLOW
Config:      
nat (WIFI) 1 0.0.0.0 0.0.0.0
  match ip WIFI any House-LAN any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
             
Phase: 12    
Type: NAT    
Subtype: host-limits
Result: ALLOW
Config:      
nat (WIFI) 1 0.0.0.0 0.0.0.0
  match ip WIFI any House-LAN any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
             
Phase: 13    
Type: IP-OPTIONS
Subtype:     
Result: ALLOW
Config:      
Additional Information:
             
Phase: 14    
Type: FLOW-CREATION
Subtype:     
Result: ALLOW
Config:      
Additional Information:
New flow created with id 158286, packet dispatched to next module
             
Result:      
input-interface: House-LAN
input-status: up
input-line-status: up
output-interface: WIFI
output-status: up
output-line-status: up
Action: allow

But when I ping 192.168.1.8 from 192.168.10.12 it fails:

packet-tracer input house-LAN icmp 192.168.10.12 8 0 192.168.1.8

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   House-LAN

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4     
Type: IP-OPTIONS
Subtype:     
Result: ALLOW
Config:      
Additional Information:
             
Phase: 5     
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:      
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
             
Phase: 6     
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:      
Additional Information:
             
Phase: 7     
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:      
  match ip House-LAN 192.168.1.0 255.255.255.0 House-LAN 192.168.10.0 255.255.255.0 -HOUSE-LAN ASSOCIATED WITH 192.168.10.0 ????? This is the problem...

  NAT exempt
    translate_hits = 0, untranslate_hits = 8
Additional Information:
             
Phase: 8     
Type: NAT    
Subtype:     
Result: DROP 
Config:      
nat (House-LAN) 1 0.0.0.0 0.0.0.0
  match ip House-LAN any House-LAN any   ---- what is this ????

dynamic translation to pool 1 (No matching global)
    translate_hits = 8, untranslate_hits = 0
Additional Information:
             
Result:      
input-interface: House-LAN
input-status: up
input-line-status: up
output-interface: House-LAN
output-status: up
output-line-status: up
Action: drop 
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA Version 8.2(1)
!
hostname ciscoasa
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd b9rdqCG21C.trMZp encrypted
names
!
interface Vlan1
nameif House-LAN
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif ISP-OUTSIDE
security-level 0
ip address dhcp
!
interface Vlan12
nameif WIFI
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!            
interface Ethernet0/1
!            
interface Ethernet0/2
!            
interface Ethernet0/3
!            
interface Ethernet0/4
!            
interface Ethernet0/5
switchport access vlan 12
!            
interface Ethernet0/6
!            
interface Ethernet0/7
!            
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.1.0 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu House-LAN 1500
mtu ISP-OUTSIDE 1500
mtu WIFI 1500
no failover  
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (ISP-OUTSIDE) 1 interface
nat (House-LAN) 0 access-list House-LAN
nat (House-LAN) 1 0.0.0.0 0.0.0.0
nat (ISP-OUTSIDE) 0 access-list ISP-OUTSIDE
nat (WIFI) 0 access-list WIFI
nat (WIFI) 1 0.0.0.0 0.0.0.0
route ISP-OUTSIDE 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 House-LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 House-LAN
ssh timeout 60
ssh version 2
console timeout 0
dhcp-client client-id interface ISP-OUTSIDE
dhcpd auto_config ISP-OUTSIDE
!            
dhcpd address 192.168.1.5-192.168.1.36 House-LAN
dhcpd dns 24.200.241.37 interface House-LAN
dhcpd domain homelab.com interface House-LAN
dhcpd enable House-LAN
!            
dhcpd address 192.168.10.5-192.168.10.150 WIFI
dhcpd dns 8.8.8.8 interface WIFI
dhcpd domain homelab.com interface WIFI
dhcpd enable WIFI
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 66.46.33.9 source ISP-OUTSIDE prefer
webvpn       
username jbachman password tvTwKjq/0Pm2Xeh6 encrypted privilege 15
!            
class-map inspection_default
match default-inspection-traffic
!            
!            
policy-map type inspect dns preset_dns_map
parameters  
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!            
service-policy global_policy global
prompt hostname context
Cryptochecksum:540ec0c8a87fb490bf587e36c6fe792b
: end   


ASA 5505 InterVLAN routing...

The output and the input are the same interface; that's why the NAT translation fails...

Result:
input-interface: House-LAN
input-status: up
input-line-status: up
output-interface: House-LAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA 5505 InterVLAN routing...

Hello,

Exactly, we saw that since the first post.

But that is because you are doing the packet tracer wrong.

It's packet-tracer input WIFI icmp 192.168.10.12 8 0 192.168.1.8

Please read the following: http://www.laguiadelnetworking.com/the-usage-of-the-packet-tracer-feature-on-the-asa/

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
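
Two packet-tracer pitfalls come up in this thread: Jouni's point that using the ASA's own interface addresses as endpoints turns the run into a to-the-box test that always ends in a drop against the NP Identity Ifc, and Julio's point that the packet has to be injected on the interface the source address actually lives on, otherwise the trace hairpins and is dropped with the same interface as input and output. The Python script below is an added example, not from the thread or from Cisco, that parses the phase blocks and the final Result block of packet-tracer output and reports the first DROP phase together with those two tell-tale patterns. The three sample traces are constructed from the output posted earlier in this thread, trimmed to the phases that matter.

```python
import re

# Constructed samples, trimmed from the packet-tracer output posted in the thread.
# A: both endpoints are the ASA's own interface addresses (Jouni's point).
TRACE_SELF = """\
Phase: 3
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in   192.168.10.1    255.255.255.255 identity

Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule

Result:
input-interface: House-LAN
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# B: real hosts, but the WIFI-sourced packet was injected on House-LAN (Julio's point).
TRACE_WRONG_INGRESS = """\
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in   192.168.1.0     255.255.255.0   House-LAN

Phase: 8
Type: NAT
Result: DROP
Config:
nat (House-LAN) 1 0.0.0.0 0.0.0.0
  match ip House-LAN any House-LAN any

Result:
input-interface: House-LAN
output-interface: House-LAN
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# C: the same flow as B, injected on the interface the source really lives on.
TRACE_OK = """\
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in   192.168.1.0     255.255.255.0   House-LAN

Result:
input-interface: WIFI
output-interface: House-LAN
Action: allow
"""


def parse_trace(text):
    """Split packet-tracer output into a list of phase dicts plus the final Result dict."""
    phases, result = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):      # blocks are blank-line separated
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if lines and lines[0].startswith("Result:"):        # final summary block
            for l in lines[1:]:
                key, _, val = l.partition(":")
                result[key.strip()] = val.strip()
        elif lines and lines[0].startswith("Phase:"):
            phase = {"phase": int(lines[0].split(":")[1]), "config": [], "info": []}
            section = None                                  # None while reading header lines
            for l in lines[1:]:
                key, _, val = l.partition(":")
                if l in ("Config:", "Additional Information:"):
                    section = "config" if l == "Config:" else "info"
                elif section is None:                       # Type:/Subtype:/Result: lines
                    phase[key.lower()] = val.strip()
                else:
                    phase[section].append(l)
            phases.append(phase)
    return phases, result


def diagnose(text):
    """Return (final action, list of hints) for one packet-tracer run."""
    phases, result = parse_trace(text)
    hints = []
    # An "identity" route-lookup result means the destination is the ASA itself.
    if any(p.get("type") == "ROUTE-LOOKUP" and any(i.endswith("identity") for i in p["info"])
           for p in phases):
        hints.append("to-the-box trace: an endpoint is an ASA interface address; "
                     "use a host address on each VLAN instead")
    if result.get("input-interface") and result["input-interface"] == result.get("output-interface"):
        hints.append("input and output interface are the same: the source address does not "
                     "belong to the interface named in 'packet-tracer input'")
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    if drop is not None:
        hints.append(f"first DROP at phase {drop['phase']} ({drop.get('type', '?')}): "
                     f"{result.get('Drop-reason', 'no Drop-reason line')}")
    return result.get("Action"), hints
```

Traces A and B come out as drops with a hint each; trace C is an allow with no hints. The same-interface hint is a heuristic: with same-security-traffic permit intra-interface configured, a legitimately hairpinned flow also shows one interface as both input and output, so read it as "check which interface the source is really behind", not as a verdict.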

ASA 5505 InterVLAN routing...

Thanks for the link, Julio. Very first time with packet tracer...

Well, now with this method, packet tracer works, both sides.

Still, as I said in my first post, I can't ping from 192.168.10.12 to 192.168.1.8... The other way works...

I got one-way ping... I might just format the whole thing...

ASA 5505 InterVLAN routing...

Hello,

Don't do that. I bet that if we do captures we will see where the problem is, but before providing you the capture syntax:

Can you check if the Windows firewall is disabled on both units?

Check my blog at http://laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura


ASA 5505 InterVLAN routing...

OK, you are correct. I have disabled the W7 firewall on the PC and ping works. Then I re-enabled it and configured a rule to allow ping into the PC. That's weird, because I never had problems before I installed the ASA 5505, and the ASA should be open for everything between inside interfaces...

Anyway, ping works, and I have disabled the W7 firewall to keep on troubleshooting (to get it out of the way for now).

Now I have Air Video running on the PC (using Bonjour!), and same thing: the Air Video app running on the iPad (Wi-Fi) on VLAN 12 cannot connect to the PC on the wired LAN, VLAN 1. So I do have a problem with the ASA blocking ports, even if I did configure the ASA rules to allow any any between the interfaces...

It is as if VLAN routing is actually working, but not enabled for all the L4 protocols and ports between inside interfaces, even if I have opened everything, and all interfaces are at the same security level... Well, this CCNA Security cert is giving me good learning challenges...

I am working on this issue now.


ASA 5505 InterVLAN routing...

Does the global policy apply only to the outside interface?

Or is it also applied between interfaces?

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp


Re: ASA 5505 InterVLAN routing...

Really sorry for the late reply.

I can see that the Windows firewall is the root cause of every host networking issue. I have a long story with it, and sometimes it causes frustration, especially when your configuration is 100% correct.

Packet tracer looks good too as expected.

Now, let me clarify that you do not need any ACLs to be applied on either House-LAN or WIFI, because same-security interfaces are by default allowed to access each other without any policy, as long as you issue the same-security-traffic command, which you already did. Because we used packet tracer in both directions with successful results, I think we cannot blame the network anymore. So far as I can see, your configuration is correct. We need to focus now on why the iPad device cannot reach any of VLAN 1's devices. Because I never used it, I am not sure if the Air Video application supports RTP/RTSP. If this is the case, then we need to classify RTP traffic in a new class map. But I am not sure yet; let me collect more information about the app and get back to you.

Global policy is applied globally to all ASA's interfaces.

Regards,

AM


Re: ASA 5505 InterVLAN routing...

Thanks AM,

Air Video runs on the server, and the APP runs on the iPAD. It is used to stream video over the wifi on the iPAD.

But I notice no traffic is routed between VLANs, except for the ping, which makes me believe the interfaces are blocked by a default policy.

So does this mean I need to delete the ACLs I have set up? I was also told that

same-security-traffic permit inter-interface / same-security-traffic permit intra-interface no longer apply because I am using NAT exempt...

Before I got the ASA on the ISP, I had a consumer Cisco E4200 and Air Video worked for years. Now that the two VLANs are on ASA inside interfaces, it can no longer communicate with anything, and the same goes for SSH, telnet and all programs running from VLAN 12 to VLAN 2 (except ping!!).

It might still be the PC that is blocking all the services, but why would it block when the ASA is wide open, and all works fine with the E4200?

I thought it might be the public or private network profile in the W7 firewall, but the whole firewall is off.

But if you say that the global policy is applied globally to all the ASA's interfaces, don't I need to tell the ASA to INSPECT all these services (Air Video, TCP, UDP, SSH, telnet, etc.)? None of them are defined in the global policy... might this be the problem?


Re: ASA 5505 InterVLAN routing...

"I might go ahead and remove the ACL:"

These ACLs are used in nat statements. What I meant are the ACLs that are applied to an interface. So, do not remove them.

"I was also told that the same-security-traffic permit inter-interface / same-security-traffic permit intra-interface no longer apply because I am using NAT exempt..."

I think this is not true; it is working for me in 8.4. I think you need to enable nat-control in 8.2 to allow this.

"But if you say that the global policy is applied globally to all the ASA's interfaces, don't I need to tell the ASA to INSPECT all these services (Air Video, TCP, UDP, SSH, telnet, etc.)? None of them are defined in the global policy... might this be the problem?"

The global policy already defines 15 application layer protocols.

Regards,

AM


Re: ASA 5505 InterVLAN routing...

John,

I tested everything in my lab using version 8.0, configured the inside and DMZ interfaces with the same security level, configured the same-security-traffic command, and all are working fine.

Let me ask you, are you using a router or an unmanaged switch behind the ASA's inside interface? What is the default gateway of your internal hosts?

Can you talk more about your internal connectivity?

Regards,

AM


Re: ASA 5505 InterVLAN routing...

I do have an E4200 as an AP for my Wi-Fi on 192.168.10.0.

And my ASA is connected to that E4200... The devices get the DGW 192.168.10.1, and it is the actual VLAN 12 ASA interface address. The actual IP of the E4200 is 192.168.10.2.

I will give this a try...

hostname(config)# dhcpd option 3 ip gateway_ip

If you do not use the DHCP option 3 to define the default gateway, DHCP clients use the IP address of the management interface. The management interface does not route traffic.


Re: ASA 5505 InterVLAN routing...

What about the House-LAN?


ASA 5505 InterVLAN routing...

Yes, it also gave the WIFI DGW to the House-LAN VLAN!!!

Still looking... But I am close.


Re: ASA 5505 InterVLAN routing...

Ok, make sure that all default gateway information is correct.

Hosts in VLAN12 should have 192.168.10.1 as their DGW

Hosts in VLAN1 should have 192.168.1.1 as their DGW

I would also recommend picking a single device in each VLAN and assigning it a static IP configuration, just for testing, to clear all doubts.

Another important recommendation: try to use another VLAN rather than VLAN 1 (e.g. VLAN 100), as VLAN 1 is sometimes used by the ASA for control traffic such as VTP, PAgP, LACP, etc., and it shouldn't be used by user traffic.

Regards,

AM


Re: ASA 5505 InterVLAN routing...

Ok,

There is no way to change the DGW on the dhcpd. It will always take the interface IP address as its DGW.

The thing is, I am using an E4200 as an AP to connect to Wi-Fi, and even if I have disabled the firewall in it, it is sitting between the Wi-Fi devices and the ASA. Since the Cisco E4200's yellow (Internet) port is not bridged with the blue (device) ports, I have to connect the ASA and the devices (LAN and Wi-Fi) all on the blue ports... I think this is the root of the problem. The E4200, even if it gives me access to the Internet, cannot route the other services through it... (SSH, Air Video, telnet, etc.)

I will connect a PC directly to the ASA on VLAN 12, to see if I can SSH through the ASA to VLAN 1, bypassing the AP.

I will also try using VLAN 100 instead.


Re: ASA 5505 InterVLAN routing...

Got it working.

Had a bad route on the ASA, and had to set up the E4200 as a bridged network. With the new firmware, it is possible to assign an IP to the E4200 and set it up as 100% AP, which bypasses the firewall (even if the firewall was off in router mode).

Thanks to all here: AM, Julio, Jouni and all that really helped in poking my ASA.

I'll keep on studying and getting my 5th Cisco cert.

John Bachman.


Re: ASA 5505 InterVLAN routing...

Glad to hear that it's working with you.

Please feel free to ask any questions at any time.

Regards,

AM
