Cisco Support Community
New Member

ASA 5510, problems with ACL on VLAN

Hi, thank you in advance for your help

(sorry for the mistakes in the text)

I have had a problem for 3 weeks with my FW ASA5510.

At the beginning, I had a network on one VLAN, the default VLAN, but to increase the bandwidth, I made 2 VLANs.

(I have an Allied Telesyn 8326 switch)

I have configured the firewall; the VLANs have Internet access but it's impossible to communicate with the other VLANs (I have kept the default VLAN for my network, but I have read that it's not good, am I right?)

I use ASDM and the integrated Packet Tracer, and when I run a traffic test, the packets are dropped because of the ACLs, but I have on all VLAN interfaces:

access-list VLAN_X_access_in extended permit ip any any   (configuration "in")

I don't know why the traffic is not forwarded. I have put a lower security-level (50) on the VLAN interfaces.

What is the problem??

PS: to help myself I have looked at this https://supportforums.cisco.com/message/3051647#3051647 , but nothing works.

thanks again

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: ASA 5510, problems with ACL on VLAN

Hi,

It seems you want all the vlans to communicate with each other. So, I assume that you want the inside, VLAN_10 and VLAN_20 to communicate with each other. Following are the commands required:

static (Inside,VLAN_10) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,VLAN_20) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (VLAN_20,VLAN_10) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (VLAN_10,VLAN_20) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

same-security-traffic permit inter-interface

HTH

Regards,
Ashu

11 REPLIES
Cisco Employee

Re: ASA 5510, problems with ACL on VLAN

Can you share the following configuration:

sh run int

sh run static

sh run nat

sh run global

And any access-list which is associated with the above NAT statement if any. Thanks.

New Member

Re: ASA 5510, problems with ACL on VLAN

TECNOASA5510# sh run int
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address X.X.X.117 255.255.255.248
 ospf cost 10
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.2.120 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1.10
 description VLAN_Reseau_Wifi
 vlan 10
 nameif VLAN_10
 security-level 50
 ip address 192.168.3.10 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1.20
 vlan 20
 nameif VLAN_20
 security-level 50
 ip address 192.168.4.10 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 nameif DMZ
 security-level 50
 ip address 10.0.10.20 255.255.255.0
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only

--------------------------------------------------------------------------------

TECNOASA5510# sh run static
static (Inside,Outside) COURRIER.TECNOMA.COM SERVEUR2003 netmask 255.255.255.255

--------------------------------------------------------------------------------

TECNOASA5510# sh run nat
nat (Outside) 101 10.0.20.0 255.255.255.0
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (VLAN_10) 101 192.168.3.0 255.255.255.0
nat (VLAN_20) 101 192.168.4.0 255.255.255.0

--------------------------------------------------------------------------------

TECNOASA5510# sh run global
global (Outside) 101 interface

--------------------------------------------------------------------------------

TECNOASA5510# sh run access-list
access-list Outside_access_in extended permit tcp any host COURRIER.TECNOMA.COM object-group DM_INLINE_TCP_1
access-list Outside_access_in extended permit tcp SMTP-ORANGE 255.255.252.0 host COURRIER.TECNOMA.COM eq smtp
access-list Outside_access_in remark management port 25
access-list Outside_access_in extended permit tcp any any eq smtp
access-list VPNCLIENT_splitTunnelAcl standard permit any
access-list Inside_nat0_outbound extended permit ip any 10.0.20.0 255.255.255.192
access-list Inside_access_in remark management port 25
access-list Inside_access_in extended deny tcp any any eq smtp inactive
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit object-group TCPUDP any any inactive
access-list VLAN_10_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list VLAN_20_access_in extended permit ip 192.168.4.0 255.255.255.0 any
access-list out_access_in extended permit ip any 192.168.4.0 255.255.255.0

--------------------------------------------------------------------------------

TECNOASA5510# sh run access-group
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group VLAN_10_access_in in interface VLAN_10
access-group VLAN_20_access_in in interface VLAN_20

Cisco Employee

Re: ASA 5510, problems with ACL on VLAN

I assume that you would like to communicate between  VLAN_Reseau_Wifi and VLAN_20 interfaces?

If that is the case, then you would need to configure the following:

same-security-traffic permit inter-interface

static (VLAN_10,VLAN_20) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

Hope that helps.

New Member

Re: ASA 5510, problems with ACL on VLAN

Thanks for your answers,

Just one thing: VLAN 10 is for the Wi-Fi network, but it must be separate from the other networks (because it's a free access point and I don't want everyone to be able to see the data on the private LAN), so for this VLAN, the problem is the solution ^^.

And Inside is VLAN 1, and I just want VLAN 20 to be able to communicate with Inside (VLAN 1).

I will try the configuration and give you the result.

Cisco Employee

Re: ASA 5510, problems with ACL on VLAN

If you just want vlan 20 to communicate with inside, then here is the only static statement required:

static (inside,VLAN_20) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

New Member

Re: ASA 5510, problems with ACL on VLAN

I have entered all the commands to make a test, but it's not working; it's impossible to ping the interface from VLAN_20 or another.

TECNOASA5510# sh run sta
static (Inside,Outside) COURRIER.TECNOMA.COM SERVEUR2003 netmask 255.255.255.255
static (Inside,VLAN_20) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,VLAN_10) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (VLAN_20,VLAN_10) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (VLAN_10,VLAN_20) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

Maybe it's a problem with the ACL or the dynamic NAT?

New Member

Re: ASA 5510, problems with ACL on VLAN

Hi,

If you want only inside to communicate with VLAN_20, then do the following:

no static (Inside,VLAN_10) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
no static (VLAN_20,VLAN_10) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
no static (VLAN_10,VLAN_20) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

clear xlate

clear local-host

Try to ping after that, and if it still fails, send me the output of the following:

packet-tracer input Inside icmp 192.168.2.10 8 0 192.168.4.10 detailed

Regards,

Ashu

New Member

Re: ASA 5510, problems with ACL on VLAN

It works!!

Thank you for your answers,

But it's really strange: I can ping a computer in another VLAN or Inside, but I can't ping the interface; I can't connect to the router from a VLAN...

New Member

Re: ASA 5510, problems with ACL on VLAN

Hi,

Yes, that's by design. If you are sitting on inside then you can ping and access any other device sitting behind any other interface (e.g. VLAN_10). However, you CANNOT ping/telnet/ssh/asdm to the interface ip of VLAN_10 if you are coming from inside. That's by design.

HTH

Regards,

Ashu

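Added example, not from the thread and not Cisco code: a small Python model of the pre-8.3 ASA decisions behind the accepted solution (a host that matches a dynamic `nat` rule needs a translation on every egress interface, which the identity `static` lines supply, and equal security levels need `same-security-traffic permit inter-interface`) and behind the "by design" note just above (an interface IP other than the one the packet arrived on is not reachable through the box). The rule set, the `Asa` class, the 203.0.113.117/29 stand-in for the poster's X.X.X.117 Outside address and the host addresses used in the traces are assumptions of this model, not packet-tracer output from the poster's firewall.

```python
from ipaddress import ip_address, ip_interface, ip_network


class Asa:
    """Simplified model of pre-8.3 ASA forwarding rules (an assumption, not Cisco's code)."""

    def __init__(self):
        self.ifs = {}          # nameif -> (security level, interface ip, connected network)
        self.nat = {}          # nameif -> [(nat id, real network)]     dynamic `nat`
        self.globals_ = {}     # nameif -> {nat id}                     `global`
        self.statics = []      # (real_if, mapped_if, network)          identity `static`
        self.acls = {}         # nameif -> [(permit, src net, dst net)] ingress ACL
        self.same_security = False   # same-security-traffic permit inter-interface
        self.default_if = None       # interface the default route points out of

    def interface(self, nameif, level, cidr):
        i = ip_interface(cidr)
        self.ifs[nameif] = (level, i.ip, i.network)

    def nat_rule(self, ifc, nat_id, prefix):
        self.nat.setdefault(ifc, []).append((nat_id, ip_network(prefix)))

    def global_rule(self, ifc, nat_id):
        self.globals_.setdefault(ifc, set()).add(nat_id)

    def static(self, real_if, mapped_if, prefix):
        self.statics.append((real_if, mapped_if, ip_network(prefix)))

    def acl(self, ifc, permit, src, dst):
        self.acls.setdefault(ifc, []).append((permit, ip_network(src), ip_network(dst)))

    def trace(self, in_if, src, dst):
        """Condensed packet-tracer: returns (verdict, phase and reason)."""
        src, dst = ip_address(src), ip_address(dst)
        for name, (_, ifip, _) in self.ifs.items():          # traffic to the ASA itself
            if dst == ifip:
                if name == in_if:
                    return "ALLOW", "to-the-box on the ingress interface"
                return "DROP", f"interface ip of {name} is not reachable from {in_if}"
        out_if = next((n for n, (_, _, net) in self.ifs.items() if dst in net), self.default_if)
        if out_if is None or out_if == in_if:
            return "DROP", "ROUTE-LOOKUP: no other interface owns the destination"
        in_level, out_level = self.ifs[in_if][0], self.ifs[out_if][0]
        if in_level == out_level and not self.same_security:
            return "DROP", "ACCESS-LIST: equal security levels, same-security-traffic not permitted"
        rules = self.acls.get(in_if)
        if rules is None:                                       # no ACL bound: implicit policy
            if in_level < out_level:
                return "DROP", "ACCESS-LIST: implicit deny, lower to higher security"
        elif not next((p for p, s, d in rules if src in s and dst in d), None):
            return "DROP", f"ACCESS-LIST: denied by the {in_if} ingress ACL"
        for nat_id, net in self.nat.get(in_if, []):            # source matched a dynamic nat?
            if src in net:
                if nat_id in self.globals_.get(out_if, set()):
                    return "ALLOW", f"NAT: dynamic PAT, global {nat_id} on {out_if}"
                if any(r == in_if and m == out_if and src in n for r, m, n in self.statics):
                    return "ALLOW", f"NAT: identity static ({in_if},{out_if})"
                return "DROP", f"NAT: no translation group for {src} towards {out_if}"
        return "ALLOW", "NAT: no nat rule matched, forwarded untranslated"


def ops_config():
    """Interfaces, nat/global and ACLs as posted in the thread (Outside address is a placeholder)."""
    asa = Asa()
    asa.interface("Outside", 0, "203.0.113.117/29")   # stands in for X.X.X.117/29
    asa.interface("Inside", 100, "192.168.2.120/24")
    asa.interface("VLAN_10", 50, "192.168.3.10/24")
    asa.interface("VLAN_20", 50, "192.168.4.10/24")
    asa.default_if = "Outside"
    asa.nat_rule("Inside", 101, "0.0.0.0/0")
    asa.nat_rule("VLAN_10", 101, "192.168.3.0/24")
    asa.nat_rule("VLAN_20", 101, "192.168.4.0/24")
    asa.global_rule("Outside", 101)
    asa.acl("Inside", True, "0.0.0.0/0", "0.0.0.0/0")
    asa.acl("VLAN_10", True, "192.168.3.0/24", "0.0.0.0/0")
    asa.acl("VLAN_20", True, "192.168.4.0/24", "0.0.0.0/0")
    return asa


def with_final_fix(asa):
    """The lines the thread ended with: one identity static plus same-security-traffic."""
    asa.static("Inside", "VLAN_20", "192.168.2.0/24")
    asa.same_security = True
    return asa


def demo():
    """Constructed host addresses; returns the verdict for each flow discussed in the thread."""
    before, after = ops_config(), with_final_fix(ops_config())
    return {
        "inside_to_internet": before.trace("Inside", "192.168.2.10", "198.51.100.7"),
        "inside_to_vlan20_before": before.trace("Inside", "192.168.2.10", "192.168.4.20"),
        "inside_to_vlan20_after": after.trace("Inside", "192.168.2.10", "192.168.4.20"),
        "inside_to_vlan20_interface_ip": after.trace("Inside", "192.168.2.10", "192.168.4.10"),
        "vlan10_to_vlan20_after": after.trace("VLAN_10", "192.168.3.30", "192.168.4.20"),
    }


if __name__ == "__main__":
    for flow, (verdict, why) in demo().items():
        print(f"{flow:32} {verdict:5} {why}")
```

Running `demo()` reproduces the symptom from the first post under this model: Internet access works because `global (Outside) 101` gives the `nat (Inside) 101 0.0.0.0 0.0.0.0` hosts a translation on Outside, while Inside to VLAN_20 is dropped in the NAT phase until the identity static exists. With the final lines applied, a ping from Inside to a VLAN_20 host passes, a ping to 192.168.4.10 is still dropped because that is VLAN_20's own interface address, and VLAN_10 stays cut off from VLAN_20 because no static covers it.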
New Member

Re: ASA 5510, problems with ACL on VLAN

Ok, thanks

I can continue my work now.

Thanks a lot.
