04-28-2010 01:38 AM - edited 03-11-2019 10:38 AM
Hi, and thank you in advance for your help
(sorry for the mistakes in the text).
I have had a problem for 3 weeks with my FW ASA5510.
At the beginning I had the network on one VLAN, the default VLAN, but to increase the bandwidth I made 2 VLANs.
(I have an Allied Telesyn 8326 switch.)
I have configured the firewall; the VLANs have internet, but it is impossible to communicate with the other VLANs (I have kept the default VLAN for my network, but I have read that this is not good, am I right?).
I use ASDM and the integrated Packet Tracer, and when I test traffic, the packets are stopped because of the ACLs, but on all VLAN interfaces I have:
access-list VLAN_X_access_in extended permit ip any any (applied "in")
I don't know why the traffic is not forwarded. I have put a lower security-level (50) on the VLAN interfaces.
What is the problem??
PS: to help myself I looked at https://supportforums.cisco.com/message/3051647#3051647, but nothing works.
Thanks again
04-28-2010 04:26 AM
Can you share the following configuration:
sh run int
sh run static
sh run nat
sh run global
And any access-list that is associated with the above NAT statements, if any. Thanks.
04-28-2010 05:15 AM
TECNOASA5510# sh run int
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address X.X.X.117 255.255.255.248
ospf cost 10
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.2.120 255.255.255.0
ospf cost 10
!
interface Ethernet0/1.10
description VLAN_Reseau_Wifi
vlan 10
nameif VLAN_10
security-level 50
ip address 192.168.3.10 255.255.255.0
ospf cost 10
!
interface Ethernet0/1.20
vlan 20
nameif VLAN_20
security-level 50
ip address 192.168.4.10 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
nameif DMZ
security-level 50
ip address 10.0.10.20 255.255.255.0
ospf cost 10
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
----
TECNOASA5510# sh run static
static (Inside,Outside) COURRIER.TECNOMA.COM SERVEUR2003 netmask 255.255.255.255
----
TECNOASA5510# sh run nat
nat (Outside) 101 10.0.20.0 255.255.255.0
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (VLAN_10) 101 192.168.3.0 255.255.255.0
nat (VLAN_20) 101 192.168.4.0 255.255.255.0
----
TECNOASA5510# sh run global
global (Outside) 101 interface
----
TECNOASA5510# sh run access-list
access-list Outside_access_in extended permit tcp any host COURRIER.TECNOMA.COM object-group DM_INLINE_TCP_1
access-list Outside_access_in extended permit tcp SMTP-ORANGE 255.255.252.0 host COURRIER.TECNOMA.COM eq smtp
access-list Outside_access_in remark management port 25
access-list Outside_access_in extended permit tcp any any eq smtp
access-list VPNCLIENT_splitTunnelAcl standard permit any
access-list Inside_nat0_outbound extended permit ip any 10.0.20.0 255.255.255.192
access-list Inside_access_in remark management port 25
access-list Inside_access_in extended deny tcp any any eq smtp inactive
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit object-group TCPUDP any any inactive
access-list VLAN_10_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list VLAN_20_access_in extended permit ip 192.168.4.0 255.255.255.0 any
access-list out_access_in extended permit ip any 192.168.4.0 255.255.255.0
----
TECNOASA5510# sh run access-group
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group VLAN_10_access_in in interface VLAN_10
access-group VLAN_20_access_in in interface VLAN_20
04-28-2010 05:23 AM
I assume that you would like to communicate between VLAN_Reseau_Wifi and VLAN_20 interfaces?
If that is the case, then you would need to configure the following:
same-security-traffic permit inter-interface
static (VLAN_10,VLAN_20) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
Hope that helps.
04-28-2010 05:26 AM
Hi,
It seems you want all the VLANs to communicate with each other. So, I assume that you want the inside, VLAN_10 and VLAN_20 to communicate with each other. Following are the commands required:
static (Inside,VLAN_10) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,VLAN_20) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (VLAN_20,VLAN_10) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (VLAN_10,VLAN_20) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
HTH
Regards,
Ashu
04-28-2010 05:46 AM
Thanks for your answers.
Just one thing: VLAN 10 is for the wifi network, but it must be separated from the other networks (because it is a free access point and I don't want everyone to be able to see the data on the private LAN); that is why, for this VLAN, the problem is the solution ^^.
And Inside is VLAN 1, and I just want VLAN 20 to be able to communicate with Inside (VLAN 1).
I will try the configuration and give you the result.
04-28-2010 05:49 AM
If you just want vlan 20 to communicate with inside, then here is the only static statement required:
static (inside,VLAN_20) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
04-28-2010 06:08 AM
I have entered all the commands to make a test, but it's not working; it's impossible to ping the interface from VLAN_20 or from another one.
TECNOASA5510# sh run sta
static (Inside,Outside) COURRIER.TECNOMA.COM SERVEUR2003 netmask 255.255.255.255
static (Inside,VLAN_20) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,VLAN_10) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (VLAN_20,VLAN_10) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (VLAN_10,VLAN_20) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
Maybe it's a problem with the ACL or the dynamic NAT?
04-28-2010 06:17 AM
Hi,
If you want only inside to communicate with VLAN_20, then do the following:
no static (Inside,VLAN_10) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
no static (VLAN_20,VLAN_10) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
no static (VLAN_10,VLAN_20) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
clear xlate
clear local
Try to ping after that, and if it still fails, send me the output of the following:
packet-tracer input Inside icmp 192.168.2.10 8 0 192.168.4.10 detailed
Regards,
Ashu
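The nat/global/static behaviour the thread is working around (a matching `nat` rule with no `global` on the egress interface, fixed by an identity `static`) can be reasoned about offline. The following Python is an added example written for this thread, not code from Cisco or from anyone posting here: it parses a constructed subset of the configuration posted above (interface security levels, nat/global/static lines, extended `ip` ACLs and their access-groups) and reports, for one new flow, which of the three checks stops it. The `Asa`, `parse` and `check` names, the simplified rule that a static between two interfaces covers both directions and takes precedence over dynamic NAT, and the sample host addresses are assumptions of the example, as is the omission of nat 0, policy NAT and non-ip ACL entries.

```python
"""Toy model of the ASA 8.2 (pre-8.3) checks discussed in this thread: security
levels, the inbound ACL on the ingress interface and the nat/global/static
lookup. Constructed for this thread, not Cisco code; it ignores nat 0, policy
NAT and ACL protocols other than ip."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Asa:
    ifcs: dict = field(default_factory=dict)         # nameif -> security-level
    same_sec_inter: bool = False                     # same-security-traffic permit inter-interface
    nat: list = field(default_factory=list)          # (ifc, nat_id, network)
    global_pools: set = field(default_factory=set)   # (ifc, nat_id)
    statics: list = field(default_factory=list)      # (real_ifc, mapped_ifc, real_net, mapped_net)
    acls: dict = field(default_factory=dict)         # name -> [(action, src_net, dst_net)]
    groups: dict = field(default_factory=dict)       # ingress ifc -> acl name

def _net(addr, mask=None):
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _acl_addr(w, i):
    """One address operand of an extended ACE -> (network, index after it)."""
    if w[i] == "any":
        return _net("any"), i + 1
    return _net(w[i], w[i + 1]), i + 2

def parse(text):
    asa, cur = Asa(), None
    for w in map(str.split, text.splitlines()):
        if not w:
            continue
        if w[0] == "nameif":
            cur = w[1]
        elif w[0] == "security-level":
            asa.ifcs[cur] = int(w[1])
        elif w[:2] == ["same-security-traffic", "permit"] and w[2] == "inter-interface":
            asa.same_sec_inter = True
        elif w[0] == "nat":                          # nat (ifc) id net mask
            asa.nat.append((w[1].strip("()"), w[2], _net(w[3], w[4])))
        elif w[0] == "global":                       # global (ifc) id interface|pool
            asa.global_pools.add((w[1].strip("()"), w[2]))
        elif w[0] == "static":                       # static (real,mapped) mapped real netmask m
            real_ifc, mapped_ifc = w[1].strip("()").split(",")
            asa.statics.append((real_ifc, mapped_ifc, _net(w[3], w[5]), _net(w[2], w[5])))
        elif w[0] == "access-list" and w[2:5:2] == ["extended", "ip"] and "inactive" not in w:
            src, i = _acl_addr(w, 5)
            dst, _ = _acl_addr(w, i)
            asa.acls.setdefault(w[1], []).append((w[3], src, dst))
        elif w[0] == "access-group":                 # access-group NAME in interface IFC
            asa.groups[w[4]] = w[1]
    return asa

def check(asa, src_ifc, src_ip, dst_ifc, dst_ip):
    """Return (forwarded, reason) for a new flow entering src_ifc and leaving dst_ifc."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    s_lvl, d_lvl = asa.ifcs[src_ifc], asa.ifcs[dst_ifc]
    if s_lvl == d_lvl and not asa.same_sec_inter:
        return False, "same-security-traffic permit inter-interface missing"
    acl = asa.groups.get(src_ifc)
    if acl is None:                      # no ACL bound: only high-to-low passes
        if s_lvl < d_lvl:
            return False, f"no ACL on {src_ifc}, low-to-high denied by default"
    else:                                # first matching ACE decides, else implicit deny
        for action, s_net, d_net in asa.acls.get(acl, []):
            if src in s_net and dst in d_net:
                if action == "deny":
                    return False, f"ACL {acl} denies the flow"
                break
        else:
            return False, f"ACL {acl} implicit deny"
    # Assumed simplification: a static between the pair covers both directions and wins.
    for real_ifc, mapped_ifc, real_net, mapped_net in asa.statics:
        fwd = (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and src in real_net
        rev = (real_ifc, mapped_ifc) == (dst_ifc, src_ifc) and dst in mapped_net
        if fwd or rev:
            return True, "forwarded via static"
    for ifc, nat_id, net in asa.nat:     # dynamic NAT needs a global on the egress ifc
        if ifc == src_ifc and src in net:
            if (dst_ifc, nat_id) in asa.global_pools:
                return True, f"forwarded via nat/global id {nat_id}"
            return False, f"nat id {nat_id} matches but no global on {dst_ifc}"
    return True, "forwarded, no NAT rule matched"

# Constructed subset of the configuration posted in this thread.
THREAD_CONFIG = """
 nameif Inside
 security-level 100
 nameif VLAN_10
 security-level 50
 nameif VLAN_20
 security-level 50
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (VLAN_10) 101 192.168.3.0 255.255.255.0
nat (VLAN_20) 101 192.168.4.0 255.255.255.0
global (Outside) 101 interface
access-list Inside_access_in extended permit ip any any
access-list VLAN_20_access_in extended permit ip 192.168.4.0 255.255.255.0 any
access-group Inside_access_in in interface Inside
access-group VLAN_20_access_in in interface VLAN_20
"""
# The one line the thread ends up keeping: identity static between Inside and VLAN_20.
FIX = "static (Inside,VLAN_20) 192.168.2.0 192.168.2.0 netmask 255.255.255.0\n"
```

Calling `check(parse(THREAD_CONFIG), "Inside", "192.168.2.10", "VLAN_20", "192.168.4.50")` stops at the NAT step with the "no global on VLAN_20" reason, which is the condition the identity static removes; with `FIX` appended the same call and the reverse direction both return "forwarded via static", while VLAN_10 to VLAN_20 is still stopped by the missing same-security-traffic permit inter-interface, the isolation the original poster wants for the wifi VLAN. The ASA's own packet-tracer remains the authoritative check; the model only makes the order of the decisions visible.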
04-28-2010 06:29 AM
It works!!
Thank you for your answers.
But it's really strange: I can ping a computer in another VLAN or in Inside, but I can't ping the interface; I can't connect to the router from a VLAN...
04-28-2010 06:32 AM
Hi,
Yes, that's by design. If you are sitting on inside then you can ping and access any other device sitting behind any other interface (e.g. VLAN_10). However, you CANNOT ping/telnet/ssh/asdm to the interface IP of VLAN_10 if you are coming from inside. That's by design.
HTH
Regards,
Ashu
04-28-2010 06:35 AM
OK, thanks.
I can continue my work now.
Thanks a lot.