ASA5505 LAN communication trouble

maver1ck4000
Level 1

Hello, I am the admin for a small company. We host about 20 servers for development and internal applications, and 4 servers for web hosting and external application hosting for clients. I started here two years ago, and when I started we had one server and hardly any networking equipment at all. I was pretty new to Cisco, and after talking to some reps they talked us into getting an ASA5505 instead of a router. I have enjoyed learning about this device over the past year, but it's not exactly a perfect fit; I think what we really needed was a true router, but I have made it work thus far. Since we have started growing and adding servers so quickly we have moved to a larger office, and now I have the task of splitting the network and organizing everything for further growth. I thought this would be a simple task, but with the ASA I have not been able to get my networks to talk to each other correctly. What I want to do is pretty straightforward, but I have no access to a true router, nor do I have any layer 3 switches/managed switches, just plain ole dumb switches. Right now the ASA is handling all routing and VPN traffic, and without having to spend any money, I would like to split up my networks. I'm not very well versed in this area; I don't understand every aspect of subnetting, but reading about it hasn't really helped me much either.

What I want to do is, without using a VLAN: I have the 10.0.0.0 network, which is working fine, and 10.0.1.0 is VPN and is also working fine, but I want to add 10.0.2.0 and 3, 4 and 5 and so on as I need them. I have been able to add these and get everything to work, but for some reason I cannot access any of these networks from the 10.0.0.0 network, which might not be a big deal until I start moving things around, then it's going to be a headache. I am able to get on the internet with my test machines, and I am able to access servers and other resources on the 10.0.0.0 network from these, except my domain controller; I have not been able to get any machines to join the domain on 10.0.0.0 yet. However, I also cannot RDP to any server on the 10.0.5.0 network from the 10.0.0.0 network. It is resolving names from WINS, and things like that, but there are still a few things that I'm missing. I have attached my current config and will be working on this until I get it figured out; any help you can give would be appreciated.

5 Replies

Kureli Sankar
Cisco Employee

Your inside network according to the firewall config is 10.0.0.0/16 or is it supposed to be /24?

Meaning

10.0.2.0/16

10.0.3.0/16

10.0.4.0/16

10.0.5.0/16

All belong in the same subnet.

There is no need for routes and there is no need for static(inside,inside) either.

You will have one big flat layer 2 network.

You mention all the switches are just layer 2 switches. If so, which device is 10.0.1.1?

That device is supposed to do the routing.

The topology should look like this.

                  Inside-Network2
                         |
Inside networks1------Router------ASA------Internet
                         |
                  Inside-Network3

There is no need for the inside networks to come to the ASA to talk among themselves. The default route on the router should point to the ASA's inside interface IP address for all internet destined traffic.

The ASA isn't a true router, but it's all I've got since I was told it would work for us.

                  Inside Network2
                         |
Inside Network1--------ASA------Internet
                         |
                  Inside Network3

10.0.1.1 is the VPN gateway, I assume. VPN users are able to use everything like normal. They connect and are assigned a 10.0.1.0 IP using DHCP.

Everything should be /24; I was messing around with some settings, not sure if I changed that or not. I can try to remove all that stuff from the ASA, but with all the traffic going through there, it seems like I need some kind of rules for it to route to the correct place. And how am I supposed to set up gateway addresses? It shouldn't be this hard.

Please refer to the link below:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1056883

What license do you have?

You could configure VLANs for each of your inside networks.

You can configure them with same security level and allow communication with the same-security-traffic permit inter-interface command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814

With this configuration, each of the networks will use the IP address of its respective VLAN interface on your 5505 as its gateway.
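The two conditions raised in these replies (a /16 mask that folds every inside network into one subnet, and VLAN interfaces at the same security level that need "same-security-traffic permit inter-interface" before they will pass traffic) can be checked mechanically before touching the box. The Python below is an added example, not code from this thread or from Cisco: it parses a constructed ASA config written in the shape the thread describes (the VLAN numbers, nameifs, the /16 on the inside VLAN and the 203.0.113.2 outside address are all assumptions) and reports both findings, then shows the same config with the replies' fixes applied.

```python
import re
from ipaddress import IPv4Interface

# Constructed sample in the shape of the ASA 5505 config discussed in the
# thread (not the poster's attached config): two inside VLANs at
# security-level 100, the first still carrying a /16 mask.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan3
 nameif servers
 security-level 100
 ip address 10.0.5.1 255.255.255.0
!
"""

# Same config after the two fixes the replies call for: /24 masks on the
# inside VLANs and same-security traffic explicitly permitted.
FIXED_CONFIG = SAMPLE_CONFIG.replace("255.255.0.0", "255.255.255.0") + \
    "same-security-traffic permit inter-interface\n"


def parse_interfaces(config):
    """Return {nameif: {"security": int, "addr": IPv4Interface}} for each
    'interface' block that carries both a nameif and an ip address."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {}
        elif current is None:
            continue
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            current["security"] = int(line.split()[1])
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            current["addr"] = IPv4Interface(f"{ip}/{mask}")
        elif line == "!":  # end of the interface block
            if "nameif" in current and "addr" in current:
                interfaces[current["nameif"]] = current
            current = None
    return interfaces


def overlapping_subnets(interfaces):
    """Pairs of named interfaces whose connected subnets overlap. With a /16
    on 'inside', 10.0.5.0/24 is already part of the inside subnet, so the
    ASA cannot route between the two VLANs sensibly."""
    names = sorted(interfaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if interfaces[a]["addr"].network.overlaps(interfaces[b]["addr"].network)]


def same_security_groups(interfaces):
    """Lists of interfaces that share a security level (groups of 2+ only)."""
    by_level = {}
    for name, iface in interfaces.items():
        by_level.setdefault(iface["security"], []).append(name)
    return [sorted(n) for n in by_level.values() if len(n) > 1]


def lint(config):
    """Findings a practitioner would want to clear before troubleshooting further."""
    interfaces = parse_interfaces(config)
    findings = []
    for a, b in overlapping_subnets(interfaces):
        findings.append(f"overlap: {a} {interfaces[a]['addr']} and {b} {interfaces[b]['addr']}")
    permitted = re.search(r"^same-security-traffic permit inter-interface\s*$",
                          config, re.MULTILINE) is not None
    for group in same_security_groups(interfaces):
        if not permitted:
            findings.append("same security level without 'same-security-traffic "
                            f"permit inter-interface': {', '.join(group)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or ["no findings"])
```

Run against a real "show running-config" the same way; the parser only looks at interface blocks and the one global command, so unrelated lines are ignored.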

I see now, I knew there had to be a way. That got me a step closer I think, but I am still unable to communicate from the 10.0.0.0 to the 10.0.5.0 network; I'm getting different errors depending on what I try. One is "portmap translation creation failed"; then when I add NAT rules I still get a SYN timeout. If I add a dynamic rule I get a NAT error like nothing exists.

interface vlan 3
 nameif servers
 security-level 100
 ip address 10.0.5.1 255.255.255.0
interface ethernet0/1
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,3
 switchport mode trunk

I added this to my config. I have licenses for 8 trunks, 20 VLANs, and unlimited DMZ.

Make sure the hosts behind vlan1 can ping the vlan1 IP address on the ASA and the hosts behind vlan3 can ping the vlan3 interface IP address.

Then, try to ping vlan3 hosts from vlan1 hosts.

SYN timeout means that the host on the other side is not responding, or its response is not arriving at the host that sent the request.

At this point you need to start collecting captures on both the interfaces to see if the packets are ingressing and egressing the appropriate interfaces.

If you are running 7.2.4 or later code you can use the match keyword in the capture:

cap capin int inside match ip host 10.0.5.x any
cap capdmz int dmz match ip host 10.0.5.x any
sh cap capin
sh cap capdmz

You can clear them by issuing:

clear cap capin
clear cap capdmz

Do a simple ping test before trying a TCP flow. To make it simpler, first try one interface at security level 100 and the other at something like 50 or 60.

Good luck.
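Reading the two captures side by side is the diagnostic step this reply describes: the question is not whether the SYN times out but where the handshake stops. The Python below is an added example, not code from this thread or from Cisco. It parses constructed lines in the text layout "show capture" prints (sequence number, timestamp, src.port > dst.port: flags) and classifies the failure; the client 10.0.0.10, the server 10.0.5.20, RDP port 3389 and the sequence numbers are all made-up sample values, and the verdict strings are this example's own.

```python
import re

# Constructed 'show capture' style output (not from the thread): a VLAN1 host
# 10.0.0.10 trying RDP (3389) to 10.0.5.20 behind VLAN3. The SYN arrives on
# the inside interface and leaves the server-facing one, but nothing comes back,
# so the client retransmits: the "host not responding" case in the reply.
CAPIN = """\
   1: 09:13:39.185347 10.0.0.10.50123 > 10.0.5.20.3389: S 3891227133:3891227133(0) win 8192 <mss 1460>
   2: 09:13:42.184911 10.0.0.10.50123 > 10.0.5.20.3389: S 3891227133:3891227133(0) win 8192 <mss 1460>
"""
CAPDMZ = """\
   1: 09:13:39.185520 10.0.0.10.50123 > 10.0.5.20.3389: S 3891227133:3891227133(0) win 8192 <mss 1460>
   2: 09:13:42.185077 10.0.0.10.50123 > 10.0.5.20.3389: S 3891227133:3891227133(0) win 8192 <mss 1460>
"""
# The same flow once the server answers: a SYN/ACK ('S.') seen on both sides.
CAPDMZ_OK = CAPDMZ + "   3: 09:13:39.185900 10.0.5.20.3389 > 10.0.0.10.50123: S. 1:1(0) ack 3891227134 win 64240\n"
CAPIN_OK = CAPIN + "   3: 09:13:39.186000 10.0.5.20.3389 > 10.0.0.10.50123: S. 1:1(0) ack 3891227134 win 64240\n"

# seq: timestamp src.sport > dst.dport: flags ...   (flags use tcpdump letters)
LINE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+([SFRP.]+)")


def parse_capture(text):
    """Return (src, sport, dst, dport, flags) for every TCP line in the capture."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            pkts.append((src, int(sport), dst, int(dport), flags))
    return pkts


def has_syn(pkts, client, server, port):
    """A bare SYN from the client toward server:port."""
    return any(p[0] == client and p[2] == server and p[3] == port and p[4] == "S"
               for p in pkts)


def has_synack(pkts, client, server, port):
    """A SYN/ACK from server:port back toward the client."""
    return any(p[0] == server and p[1] == port and p[2] == client and p[4] == "S."
               for p in pkts)


def diagnose(cap_ingress, cap_egress, client, server, port):
    """Classify a SYN timeout by where the handshake stops, given captures on
    the client-facing (ingress) and server-facing (egress) ASA interfaces."""
    ing, eg = parse_capture(cap_ingress), parse_capture(cap_egress)
    if not has_syn(ing, client, server, port):
        return "SYN_NOT_REACHING_ASA"   # client's gateway / routing, not the ASA
    if not has_syn(eg, client, server, port):
        return "SYN_DROPPED_BY_ASA"     # NAT, access rule or same-security policy
    if not has_synack(eg, client, server, port):
        return "NO_REPLY_FROM_SERVER"   # host firewall, or the server's own gateway
    if not has_synack(ing, client, server, port):
        return "REPLY_DROPPED_BY_ASA"   # reply arrived but was not forwarded back
    return "HANDSHAKE_OK"


if __name__ == "__main__":
    print(diagnose(CAPIN, CAPDMZ, "10.0.0.10", "10.0.5.20", 3389))
    print(diagnose(CAPIN_OK, CAPDMZ_OK, "10.0.0.10", "10.0.5.20", 3389))
```

Paste the output of "sh cap capin" and "sh cap capdmz" into the two capture arguments; the verdict tells you which side to look at next, which is the point of capturing on both interfaces rather than one.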
