Can't get traffic flowing between VLANs on an ASA 5505

timschwartz1
Level 1

I've got an ASA 5505 with the Security Plus license that I'm trying to configure.


So far I have setup NATing on two VLANs, one called 16jda (VLAN 16 - 10.16.2.0/24) and one called 16jdc (VLAN 11 - 10.105.11.0/24).


From each subnet I am able to connect to the internet, but I need these subnets to also be able to talk to each other.


I have each VLAN interface at security level 100 and enabled "same-security-traffic permit inter-interface", and I have setup static NAT mappings between the two subnets, but they still can't communicate.


When I try to ping there is no reply and the only log message is:

6     Aug 21 2012     09:00:54     302020     10.16.2.10     23336     10.105.11.6     0     Built inbound ICMP connection for faddr 10.16.2.10/23336 gaddr 10.105.11.6/0 laddr 10.105.11.6/0


I have attached a copy of the router config.

1 Accepted Solution

Accepted Solutions

Hi Bro

I know your problem and I know exactly how to solve it too. You could refer to https://supportforums.cisco.com/message/3714412#3714412 for further details.

Moving forward, this is what you’re gonna paste in your FW. This should work like a charm.

!
access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.105.11.0 255.255.255.0
access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.16.2.0 255.255.255.0
access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.1.0 255.255.255.0
access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.11.0 255.255.255.0
access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.105.1.0 255.255.255.0
access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.16.2.0 255.255.255.0
!
nat (inside) 0 access-list from-inside
nat (16jdc) 0 access-list from-16jdc
nat (16jda) 0 access-list from-16jda
!
clear xlate
!
nat (inside) 1 10.105.1.0 255.255.255.0 <-- You forgot this!!
!

Basically, when inside wants to communicate with the other interfaces bearing security-level 100, e.g. 16jda or 16jdc, or vice-versa, you’ll need to enable “NAT Exemption”, i.e. nat (nameif) 0. I know you have already enabled the same-security permit inter-interface command, but this command becomes useless once you’ve enabled dynamic NAT on one of those interfaces. It’s as if the same-security traffic command wasn't even entered in the first place. Hence, the Cisco ASA is behaving as expected as per Cisco's documentation. For further details on this, you could refer to the URLs below:

https://supportforums.cisco.com/thread/223898

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530


Warm regards,
Ramraj Sivagnanam Sivajanam
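To make the NAT-exemption point above concrete, here is a small Python model of the ASA 8.2 NAT decision for a single packet. It is an added example, not code from the thread or from Cisco, and it deliberately models only the rules the accepted answer relies on. Assumptions, labelled in the comments: NAT exemption (nat 0 access-list) is evaluated before dynamic NAT; a source that matches a dynamic nat rule on its ingress interface needs a matching global on the egress interface or the packet is dropped as "no translation group found"; a source with no nat rule at all is forwarded untranslated (nat-control off); the "outside" interface carries the default route. The per-interface nat 1 rules on 16jda and 16jdc are assumed to mirror the thread, and the outside address block is a constructed documentation-range placeholder.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class Interface:
    nameif: str
    security_level: int
    network: IPv4Network


@dataclass
class AsaNatModel:
    """Simplified model of the ASA 8.2 per-packet NAT lookup (assumed order:
    nat 0 exemption, then dynamic nat/global pairs, then untranslated)."""
    interfaces: list[Interface]
    same_security_inter_interface: bool = True
    # nat (nameif) 0 access-list <acl>: (src_net, dst_net) entries per ingress interface
    exempt: dict[str, list[tuple[IPv4Network, IPv4Network]]] = field(default_factory=dict)
    # nat (nameif) <id> <net> <mask>: dynamic rules per ingress interface
    dynamic: dict[str, list[tuple[int, IPv4Network]]] = field(default_factory=dict)
    # global (nameif) <id> ...: nat ids that have a pool/PAT on an egress interface
    globals_: dict[str, set[int]] = field(default_factory=dict)

    def nat_exempt(self, nameif: str, src: str, dst: str) -> None:
        self.exempt.setdefault(nameif, []).append((ip_network(src), ip_network(dst)))

    def nat_dynamic(self, nameif: str, nat_id: int, net: str) -> None:
        self.dynamic.setdefault(nameif, []).append((nat_id, ip_network(net)))

    def global_interface(self, nameif: str, nat_id: int) -> None:
        self.globals_.setdefault(nameif, set()).add(nat_id)

    def interface_for(self, ip) -> Interface:
        """Connected-route lookup; anything else goes to 'outside' (assumed default route)."""
        for intf in self.interfaces:
            if intf.nameif != "outside" and ip in intf.network:
                return intf
        return next(i for i in self.interfaces if i.nameif == "outside")

    def lookup(self, src: str, dst: str) -> str:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        ingress, egress = self.interface_for(src_ip), self.interface_for(dst_ip)
        if ingress.nameif == egress.nameif:
            return "forward: same interface (hairpin, not modelled)"
        if (ingress.security_level == egress.security_level
                and not self.same_security_inter_interface):
            return "drop: same-security inter-interface traffic not permitted"
        # 1. NAT exemption wins over every other NAT rule: identity, no xlate needed.
        for src_net, dst_net in self.exempt.get(ingress.nameif, []):
            if src_ip in src_net and dst_ip in dst_net:
                return "forward: nat 0 exemption (no translation)"
        # 2. A dynamic nat rule on the ingress interface demands a global on the egress side.
        for nat_id, net in self.dynamic.get(ingress.nameif, []):
            if src_ip in net:
                if nat_id in self.globals_.get(egress.nameif, set()):
                    return f"forward: dynamic nat id {nat_id} via global ({egress.nameif})"
                return f"drop: no translation group found for {src_ip} -> {dst_ip} on {egress.nameif}"
        # 3. No nat rule for this source at all: forwarded untranslated (nat-control off).
        return "forward: untranslated"


def build_thread_topology(with_exemption: bool) -> AsaNatModel:
    """Constructed topology mirroring the thread: three security-level-100 VLANs
    behind one PAT on outside. The 203.0.113.0/30 block is a placeholder."""
    asa = AsaNatModel(interfaces=[
        Interface("outside", 0, ip_network("203.0.113.0/30")),
        Interface("inside", 100, ip_network("10.105.1.0/24")),
        Interface("16jda", 100, ip_network("10.16.2.0/24")),
        Interface("16jdc", 100, ip_network("10.105.11.0/24")),
    ])
    asa.global_interface("outside", 1)          # global (outside) 1 interface
    asa.nat_dynamic("inside", 1, "10.105.1.0/24")   # the line the answer says was missing
    asa.nat_dynamic("16jda", 1, "10.16.2.0/24")     # assumed, as in the thread
    asa.nat_dynamic("16jdc", 1, "10.105.11.0/24")   # assumed, as in the thread
    if with_exemption:
        for a, b in (("inside", "10.105.1.0/24"), ("16jda", "10.16.2.0/24"),
                     ("16jdc", "10.105.11.0/24")):
            for c, d in (("inside", "10.105.1.0/24"), ("16jda", "10.16.2.0/24"),
                         ("16jdc", "10.105.11.0/24")):
                if a != c:
                    asa.nat_exempt(a, b, d)         # nat (a) 0 access-list from-a
    return asa


if __name__ == "__main__":
    for exempt in (False, True):
        asa = build_thread_topology(with_exemption=exempt)
        print(f"exemption={exempt}: 16jda->16jdc: {asa.lookup('10.16.2.10', '10.105.11.6')}")
        print(f"exemption={exempt}: 16jda->internet: {asa.lookup('10.16.2.10', '8.8.8.8')}")
```

Run it and the two topologies differ only in the inter-VLAN case: without the nat 0 lists the 16jda source matches its dynamic rule, finds no global on 16jdc and is dropped, while internet-bound traffic still PATs out of outside either way. This is why "same-security-traffic permit inter-interface" alone did not help the original poster.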


12 Replies

Julio Carvajal
VIP Alumni

Hello Tim,

On a trunk is the following:

"same-security-traffic permit intra-interface"

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

>On a trunk is the following:

>"same-security-traffic permit intra-interface"

Thank you for the suggestion, but that didn't work.

Hello Tim,

As you have changed your config, if you want help from us you will need to attach it or post it.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

I have an ASA 5505 with 3 VLANs but they are unable to communicate. Please advise.

Following is the configuration.

HAWK-ASA# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname HAWK-ASA
domain-name hsmea.com
enable password A4KROCQZQWlF.ct5 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description WAN OUTSIDE
switchport access vlan 2
!
interface Ethernet0/1
description LAN INSIDE
!
interface Ethernet0/2
description Servers-Vlan
switchport access vlan 10
!
interface Ethernet0/3
description Voice Gateway 2811
switchport access vlan 10
shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
description OUTSIDE INTERFACE PPPOE
nameif outside
security-level 0
pppoe client vpdn group hawksol
ip address pppoe setroute
!
interface Vlan10
no forward interface Vlan1
nameif DMZ
security-level 100
ip address 10.172.192.254 255.255.255.0
!
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
domain-name hsmea.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network HAWK_BURDUBAI_LAN
network-object 192.168.172.0 255.255.255.0
object-group network HAWK_HQ_LAN
network-object 192.168.1.0 255.255.255.0
access-list HAWKSOL_VPN_TRAFFIC extended permit ip 192.168.172.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 192.168.172.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit icmp any any
access-list LANtoDMZ extended permit ip 192.168.1.0 255.255.255.0 10.172.192.0 255.255.255.0
access-list DMZtoLAN extended permit ip 10.172.192.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list LANtoDMZ
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZtoLAN
static (inside,outside) tcp interface 3389 192.168.1.110 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 1 match address HAWKSOL_VPN_TRAFFIC
crypto map OUTSIDE_MAP 1 set pfs
crypto map OUTSIDE_MAP 1 set peer 86.96.28.55
crypto map OUTSIDE_MAP 1 set transform-set MYSET
crypto map OUTSIDE_MAP interface outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
vpdn group hawksol request dialout pppoe
vpdn group hawksol localname nh1304
vpdn group hawksol ppp authentication pap
vpdn username nh1304 password *****
dhcpd dns 8.8.8.8
dhcpd auto_config outside
dhcpd option 150 ip 10.172.192.1
!
dhcpd address 192.168.1.50-192.168.1.80 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.138.141.172 source outside
webvpn
username admin password FSSr.BWCYVdYyR3l encrypted privilege 15
tunnel-group HAWKSOL-BURDUBAI-HQ-VPN type ipsec-l2l
tunnel-group HAWKSOL-BURDUBAI-HQ-VPN ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:15b8c30eecfa8f169bc7c2d0e706d255
: end
ASA#

Hi Bro

Please do this, and let me know how it goes

config t

clear configure access-list acl

access-list inside permit ip any any
access-list outside permit ip any any
access-list 16jda permit ip any any
access-list 16jdc permit ip any any

access-group 16jdc in interface 16jdc
access-group 16jda in interface 16jda
access-group outside in interface outside
access-group inside in interface inside

no access-list no-nat extended permit ip 10.105.0.0 255.255.0.0 10.16.0.0 255.255.0.0
no access-list no-nat extended permit ip 10.16.0.0 255.255.0.0 10.105.0.0 255.255.0.0

no nat (16jdc) 0 access-list no-nat
no nat (16jdc) 1 access-list acl
no nat (16jda) 0 access-list no-nat
no nat (16jda) 1 access-list acl


no static (16jdc,16jda) 10.105.11.0 10.105.11.0 netmask 255.255.255.0
no static (16jda,16jdc) 10.16.2.0 10.16.2.0 netmask 255.255.255.0


P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

Thank you,

I tried making these changes, but it still doesn't work.

When I run the command "ping 16jda 10.105.11.6" on the firewall I get this message in the log.

6     Aug 21 2012     17:22:01     110003     10.16.2.1     0     10.105.11.6     0     Routing failed to locate next hop for icmp from NP Identity Ifc:10.16.2.1/0 to 16jda:10.105.11.6/0

Can you paste your latest config here, so that everyone here can assist you?

Warm regards,
Ramraj Sivagnanam Sivajanam

timschwartz1
Level 1

Here is the current config:

Unfortunately that did not make it work.

ping 16jda 10.105.11.6 still gives the following error:

6|Aug 22 2012 06:55:23|110003: Routing failed to locate next hop for icmp from NP Identity Ifc:10.16.2.1/0 to 16jda:10.105.11.6/0

Also, for some reason, the ASDM java app freezes at the "Discovering Device Version..." stage when I try to open it. I can still ssh in though.

I have attached the current config.

Your config looks good to me. Can you confirm all those devices in inside, 16jda and 16jdc can access the internet?

Warm regards,
Ramraj Sivagnanam Sivajanam

I just checked the test device in VLAN 11 and realized that it did not have a default gateway set.

The changes you made work, thanks for the help.
