09-12-2013 10:08 AM - edited 03-11-2019 07:37 PM
Hi Everybody
I am new to ASA. We have an ASA 5505 with the Security Plus license. Please see the attachment for the configuration. What I am trying to do is route from the interface (Vlan 2 - 192.168.1.0 inside) to Internal_LAN (vlan 10 - 172.168.1.0) and vice versa.
Would it be possible to have inter-VLAN routing where both subnets could reach each other?
I would be thankful for any support.
Thanks!
09-12-2013 10:20 AM
Hello,
Add the following:
static (inside,Internal_LAN) 192.168.1.0 192.168.1.0
static (Internal_LAN,Inside) 172.168.1.0 172.168.1.0
fixup protocol icmp
Then test, and if it does not work, provide the following outputs:
packet-tracer input inside Inside icmp 192.168.1.10 8 0 172.168.1.10
packet-tracer input Internal_Lan icmp 172.168.1.10 8 0 192.168.1.10
Provide the entire outputs of both packet tracers.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-13-2013 03:53 AM
Hi Julio,
Could you explain why identity NAT would be required as the default is no nat-control and it has not been changed ?
Regards
Alain
Don't forget to rate helpful posts.
09-16-2013 11:26 AM
Hello Alain,
Sure, the thing is that there are already NAT statements in place.
And any packets going from inside to X interface will match those NAT statements.
So we need a way to let the ASA know we want that traffic not to translate itself when going to the other subnets.
We could use a NAT 0 with ACL or Static NAT.
Do you follow me?
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
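The two options Julio names, written out as pre-8.3 ASA configuration (an added example, not configuration from the thread or from Julio). It uses the interface names and subnets from the thread and the netmask the packet-tracer output later shows; the `nat (inside) 1` / `global (outside) 1` pair is an assumed stand-in for the existing NAT statements that the inside traffic would otherwise match.

```cisco
! ASSUMED stand-in for the NAT statements already in place: without an
! exemption, 192.168.1.0/24 leaving any interface matches this rule.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Option A: static identity NAT (the form the thread applied). Each network
! is translated to itself, so the ASA forwards it untouched between the VLANs.
static (inside,Internal_LAN) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Internal_LAN,inside) 172.168.1.0 172.168.1.0 netmask 255.255.255.0
!
! Option B: NAT exemption (nat 0 with an ACL). Exemption is bidirectional, so
! one statement covers flows started from either VLAN.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Pick one option. Caveat (assumption, the thread does not state the security
! levels): if both VLAN interfaces share a security level, traffic between them
! is also refused until this is enabled.
same-security-traffic permit inter-interface
!
! The thread's inside ACL is "permit ip any any"; once routing works, narrow
! inside_access_in to the flows the new VLAN actually needs so the NAT fix
! does not also flatten the segmentation between the two VLANs.
!
! Verify with the corrected packet-tracer commands from later in the thread:
! packet-tracer input inside icmp 192.168.1.10 8 0 172.168.1.10
! packet-tracer input Internal_LAN icmp 172.168.1.10 8 0 192.168.1.10
```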
09-17-2013 01:34 AM
Hi Julio,
I know about identity NAT and NAT exemption, but this is only needed when NAT control is enabled (NAT enforced), and the default is no nat-control, so there is no need for identity NAT here. Am I completely wrong, or is there something I am missing?
Regards
Alain
Don't forget to rate helpful posts.
09-16-2013 06:23 AM
In the syslog I have seen this error:
Teardown ICMP connection for faddr 192.168.1.160/10 gaddr 172.168.1.1/0 laddr 172.168.1.1/0
09-16-2013 11:27 AM
Hello Macboy,
I am still waiting for the outputs I requested.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-16-2013 12:04 PM
When I run the following command: packet-tracer input inside Inside icmp 192.168.1.10 8 0 172.168.1.10
I get the following error:
packet-tracer input inside Inside icmp 192.168.1.10 8 0 172.168.1.10
^
ERROR: % Invalid input detected at '^' marker.
09-16-2013 12:35 PM
Hello Macboy,
I am sorry, I made a typo. It should be:
packet-tracer input inside icmp 192.168.1.10 8 0 172.168.1.10
packet-tracer input Internal_Lan icmp 172.168.1.10 8 0 192.168.1.10
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-16-2013 12:56 PM
Hi
Here is the result, I appreciate your help.
Result of the command: "packet-tracer input inside icmp 192.168.1.10 8 0 172.168.1.10"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.168.1.0 255.255.255.0 Internal_LAN
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in Inside_Subnet 255.255.255.0 inside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0
match ip inside Inside_Subnet 255.255.255.0 Internal_LAN any
static translation to Inside_Subnet
translate_hits = 2, untranslate_hits = 1
Additional Information:
Static translate Inside_Subnet/0 to Inside_Subnet/0 using netmask 255.255.255.0
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,vpnnet) 192.168.3.80 JPLIS1 netmask 255.255.255.255 dns
match ip inside host JPLIS1 vpnnet any
static translation to 192.168.3.80
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 159697, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Result of the command: "packet-tracer input Internal_Lan icmp 172.168.1.10 8 0 192.168.1.10"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0
match ip inside Inside_Subnet 255.255.255.0 Internal_LAN any
static translation to Inside_Subnet
translate_hits = 2, untranslate_hits = 2
Additional Information:
NAT divert to egress interface inside
Untranslate Inside_Subnet/0 to Inside_Subnet/0 using netmask 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0
match ip inside Inside_Subnet 255.255.255.0 Internal_LAN any
static translation to Inside_Subnet
translate_hits = 2, untranslate_hits = 2
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,vpnnet) 192.168.3.80 JPLIS1 netmask 255.255.255.255 dns
match ip inside host JPLIS1 vpnnet any
static translation to 192.168.3.80
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 160881, packet dispatched to next module
Result:
input-interface: Internal_LAN
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
09-16-2013 02:14 PM
Hello Macboy,
Well the packet-tracer shows everything up and running from the ASA perspective.
Can you try the following:
1) Add the following commands (the x is the IP address of the PC you will use to send the ICMP traffic):
cap capin interface inside match icmp host 192.168.1.x host 172.168.1.x
cap capout interface Internal_Lan match icmp host 192.168.1.x host 172.168.1.x
cap asp type asp-drop all circular-buffer
2) ping from a host on the Inside interface to an internal Lan host
3) After the ping share the following
show cap capin
show cap capout
show cap asp | include 192.168.1.x
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-19-2013 10:48 AM
Thanks for the professional support. It works after adding the static you suggested earlier. I found the problem on the switch side, which was not correctly trunked with the new VLAN. Now the only thing is that with the new VLAN 172.168.1.0 I cannot get internet access. Do I need to add static (internal_lan, outside) too?
I will appreciate your feedback.
09-20-2013 10:43 AM
I am getting this message: Teardown TCP connection 1551763 for outside:95.211.37.198/80 to Internal_LAN:172.168.1.68/1655 duration 0:00:00 bytes 0 TCP Reset-O