CISCO ASA 5505 Routing between VLANs

macboy276
Level 1

Hi Everybody,

I am new to ASA. We have an ASA 5505 with a Security Plus license. Please see the attachment for the configuration. What I am trying to do is route from the inside interface (Vlan 2 - 192.168.1.0) to Internal_LAN (Vlan 10 - 172.168.1.0) and vice versa.

Would it be possible to have inter-VLAN routing where both subnets can reach each other?

I would be thankful for any support.

Thanks!

1 Accepted Solution


Julio Carvajal
VIP Alumni

Hello,

Add the following:

static (inside,Internal_LAN) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (Internal_LAN,inside) 172.168.1.0 172.168.1.0 netmask 255.255.255.0

fixup protocol icmp

Then test, and if it does not work, provide the following outputs:

packet-tracer input inside Inside icmp 192.168.1.10 8 0 172.168.1.10

packet-tracer input Internal_Lan icmp 172.168.1.10 8 0 192.168.1.10

Provide the entire outputs of both packet tracers.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


12 Replies


Hi Julio,

Could you explain why identity NAT would be required, as the default is no nat-control and it has not been changed?

Regards

Alain

Don't forget to rate helpful posts.

Hello Alain,

Sure, the thing is that there are already NAT statements in place.

And any packets going from inside to X interface will match those NAT statements.

So we need a way to let the ASA know we want that traffic not to translate itself when going to the other subnets.

We could use a NAT 0 with ACL or Static NAT.

Do you follow me?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
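
Since the thread argues this point, here is an added illustration (written for this page, not code from the posts or from Cisco) of the pre-8.3 NAT rule-selection order as Julio describes it: NAT exemption first, then static rules in configuration order, then a matching nat statement that must find a global with the same id on the egress interface, and only when nothing matches does nat-control decide. The existing nat (inside) 1 / global (outside) 1 pair, the identity statics from the accepted answer and the test addresses are assumed from the thread. The model only covers rule selection for the initiating packet (the NAT phase in packet-tracer), not the UN-NAT and rpf-check phases, and it is a model of the documented behaviour, not the ASA itself.

```python
# Added example for this thread (not code from the posts or from Cisco): a
# simplified model of how a pre-8.3 ASA picks a NAT rule for the first packet
# of a flow, in the documented order. The nat/global pair, the identity statics
# and the test addresses are assumed from the thread.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Exempt:            # nat (ifc) 0 access-list <acl>: never translate
    ifc: str
    src: str
    dst: str


@dataclass
class Static:            # static (real_ifc,mapped_ifc) mapped real netmask <m>
    real_ifc: str
    mapped_ifc: str
    mapped: str
    real: str


@dataclass
class Dynamic:           # nat (ifc) <id> <real_net> <mask>
    ifc: str
    nat_id: int
    real: str


@dataclass
class Global:            # global (ifc) <id> interface
    ifc: str
    nat_id: int


@dataclass
class AsaNat:
    nat_control: bool = False
    exempts: list = field(default_factory=list)
    statics: list = field(default_factory=list)
    dynamics: list = field(default_factory=list)
    globals_: list = field(default_factory=list)

    def classify(self, in_ifc, out_ifc, src, dst) -> str:
        """exempt | identity | static | dynamic | untranslated | drop-*"""
        s, d = ip_address(src), ip_address(dst)
        # 1. NAT exemption is evaluated first and wins outright.
        for e in self.exempts:
            if e.ifc == in_ifc and s in ip_network(e.src) and d in ip_network(e.dst):
                return "exempt"
        # 2. static NAT in configuration order; mapped == real is identity NAT.
        for st in self.statics:
            if (st.real_ifc == in_ifc and st.mapped_ifc == out_ifc
                    and s in ip_network(st.real)):
                return "identity" if st.mapped == st.real else "static"
        # 3. dynamic NAT: a matching nat statement must find a global with the
        #    same id on the egress interface, otherwise the packet is dropped
        #    (the "No translation group found" case, syslog 305005).
        for dy in self.dynamics:
            if dy.ifc == in_ifc and s in ip_network(dy.real):
                if any(g.ifc == out_ifc and g.nat_id == dy.nat_id for g in self.globals_):
                    return "dynamic"
                return "drop-no-global"
        # 4. nothing matched: only nat-control turns that into a drop.
        return "drop-nat-control" if self.nat_control else "untranslated"


def thread_asa(with_identity_static: bool) -> AsaNat:
    """The thread's situation: an existing nat/global pair for Internet access
    (assumed), optionally plus the identity statics from the accepted answer."""
    asa = AsaNat(nat_control=False)
    asa.dynamics.append(Dynamic("inside", 1, "0.0.0.0/0"))
    asa.globals_.append(Global("outside", 1))
    if with_identity_static:
        asa.statics.append(Static("inside", "Internal_LAN", "192.168.1.0/24", "192.168.1.0/24"))
        asa.statics.append(Static("Internal_LAN", "inside", "172.168.1.0/24", "172.168.1.0/24"))
    return asa


def thread_flows(with_identity_static: bool) -> dict:
    """Classify the three flows of interest through thread_asa()."""
    asa = thread_asa(with_identity_static)
    return {
        "inside->Internal_LAN": asa.classify("inside", "Internal_LAN", "192.168.1.10", "172.168.1.10"),
        "Internal_LAN->inside": asa.classify("Internal_LAN", "inside", "172.168.1.10", "192.168.1.10"),
        # 198.51.100.7 is a documentation address standing in for an Internet host
        "inside->outside": asa.classify("inside", "outside", "192.168.1.10", "198.51.100.7"),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("identity statics", "present:" if flag else "absent:", thread_flows(flag))
```

Run it to see the inside-to-Internal_LAN flow go from drop-no-global to identity once the statics are present, while the inside-to-outside flow hits dynamic NAT either way; on the real box the first case is where you would expect the 305005 syslog.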

Hi Julio,

I know about identity NAT and NAT exemption, but this is only needed when NAT control is enabled (NAT enforced), and the default is no nat-control, so there should be no need for identity NAT here. Am I completely wrong, or is there something I am missing?

Regards

Alain

Don't forget to rate helpful posts.

In syslog I have seen this error:

Teardown ICMP connection for faddr 192.168.1.160/10 gaddr 172.168.1.1/0 laddr 172.168.1.1/0

Hello Macboy,

I am still waiting for the outputs I requested.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

           

When I run the following command: packet-tracer input inside Inside icmp 192.168.1.10 8 0 172.168.1.10

I get the following error:

packet-tracer input inside Inside icmp 192.168.1.10 8 0 172.168.1.10

                            ^

ERROR: % Invalid input detected at '^' marker.

Hello Macboy,

I am sorry, I made a typo. It should be:

packet-tracer input inside icmp 192.168.1.10 8 0 172.168.1.10

packet-tracer input Internal_Lan icmp 172.168.1.10 8 0 192.168.1.10

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi

Here is the result, I appreciate your help.

Result of the command: "packet-tracer input inside icmp 192.168.1.10 8 0 172.168.1.10"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.168.1.0     255.255.255.0   Internal_LAN

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   Inside_Subnet   255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0
  match ip inside Inside_Subnet 255.255.255.0 Internal_LAN any
    static translation to Inside_Subnet
    translate_hits = 2, untranslate_hits = 1
Additional Information:
Static translate Inside_Subnet/0 to Inside_Subnet/0 using netmask 255.255.255.0

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,vpnnet) 192.168.3.80 JPLIS1 netmask 255.255.255.255 dns
  match ip inside host JPLIS1 vpnnet any
    static translation to 192.168.3.80
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 159697, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Result of the command: "packet-tracer input Internal_Lan icmp 172.168.1.10 8 0 192.168.1.10"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0
  match ip inside Inside_Subnet 255.255.255.0 Internal_LAN any
    static translation to Inside_Subnet
    translate_hits = 2, untranslate_hits = 2
Additional Information:
NAT divert to egress interface inside
Untranslate Inside_Subnet/0 to Inside_Subnet/0 using netmask 255.255.255.0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0
  match ip inside Inside_Subnet 255.255.255.0 Internal_LAN any
    static translation to Inside_Subnet
    translate_hits = 2, untranslate_hits = 2
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,vpnnet) 192.168.3.80 JPLIS1 netmask 255.255.255.255 dns
  match ip inside host JPLIS1 vpnnet any
    static translation to 192.168.3.80
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 160881, packet dispatched to next module

Result:
input-interface: Internal_LAN
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
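
Two traces of this length are easier to compare programmatically than by eye. Added example (not code from the thread or from Cisco): a small parser for packet-tracer output that splits it into phases and reports the verdict, the egress interface of each route lookup, the NAT rules that fired and the first phase that did not ALLOW. The embedded SAMPLE is an abridged copy of the first trace above; the habit worth having is to check the route-lookup interface against the summary's output-interface and to confirm the NAT rule you expected actually matched, rather than stopping at "Action: allow".

```python
# Added example for this thread (not code from the posts or from Cisco): parse
# packet-tracer output into phases and pull out what to check first. SAMPLE is
# an abridged copy of the first trace above (phases 2 and 9, final Result block).
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)


def parse_packet_tracer(text: str):
    """Return (phases, summary); summary is the trailing 'Result:' block."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur, section = Phase(int(m.group(1))), None
            phases.append(cur)
        elif line == "Result:":             # bare "Result:" opens the summary
            cur, section = None, "summary"
        elif section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif cur is None:                   # banner text before the first phase
            continue
        elif line.startswith("Type:"):
            cur.type = line[5:].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line[8:].strip()
        elif line.startswith("Result:"):
            cur.result = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            cur.config.append(line.strip())
        elif section == "info":
            cur.info.append(line.strip())
    return phases, summary


def review(phases, summary) -> dict:
    """Verdict and interfaces, egress interface of each route lookup, the NAT
    rules that fired, and the first phase that did not ALLOW (None if all did)."""
    blocked = [p for p in phases if p.result != "ALLOW"]
    return {
        "action": summary.get("Action"),
        "in": summary.get("input-interface"),
        "out": summary.get("output-interface"),
        "drop_reason": summary.get("Drop-reason"),
        "route_ifcs": [p.info[0].split()[-1] for p in phases
                       if p.type == "ROUTE-LOOKUP" and p.info],
        "nat_rules": [p.config[0] for p in phases
                      if p.type in ("NAT", "UN-NAT") and p.config],
        "first_block": f"{blocked[0].number}:{blocked[0].type}" if blocked else None,
    }


SAMPLE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.168.1.0     255.255.255.0   Internal_LAN

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0
  match ip inside Inside_Subnet 255.255.255.0 Internal_LAN any
    static translation to Inside_Subnet
    translate_hits = 2, untranslate_hits = 1
Additional Information:
Static translate Inside_Subnet/0 to Inside_Subnet/0 using netmask 255.255.255.0

Result:
input-interface: inside
output-interface: inside
Action: allow
"""

if __name__ == "__main__":
    for key, value in review(*parse_packet_tracer(SAMPLE)).items():
        print(f"{key}: {value}")
```

Feed it the full output of both traces above and diff the two dicts; a DROP phase shows up as first_block together with the Drop-reason line from the summary.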

Hello Macboy,

Well, the packet-tracer shows everything up and running from the ASA's perspective.

Can you try the following:

1) Add the following commands (the X's are the IP addresses of the PCs you will use to send the ICMP traffic):

cap capin interface inside match icmp host 192.168.1.x host 172.168.1.x

cap capout interface Internal_Lan match icmp host 192.168.1.x host 172.168.1.x

cap asp type asp-drop all circular-buffer

2) Ping from a host on the inside interface to an Internal_LAN host.

3) After the ping, share the following:

show cap capin

show cap capout

show cap asp | include 192.168.1.x

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the professional support. It works after adding the static you suggested earlier. I found the problem on the switch side, which was not correctly trunked with the new VLAN. Now the only thing is that with the new VLAN 172.168.1.0 I cannot get Internet access. Do I need to add static (Internal_LAN,outside) too?

I will appreciate your feedback.

I am getting this message:

Teardown TCP connection 1551763 for outside:95.211.37.198/80 to Internal_LAN:172.168.1.68/1655 duration 0:00:00 bytes 0 TCP Reset-O
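
The two syslog lines quoted in this thread are the kind of thing to parse rather than eyeball. Added example (not from the thread or from Cisco): a parser for ASA 302014 (TCP) and 302021 (ICMP) teardown messages that flags TCP connections reset with zero bytes and zero duration, which is the pattern in the last message. SAMPLE_LINES are the two lines quoted above; the field meanings follow the ASA syslog format (faddr/gaddr/laddr for foreign, mapped and real address; Reset-O for a reset that came from the outside side). One caveat for anyone copying this addressing plan: 172.168.1.0/24 is not RFC 1918 space (that block is 172.16.0.0/12), so the new VLAN is numbered from publicly routable addresses.

```python
# Added example for this thread (not code from the posts or from Cisco): parse
# the two ASA teardown syslog lines quoted above and flag TCP connections torn
# down by a reset before any byte moved. SAMPLE_LINES are copied from the thread.
import re
from dataclasses import dataclass
from typing import Optional

# %ASA-6-302014 shape: Teardown TCP connection <id> for <ifc>:<ip>/<port> to
# <ifc>:<ip>/<port> duration h:mm:ss bytes <n> [<reason>]
TCP_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<ifc_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<ifc_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>\S.*))?$"
)
# %ASA-6-302021 shape: faddr = foreign host, gaddr = mapped (global) address,
# laddr = real (local) address; gaddr == laddr means no translation applied.
ICMP_RE = re.compile(
    r"Teardown ICMP connection for faddr (?P<faddr>[\d.]+)/(?P<fid>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gid>\d+) laddr (?P<laddr>[\d.]+)/(?P<lid>\d+)"
)


@dataclass
class Teardown:
    proto: str
    conn_id: Optional[int]
    a: str                      # "ifc:ip/port" (TCP) or "ip/id" (ICMP)
    b: str
    duration_s: Optional[int]
    bytes: Optional[int]
    reason: Optional[str]       # e.g. "TCP Reset-O", "TCP FINs", "SYN Timeout"
    translated: Optional[bool]  # ICMP only: gaddr differs from laddr


def parse_teardown(line: str) -> Optional[Teardown]:
    line = line.strip()
    m = TCP_RE.search(line)             # search(): a leading %ASA-6-302014: tag is fine
    if m:
        dur = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        return Teardown("TCP", int(m["conn"]),
                        f"{m['ifc_a']}:{m['ip_a']}/{m['port_a']}",
                        f"{m['ifc_b']}:{m['ip_b']}/{m['port_b']}",
                        dur, int(m["bytes"]), m["reason"], None)
    m = ICMP_RE.search(line)
    if m:
        return Teardown("ICMP", None, f"{m['faddr']}/{m['fid']}",
                        f"{m['laddr']}/{m['lid']}", None, None, None,
                        m["gaddr"] != m["laddr"])
    return None


def is_immediate_reset(t: Optional[Teardown]) -> bool:
    """TCP teardown with zero bytes and zero seconds ended by a reset: the
    peer refused the connection before any data moved. Clusters of these
    right after a NAT or routing change point at the change, not the peer."""
    return (t is not None and t.proto == "TCP" and t.bytes == 0
            and t.duration_s == 0 and (t.reason or "").startswith("TCP Reset"))


def flagged_connections(lines) -> list:
    """Connection ids of every immediate-reset teardown in the given lines."""
    return [t.conn_id for t in map(parse_teardown, lines) if is_immediate_reset(t)]


SAMPLE_LINES = [
    "Teardown ICMP connection for faddr 192.168.1.160/10 gaddr 172.168.1.1/0 laddr 172.168.1.1/0",
    "Teardown TCP connection 1551763 for outside:95.211.37.198/80 to "
    "Internal_LAN:172.168.1.68/1655 duration 0:00:00 bytes 0 TCP Reset-O",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_teardown(line))
    print("immediate resets:", flagged_connections(SAMPLE_LINES))
```

Point it at a syslog export and group the flagged connection ids by destination interface: a burst of zero-byte resets on one interface after a change narrows the search considerably.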
