Inter VLAN-Routing ASA 5505

Garland Moore
Level 1

Hello,

I've been reading all over the internet (including this site) trying to figure out if the ASA can handle inter-VLAN routing. I'm not sure what I am missing on my config to get this to work. I've read that it can work and I've read that it can't work. Can someone lead me in the right direction on how to get this to work on my ASA 5505?

Here is my setup

Cable Modem ---> ASA (eth0/0)
                     (eth0/2) --> unmanaged switch for LAN connectivity
                     (eth0/3) --> access point for wireless LAN connectivity

My config is attached

What I would like to do is be able to communicate between vlan3(LAN) and vlan4(Wireless LAN)

What's strange is I can RDP between the two VLANs but I can't ping or do anything else.

Any help is appreciated!

21 Replies

I added the static nat commands below and my Vlans can now talk to the internet.

static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

Are these necessary?

This is weird :-) I've never seen anything like this before. Are you sure you have keyed in the command "no nat-control"?

Warm regards,
Ramraj Sivagnanam Sivajanam

Bro,

From my understanding the ASA 5505 has nat control disabled by default.  I issued the command anyway, and removed the static nat commands but I was still unable to access the internet. The only way internet access will work is if I have the static NAT commands.

Here is the config

ASA Version 8.2(2)

!

hostname FW01

enable password .MlTybcgwEXNF1HM encrypted

passwd .MlTybcgwEXNF1HM encrypted

names

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan2

description ### Link to Internet ###

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

description ### Link to GUEST WIFI  ###

nameif guest

security-level 50

ip address 172.16.10.1 255.255.255.0

!

interface Vlan4

description ### Link to INSIDE LAN ###

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

!

interface Vlan5

description ### Link to INSIDE WIFI ###

nameif insidewifi

security-level 50

ip address 172.16.2.1 255.255.255.0

!

interface Ethernet0/0

description ### Link to Internet ###

switchport access vlan 2

!

interface Ethernet0/1

description ### Link to GUEST WIFI  ###

switchport access vlan 3

!

interface Ethernet0/2

description ### Link to INSIDE LAN ###

switchport access vlan 4

!

interface Ethernet0/3

description ### Link to INSIDE WIFI ###

switchport access vlan 5

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

same-security-traffic permit inter-interface

access-list inside extended permit ip any any

access-list outside extended permit ip any any

access-list guest extended permit ip any any

access-list insidewifi extended permit ip any any

pager lines 24

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu insidewifi 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (guest) 1 172.16.10.0 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.0

nat (insidewifi) 1 172.16.2.0 255.255.255.0

access-group guest in interface guest

access-group inside in interface inside

access-group insidewifi in interface insidewifi

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 172.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 172.16.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 172.16.1.102

dhcpd ping_timeout 750

!

dhcprelay server 172.16.1.102 inside

dhcprelay enable guest

dhcprelay enable insidewifi

dhcprelay setroute guest

dhcprelay setroute insidewifi

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username ******** password PNUmTwjDhevRqhkT encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:6599fa7a5e196a7dfaa544f75cd64ae7

: end
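Why the identity statics were needed at all, as an added illustration (this is not code from the thread or from Cisco): a simplified model of the ASA 8.2 NAT lookup order, static translations first, then the dynamic nat/global pair, then the no-match case that nat-control governs. The interface names, subnets, nat, global and static lines are taken from the configs in this thread; the host addresses in the sample flows are constructed. The point it reproduces is that a nat (ifname) statement which matches the source but has no global on the egress interface is a drop on 8.2 even with nat-control disabled, which is why "internet" on the wifi VLANs only worked with the statics in place: their DNS server 172.16.1.102 sits on the inside VLAN, so the resolver query itself is an insidewifi-to-inside flow (that reading of the symptom is mine, not the poster's).

```python
"""Model of the ASA 8.2 NAT lookup for a new connection.

Added example; not the ASA implementation and no substitute for
'packet-tracer' on the box. Order modelled: static before dynamic,
then the no-match case (passed untranslated unless nat-control is on).
"""
from ipaddress import ip_address, ip_network

# static (real_if,mapped_if) <net> <net> netmask ...  (identity statics from the working config)
IDENTITY_STATICS = [
    ("inside", "guest", ip_network("172.16.1.0/24")),
    ("inside", "insidewifi", ip_network("172.16.1.0/24")),
]
# nat (ifname) <id> <net> <mask>  (from both posted configs)
DYNAMIC_NAT = {
    "guest": [(1, ip_network("172.16.10.0/24"))],
    "inside": [(1, ip_network("172.16.1.0/24"))],
    "insidewifi": [(1, ip_network("172.16.2.0/24"))],
}
# global (ifname) <id> interface  -> the only global pool is on outside
GLOBALS = {("outside", 1)}


def nat_lookup(in_if, out_if, src, dst, statics, nat, globals_, nat_control=False):
    """Return (verdict, reason) for a connection entering in_if and leaving out_if."""
    s, d = ip_address(src), ip_address(dst)
    # 1. statics are consulted first and work in both directions
    for real_if, mapped_if, net in statics:
        if in_if == real_if and out_if == mapped_if and s in net:
            return "pass", f"static ({real_if},{mapped_if}) translates {s} to itself"
        if in_if == mapped_if and out_if == real_if and d in net:
            return "pass", f"static ({real_if},{mapped_if}) untranslates {d} to itself"
    # 2. a matching dynamic nat statement needs a global with the same id on the egress interface
    for nat_id, net in nat.get(in_if, []):
        if s in net:
            if (out_if, nat_id) in globals_:
                return "pass", f"nat ({in_if}) {nat_id} with global ({out_if}) {nat_id}"
            return "drop", (f"nat ({in_if}) {nat_id} matched {s} but there is no "
                            f"global ({out_if}) {nat_id}: no translation group found")
    # 3. nothing matched: forwarded untranslated unless nat-control demands a translation
    if nat_control:
        return "drop", "nat-control is enabled and no translation exists"
    return "pass", "no nat rule matched; forwarded untranslated"


def compare_flows():
    """Verdicts for constructed flows, without and with the identity statics."""
    flows = {
        "inside -> internet": ("inside", "outside", "172.16.1.20", "93.184.216.34"),
        "insidewifi -> inside DNS": ("insidewifi", "inside", "172.16.2.30", "172.16.1.102"),
        "inside -> insidewifi": ("inside", "insidewifi", "172.16.1.20", "172.16.2.30"),
        "guest -> insidewifi": ("guest", "insidewifi", "172.16.10.40", "172.16.2.30"),
    }
    results = {}
    for name, (i, o, s, d) in flows.items():
        without = nat_lookup(i, o, s, d, [], DYNAMIC_NAT, GLOBALS)[0]
        with_statics = nat_lookup(i, o, s, d, IDENTITY_STATICS, DYNAMIC_NAT, GLOBALS)[0]
        results[name] = (without, with_statics)
    return results


if __name__ == "__main__":
    for name, (before, after) in compare_flows().items():
        print(f"{name:28s} without statics: {before:5s} with statics: {after}")
```

Note that guest to insidewifi is dropped at the NAT phase in both cases, since no static covers that interface pair and there is no global (insidewifi) 1; the deny entries in the guest ACL are still worth keeping as the explicit policy. The other 8.2 idiom for the same problem is NAT exemption (nat (inside) 0 access-list ...); from 8.3 onward the nat/global/static syntax and nat-control were replaced by object NAT and this class of drop no longer occurs.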

Hi Bro

I believe everything is working fine now. Please do paste your latest config here, so that the others could learn from your experience as well.

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

Here is the working config.  Many thanks to Ramraj for his assistance!!!!!

ASA Version 8.2(2)

!

hostname FW01

enable password .MlTybcgwEXNF1HM encrypted

passwd .MlTybcgwEXNF1HM encrypted

names

dns-guard

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan2

description ### Link to Internet ###

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

description ### Link to GUEST WIFI  ###

nameif guest

security-level 50

ip address 172.16.10.1 255.255.255.0

!

interface Vlan4

description ### Link to INSIDE LAN ###

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

!

interface Vlan5

description ### Link to INSIDE WIFI ###

nameif insidewifi

security-level 50

ip address 172.16.2.1 255.255.255.0

!

interface Ethernet0/0

description ### Link to Internet ###

switchport access vlan 2

!

interface Ethernet0/1

description ### Link to GUEST WIFI  ###

switchport access vlan 3

!

interface Ethernet0/2

description ### Link to INSIDE LAN ###

switchport access vlan 4

!

interface Ethernet0/3

description ### Link to INSIDE WIFI ###

switchport access vlan 5

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

banner exec

banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********

banner exec *

banner exec *      This system is for the use of authorized users only.

banner exec *      Individuals using this system are subject to having all of their

banner exec *      activities on this system monitored and recorded by system

banner exec *      personnel.

banner exec *

banner exec *      Anyone using this system expressly consents to such monitoring

banner exec *      and is advised that if such monitoring reveals possible

banner exec *      evidence of criminal activity, system personnel may provide the

banner exec *      evidence of such monitoring to law enforcement officials.

banner exec *

banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********

banner exec

banner exec

banner exec Name:.......FW01

banner exec Address:....**********

banner exec Location:...CST -5

ftp mode passive

clock timezone CST -5

same-security-traffic permit inter-interface

access-list inside extended permit ip any any

access-list outside extended permit ip any any

access-list guest extended permit udp any host 172.16.1.102 eq domain

access-list guest extended permit udp any host 172.16.1.103 eq domain

access-list guest extended permit udp any any range bootps tftp

access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log

access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log

access-list guest extended permit ip any any

access-list insidewifi extended permit ip any any

no pager

logging enable

logging list TEST level alerts

logging buffered debugging

logging mail TEST

logging from-address *firewall domain name*

logging recipient-address *enter email address here* level errors

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu insidewifi 1500

ip audit name FW01-INFO info action alarm

ip audit name FW01-ATTACK attack action alarm reset

ip audit interface outside FW01-INFO

ip audit interface outside FW01-ATTACK

ip audit signature 2000 disable

ip audit signature 2001 disable

ip audit signature 2004 disable

ip audit signature 2005 disable

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo-reply outside

icmp permit any guest

icmp permit any inside

icmp permit any insidewifi

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (guest) 1 172.16.10.0 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.0

nat (insidewifi) 1 172.16.2.0 255.255.255.0

static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

access-group outside in interface outside

access-group guest in interface guest

access-group inside in interface inside

access-group insidewifi in interface insidewifi

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 172.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

fragment chain 1 outside

sysopt noproxyarp outside

service resetoutside

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 172.16.1.0 255.255.255.0 inside

ssh timeout 60

console timeout 0

management-access inside

dhcpd dns 172.16.1.102

dhcpd ping_timeout 750

!

dhcprelay server 172.16.1.102 inside

dhcprelay enable guest

dhcprelay enable insidewifi

dhcprelay setroute guest

dhcprelay setroute insidewifi

dhcprelay timeout 60

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.0.0

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 211.233.40.78

ntp server 61.153.197.226

ntp server 202.150.213.154 prefer

webvpn

username *username here* password PNUmTwjDhevRqhkT encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

smtp-server 173.194.79.109

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:69ead0d0578ac025238d9a7a25f48f13
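The guest ACL in the working config is the part that actually enforces the guest/inside split, and its behaviour depends entirely on ACE order. As an added check (not code from the thread or from Cisco), here is a small first-match evaluator fed with the six access-list guest lines exactly as posted; the ASA stops at the first matching entry and applies the implicit deny at the end. The guest client address and the flows are constructed test inputs. This is an offline approximation of what packet-tracer reports in its ACCESS-LIST phase; the box itself remains the authoritative check.

```python
"""First-match evaluation of the 'access-list guest' entries from the config above.

Added example, not ASA code: parses the subset of extended-ACE syntax the
guest ACL uses (any / host / network mask, eq / range) and walks the list
top-down the way the ASA does, ending in the implicit deny.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Port names used in the ACL (a subset of the ASA's well-known names).
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69, "www": 80, "https": 443}
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dports: Optional[Tuple[int, int]]  # inclusive destination port range, or None
    log: bool = False


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ...' line."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = tok[3], tok[4]

    def addr(i: int) -> Tuple[IPv4Network, int]:
        if tok[i] == "any":
            return ANY, i + 1
        if tok[i] == "host":
            return ip_network(tok[i + 1]), i + 2          # single host -> /32
        return ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2  # network + netmask

    src, i = addr(5)
    dst, i = addr(i)
    dports = None
    if i < len(tok) and tok[i] == "eq":
        dports, i = (_port(tok[i + 1]),) * 2, i + 2
    elif i < len(tok) and tok[i] == "range":
        dports, i = (_port(tok[i + 1]), _port(tok[i + 2])), i + 3
    return Ace(action, proto, src, dst, dports, "log" in tok[i:])


def evaluate(acl, proto, src, dst, dport=None):
    """Return (ace_number, action) of the first matching entry,
    or (None, 'deny') for the implicit deny at the end of every ASA ACL."""
    s, d = ip_address(src), ip_address(dst)
    for n, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dports and (dport is None or not ace.dports[0] <= dport <= ace.dports[1]):
            continue
        return n, ace.action
    return None, "deny"


# The six entries copied from the working config, in the order they appear there.
GUEST_ACL = [parse_ace(line) for line in """
access-list guest extended permit udp any host 172.16.1.102 eq domain
access-list guest extended permit udp any host 172.16.1.103 eq domain
access-list guest extended permit udp any any range bootps tftp
access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log
access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log
access-list guest extended permit ip any any
""".strip().splitlines()]


def check_guest_isolation():
    """Constructed flows from a guest client, all entering the guest interface."""
    g = "172.16.10.50"
    return {
        "dns_udp_to_inside_server": evaluate(GUEST_ACL, "udp", g, "172.16.1.102", 53),
        "dns_tcp_to_inside_server": evaluate(GUEST_ACL, "tcp", g, "172.16.1.102", 53),
        "rdp_to_inside_host": evaluate(GUEST_ACL, "tcp", g, "172.16.1.50", 3389),
        "tftp_to_inside_server": evaluate(GUEST_ACL, "udp", g, "172.16.1.102", 69),
        "ping_insidewifi_host": evaluate(GUEST_ACL, "icmp", g, "172.16.2.30"),
        "https_to_internet": evaluate(GUEST_ACL, "tcp", g, "93.184.216.34", 443),
    }


if __name__ == "__main__":
    for name, (n, action) in check_guest_isolation().items():
        print(f"{name:26s} -> {action} (ACE {n if n else 'implicit'})")
```

Two things the walk makes visible. The "range bootps tftp" entry spans UDP 67 to 69, so it also permits TFTP (69) into 172.16.1.0/24 ahead of the deny; if only DHCP was intended, "range bootps bootpc" or "eq bootps" is the tighter form. And the DNS permits are UDP only, so a TCP/53 query to the same server falls through to the deny; that is fine for most clients but worth knowing when large answers or zone transfers are in play. The numbers returned line up with the line numbers shown by "show access-list guest", which is also where the "log" keyword's hit counts appear.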

Hello Garland,

Here is what I want you to try to make this work:

Add the following commands

1- fixup protocol icmp

2- static (guest,inside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0

Then try to ping from inside to guest, and backwards. If that does not work, do the following:

packet-tracer input inside icmp 172.16.1.20 8 0 172.16.10.10

packet-tracer input guest icmp 172.16.10.10 8 0 172.16.1.20

Regards,

The CSC is a free support community, take your time to rate all of the engineers support

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mach825
Level 1

Hello all,

I am struggling to get intervlan routing to function properly on my ASA 5505.  I have a security plus license.  The VLANs I am dealing with are inside, Developer, and outside. 

interface Ethernet0/0

description outside

switchport access vlan 2

interface Ethernet0/2

description inside

switchport trunk allowed vlan 1,24

interface Ethernet0/6

description Wireless Access Point

switchport trunk allowed vlan 1,24

switchport trunk native vlan 1

switchport mode trunk

!

interface Ethernet0/7

description Wireless Access Point

switchport trunk allowed vlan 1,24

switchport trunk native vlan 1

switchport mode trunk

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address nnn.nn.nn.nnn 255.255.255.0

!

interface Vlan24

nameif Developer

security-level 100

ip address 192.168.24.1 255.255.255.0

!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

!

access-list acl-inside_dev extended permit ip any any

access-list acl-Developer extended permit ip any any

access-group acl-inside_dev in interface inside

access-group acl-Developer in interface Developer

Thanks,

Shannon
