07-09-2012 09:19 PM - edited 03-11-2019 04:28 PM
Hello,
I've been reading all over the internet (including this site) trying to figure out if the ASA can handle inter-VLAN routing. I'm not sure what I am missing in my config to get this to work. I've read that it can work and I've read that it can't work. Can someone lead me in the right direction on how to get this to work on my ASA 5505?
Here is my setup:
Cable Modem ---> ASA (eth0/0)
(eth0/2) -->unmanaged switch for LAN connectivity
(eth0/3) --> Access point for wireless LAN connectivity
My config is attached
What I would like to do is be able to communicate between vlan3 (LAN) and vlan4 (Wireless LAN).
What's strange is I can RDP between the two VLANs but I can't ping or do anything else.
Any help is appreciated!
07-17-2012 10:22 PM
I added the static nat commands below and my Vlans can now talk to the internet.
static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
Are these necessary?
07-17-2012 10:37 PM
This is weird :-) I've never seen anything like this before. Are you sure you have keyed in the command "no nat-control"?
07-18-2012 08:02 PM
Bro,
From my understanding, the ASA 5505 has nat-control disabled by default. I issued the command anyway and removed the static NAT commands, but I was still unable to access the internet. The only way internet access will work is if I have the static NAT commands.
Here is the config
ASA Version 8.2(2)
!
hostname FW01
enable password .MlTybcgwEXNF1HM encrypted
passwd .MlTybcgwEXNF1HM encrypted
names
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
description ### Link to Internet ###
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description ### Link to GUEST WIFI ###
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
description ### Link to INSIDE LAN ###
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
description ### Link to INSIDE WIFI ###
nameif insidewifi
security-level 50
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
description ### Link to Internet ###
switchport access vlan 2
!
interface Ethernet0/1
description ### Link to GUEST WIFI ###
switchport access vlan 3
!
interface Ethernet0/2
description ### Link to INSIDE LAN ###
switchport access vlan 4
!
interface Ethernet0/3
description ### Link to INSIDE WIFI ###
switchport access vlan 5
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
same-security-traffic permit inter-interface
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any
pager lines 24
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
access-group guest in interface guest
access-group inside in interface inside
access-group insidewifi in interface insidewifi
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
!
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay setroute guest
dhcprelay setroute insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ******** password PNUmTwjDhevRqhkT encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6599fa7a5e196a7dfaa544f75cd64ae7
: end
07-22-2012 01:17 PM
Hi Bro
I believe everything is working fine now. Please do paste your latest config here, so that the others could learn from your experience as well.
P.S.: If you think this comment is useful, please do rate it nicely :-)
07-22-2012 01:40 PM
Here is the working config. Many thanks to Ramraj for his assistance!!!!!
ASA Version 8.2(2)
!
hostname FW01
enable password .MlTybcgwEXNF1HM encrypted
passwd .MlTybcgwEXNF1HM encrypted
names
dns-guard
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
description ### Link to Internet ###
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description ### Link to GUEST WIFI ###
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
description ### Link to INSIDE LAN ###
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
description ### Link to INSIDE WIFI ###
nameif insidewifi
security-level 50
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
description ### Link to Internet ###
switchport access vlan 2
!
interface Ethernet0/1
description ### Link to GUEST WIFI ###
switchport access vlan 3
!
interface Ethernet0/2
description ### Link to INSIDE LAN ###
switchport access vlan 4
!
interface Ethernet0/3
description ### Link to INSIDE WIFI ###
switchport access vlan 5
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
banner exec
banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********
banner exec *
banner exec * This system is for the use of authorized users only.
banner exec * Individuals using this system are subject to having all of their
banner exec * activities on this system monitored and recorded by system
banner exec * personnel.
banner exec *
banner exec * Anyone using this system expressly consents to such monitoring
banner exec * and is advised that if such monitoring reveals possible
banner exec * evidence of criminal activity, system personnel may provide the
banner exec * evidence of such monitoring to law enforcement officials.
banner exec *
banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********
banner exec
banner exec
banner exec Name:.......FW01
banner exec Address:....**********
banner exec Location:...CST -5
ftp mode passive
clock timezone CST -5
same-security-traffic permit inter-interface
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit udp any host 172.16.1.102 eq domain
access-list guest extended permit udp any host 172.16.1.103 eq domain
access-list guest extended permit udp any any range bootps tftp
access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log
access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any
no pager
logging enable
logging list TEST level alerts
logging buffered debugging
logging mail TEST
logging from-address *firewall domain name*
logging recipient-address *enter email address here* level errors
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
ip audit name FW01-INFO info action alarm
ip audit name FW01-ATTACK attack action alarm reset
ip audit interface outside FW01-INFO
ip audit interface outside FW01-ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any guest
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group outside in interface outside
access-group guest in interface guest
access-group inside in interface inside
access-group insidewifi in interface insidewifi
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
sysopt noproxyarp outside
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
!
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay setroute guest
dhcprelay setroute insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.0.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 211.233.40.78
ntp server 61.153.197.226
ntp server 202.150.213.154 prefer
webvpn
username *username here* password PNUmTwjDhevRqhkT encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
smtp-server 173.194.79.109
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:69ead0d0578ac025238d9a7a25f48f13
07-22-2012 03:03 PM
Hello Garland,
Here is what I want you to try to make this work.
Add the following commands:
1- fixup protocol ICMP
2- static (guest,inside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0
Then try to ping from inside to guest, and backwards. If that does not work, do the following:
packet-tracer input inside icmp 172.16.1.20 8 0 172.16.10.10
packet-tracer input guest icmp 172.16.10.10 8 0 172.16.1.20
Regards,
The CSC is a free support community, take your time to rate all of the engineers' support
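As an added illustration (not code from this thread or from Cisco), here is a small Python check over a constructed ASA 8.2-style fragment modelled on the "before" state in the posts above: a dynamic nat on inside with a global only on outside, and no identity static between inside and insidewifi. It reports interface pairs where a packet would match a nat statement but the firewall has neither a global on the egress interface nor a static covering the pair, and shows the identity static clearing the report. It assumes the pre-8.3 behaviour that regular dynamic NAT (without the outside keyword) is applied only from a higher- to a lower-security interface; same-security pairs are not modelled.

```python
import re
from itertools import permutations

# Constructed fragment (not a real device config) modelled on the thread's "before" state.
BEFORE = """
interface Vlan2
 nameif outside
 security-level 0
interface Vlan4
 nameif inside
 security-level 100
interface Vlan5
 nameif insidewifi
 security-level 50
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
"""
# The identity static that the thread ended up adding.
FIX = "static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0\n"

def parse(cfg):
    """Collect security levels, nat pool ids, global pools and static pairs."""
    level, nat, glob, static, cur = {}, {}, set(), set(), None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"nameif (\S+)", line):
            cur = m.group(1)
        elif m := re.match(r"security-level (\d+)", line):
            level[cur] = int(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            nat[m.group(1)] = int(m.group(2))  # one pool id per interface is enough here
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            glob.add((m.group(1), int(m.group(2))))
        elif m := re.match(r"static \((\S+),(\S+)\)", line):
            static.add((m.group(1), m.group(2)))  # (real_ifc, mapped_ifc)
    return level, nat, glob, static

def blocked_pairs(cfg):
    """(src, dst) pairs that match a dynamic nat on src with no translation available on dst.
    Assumption: regular dynamic NAT applies only from higher to lower security level."""
    level, nat, glob, static = parse(cfg)
    bad = []
    for src, dst in permutations(level, 2):
        if level[src] <= level[dst]:
            continue  # nat (src) id is not applied in this direction
        pool = nat.get(src)
        if pool is None or pool == 0:
            continue  # no dynamic NAT, or nat 0 (identity/exemption): passes untranslated
        if (dst, pool) in glob or (src, dst) in static:
            continue  # a global on the egress interface or an identity static covers it
        bad.append((src, dst))
    return sorted(bad)
```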
10-22-2013 08:03 AM
Hello all,
I am struggling to get intervlan routing to function properly on my ASA 5505. I have a security plus license. The VLANs I am dealing with are inside, Developer, and outside.
interface Ethernet0/0
description outside
switchport access vlan 2
interface Ethernet0/2
description inside
switchport trunk allowed vlan 1,24
interface Ethernet0/6
description Wireless Access Point
switchport trunk allowed vlan 1,24
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/7
description Wireless Access Point
switchport trunk allowed vlan 1,24
switchport trunk native vlan 1
switchport mode trunk
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address nnn.nn.nn.nnn 255.255.255.0
!
interface Vlan24
nameif Developer
security-level 100
ip address 192.168.24.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list acl-inside_dev extended permit ip any any
access-list acl-Developer extended permit ip any any
access-group acl-inside_dev in interface inside
access-group acl-Developer in interface Developer
Thanks,
Shannon