Inter-Vlan Routing

vince1327
Level 1

Hello Everyone,

I'm running into what seems like a simple issue, however I can't seem to figure out the solution. I've got an ASA 5505 with a Sec Plus license. The current setup uses the following two VLANs (inside-data, outside-data) for internet access; however, we will soon be adding a VoIP system and I've created the VLANs inside-voip and outside-voip for this. We will eventually be given a static IP for our SIP that will be assigned to outside-voip, however I need inside-data and inside-voip to be able to communicate. I've been researching inter-VLAN routing but haven't had any luck making these two talk. Any help or pointers would be greatly appreciated! I've reverted to my previous running configuration and posted my running-config below.

Thanks

ASA Version 8.2(5)
!
hostname ASA-5505
enable password *** encrypted
passwd *** encrypted
names
name 111.111.111.199 Webserver description Webserver
name 111.111.111.221 SMTP description Barracuda
name 111.111.111.50 Exchange
name 111.111.111.111 PC-Josh
name 111.111.111.48 BlueIris
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 4
!
interface Ethernet0/2
 switchport access vlan 1
!
interface Ethernet0/3
 switchport access vlan 1
!
interface Ethernet0/4
 switchport access vlan 1
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside-data
 security-level 100
 ip address 111.111.111.1 255.255.255.0
!
interface Vlan2
 nameif outside-data
 security-level 0
 ip address *.*.*.* 255.255.255.252
!
interface Vlan3
 description inside-voip
 nameif inside-voip
 security-level 100
 ip address 111.111.112.1 255.255.255.0
!
interface Vlan4
 description outside-voip
 nameif outside-voip
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
clock timezone EST -5
dns domain-lookup inside-data
dns domain-lookup outside-data
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network Webserver
object-group service VNC tcp
 port-object eq *
object-group service BlueIris
 service-object tcp eq *
access-list acl-outside extended permit tcp any interface outside-data eq www
access-list acl-outside extended permit tcp any interface outside-data eq smtp
access-list acl-outside extended permit tcp any interface outside-data eq imap4
access-list acl-outside extended permit tcp any interface outside-data eq pop3
access-list acl-outside extended permit tcp any interface outside-data object-group VNC
access-list acl-outside extended permit tcp any interface outside-data eq https
access-list acl-outside extended permit object-group BlueIris any interface outside-data
access-list acl-inside extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 111.111.111.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip any 111.111.111.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 111.111.111.64 255.255.255.224
access-list Split_Tunnel_List remark Network behind ASA
access-list Split_Tunnel_List standard permit 111.111.111.0 255.255.255.0
pager lines 24
logging enable
logging asdm notifications
mtu inside-data 1500
mtu outside-data 1500
mtu inside-voip 1500
mtu outside-voip 1500
ip local pool VPN-Pool 111.111.111.65-111.111.111.80 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside-data) 1 interface
global (outside-data) 10 interface
global (inside-voip) 1 111.111.112.2-111.111.112.254 netmask 255.255.255.0
nat (inside-data) 0 access-list inside_nat0_outbound
nat (inside-data) 10 111.111.111.0 255.255.255.0
static (inside-data,outside-data) tcp interface www Webserver www netmask 255.255.255.255
static (inside-data,outside-data) tcp interface smtp SMTP smtp netmask 255.255.255.255
static (inside-data,outside-data) tcp interface imap4 Exchange imap4 netmask 255.255.255.255
static (inside-data,outside-data) tcp interface pop3 Exchange pop3 netmask 255.255.255.255
static (inside-data,inside-data) tcp interface 5900 PC-Josh 5900 netmask 255.255.255.255
static (inside-data,outside-data) tcp interface https Exchange https netmask 255.255.255.255
static (inside-data,outside-data) tcp interface 65513 BlueIris 65513 netmask 255.255.255.255
static (inside-data,inside-voip) 111.111.111.0 111.111.111.0 netmask 255.255.255.255
static (inside-voip,inside-data) 111.111.112.0 111.111.112.0 netmask 255.255.255.255
access-group acl-inside in interface inside-data
access-group acl-outside in interface outside-data
route outside-data 0.0.0.0 0.0.0.0 *.*.*.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Users protocol ldap
aaa-server Users (inside-data) host 111.111.111.46
 ldap-base-dn dc=***,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=***,DC=com
 server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 111.111.111.0 255.255.255.0 inside-data
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside-data
crypto isakmp enable outside-data
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 1
telnet timeout 5
ssh 111.111.111.0 255.255.255.0 inside-data
ssh timeout 5
console timeout 0
dhcpd dns 111.111.111.46 111.111.111.54
!
dhcpd address 111.111.111.30-111.111.111.45 inside-data
dhcpd dns 111.111.111.46 111.111.111.54 interface inside-data
dhcpd enable inside-data
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy Remote internal
group-policy Remote attributes
 dns-server value 111.111.111.46 111.111.111.54
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
username chfire password X0.FSIdiATUxgDxj encrypted privilege 15
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
 address-pool VPN-Pool
 authentication-server-group Users
 default-group-policy Remote
tunnel-group -Remote ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ee2ddd9e1e79507330a8fc94c40e0649
: end


Jouni Forss
VIP Alumni

Hi,

You should take a "packet-tracer" output from the firewall for the traffic that is not working so we see what rules/configurations the ASA applies to it.

Although it does seem that the traffic should pass as you have Static Identity NAT configured.

packet-tracer input inside-data tcp 12345

I am also kind of wondering how your 2 WAN link setup will work. You won't be able to have 2 default routes active at the same time. I imagine connections formed inbound from the ISP link that doesn't hold the active route might work, but outbound connections from your network should only use the ISP link with the active default route.

Naturally if you have specific routes configured for the ISP link with no active default route then outbound connection forming through that ISP should work.

I am actually not sure which default route will be active when you have one statically configured and one coming through DHCP. I would imagine the one configured statically on the ASA would win, but I am not 100% sure.

If you were running newer software levels you would be able to use NAT to effectively have the DATA and VOIP use separate ISP link for all outbound traffic.

- Jouni

Hello,

Thanks for the help, I've actually got it running with some ACL and NAT, maybe half an hour after the question was approved for posting, haha. With the dual WAN setup, I was going to set up Eth0/0 and Eth0/1 as two separate static IPs, one to provide connectivity for the data-inside VLAN and one for the voip-inside VLAN. I didn't realize the ASA was limited in this regard; however, I've found a few posts on the forums agreeing with you and a few disagreeing with you as well. I'm really hoping this will work, as our ISP will be providing a second static IP to use for SIP.

Thanks

Vince

Hi,

There would be no problem if you had a single ISP link and that same ISP just provided an extra IP address and routed it towards your ASA's current external public IP address.

If you have 2 actual physical ISP connections at your site then you will run into the problems that I mentioned.

It seems to me that you have configured DHCP on the new external interface, so I am thinking it's a totally separate WAN connection / ISP link?

- Jouni

Hello,

Sorry to confuse, it's configured as DHCP and down at the moment because our ISP hasn't provided us the new static just yet; I've just left it in that configuration for the moment. As for the two static IPs, we have a fibre line and the ISP is provisioning a VLAN for us comprised of a Data and SIP segment. We have a single "modem" which I will be connecting to a switch supporting 802.1q tagging, and I'm planning to split those two segments into two separate ports on the switch, and then use those access ports to feed Eth0/0 and Eth0/1 on the ASA. Essentially it saves me from having to deal with the trunking on the ASA itself. Hopefully this makes a bit more sense and can shed some light on any problems that I might run into.

Thanks Again!

Hi,

So if I understood you correctly, the connection from the ISP is a trunk to your device, which also has a trunk to a switch, which then has an access port for both VLANs (Data & Voice external) that are both connected to the ASA, and the ISP provides a public IP address for each VLAN and those public IP addresses will be configured on the ASA?

If the above is correct then the problem remains.

The only easily implemented 2 ISP link setup (to my knowledge or that I can remember) is where the ISP links are configured to fail over (I don't mean device failover). One ISP is active (and holds the default route out) and it is monitored, and when it fails the other ISP will be used for connections for the time the main ISP link is down.

Virtualizing the ASA is sometimes an option also, but your model doesn't support Multiple Context mode to my understanding.

If ALL traffic regarding to the Voice was initiated from the external network then there probably would be no problems. I assume though that you need to connect also from the internal Voice network through the external Voice interface on the ASA. And this is where it gets tricky.

If there was only certain public destination IP addresses to which the Voice section of the network needed to connect then you could simply route those destination IP addresses through the Voice external interface on the ASA. However this usually is not the case.

In the newer software (8.3 and above) you would be able to manipulate the traffic a lot better because of the completely changed NAT configuration format. You could essentially define the Data LAN network to only use the Data external ISP link and the Voice LAN network to only use the Voice external ISP link. Though this solution is something Cisco doesn't recommend, and I would personally be hesitant to suggest it also since I don't know if there are some possible problems in the long run (that you don't run into in lab environments). (We handle 2 ISP setups with routers in front of ASA firewalls.)

- Jouni

Is there any solution you would suggest? We only really have an ASA 5505 and 3548XL at our disposal for this. I was under the assumption that you could just create two default routes in the routing table and assign them to each VLAN respectively. Would it make any difference if I were to handle the trunks internally in the ASA rather than split them at the switch?

Thanks

Hi,

If the ASA has 2 interfaces and both have a default route configured for them, then only one of those default routes will be in use. So the ASA without any tricks will only use one interface for outbound traffic according to the default route.

The trick we need is to use NAT to first force the egress interface for the traffic based on its source and destination IP address. When the egress interface is chosen by the ASA, then it will use that interface's routes. And in that case even a lower-value default route could be applied for the traffic, even though without the NAT tricks it wouldn't ever be used.

I would personally just have a single ISP link on the ASA and request the ISP to provide the needed public IP addresses for that interface. Then there would only be a single default route and nothing special would be required configuration-wise. Both internal networks could be NATed to a different public IP address.

If that is not an option then I don't really see any other option with the ASA 5505 other than to upgrade it to new software and use the NAT to get the desired results.

Whether you trunk the VLANs directly to the ASA or have 2 different VLANs on the ASA and access ports for them doesn't change the fact that you will still have 2 VLAN interfaces on the ASA that both would need to forward traffic to any destination address (hold the default route).

- Jouni

Hello,

Our ISP is providing a single physical link, with trunking to allow for the 2 VLANs (voice and data) to exist. Each one will have its own static IP. When you mentioned that you would want a single ISP link and then request the ISP to provide the needed public IPs, how would this be done (forgive me if that question sounds silly)? What I don't understand is why the ASA won't just allow me to set the proper NAT for each interface, a default route for each interface, and then go?

Hi,

The problems come from the fact that the ASA has one global routing table, 2 ISP links, and both have a default route.

So essentially when the traffic comes from behind a LAN interface and is targeting some external IP address, the ASA will forward the packet according to the route lookup and will only use the one external interface holding the default route.

In your software the NAT configuration doesn't really give the same options to choose which interface the packet is forwarded out of. It's forwarded according to the routing table. I think there are some configurations to do similar things in the old software, but I don't think they enabled you to actually forward ALL traffic from one LAN to one ISP and ALL traffic from another LAN to another ISP.

In the new software you have an option to disable the typical route lookup done by the ASA at the start and use the NAT configuration to determine the egress interface. This is the thing that enables you to use both of the default routes. In some newer software it seemed to have problems and some additional measures in the NAT configuration were required to get the ASA to perform as required.

You can easily confirm how the ASA behaves and forwards the traffic when you use the "packet-tracer" command in the CLI of the ASA.

If you had both the ISP links and LANs active you could then confirm what happens to the traffic from each LAN when connecting towards some external IP address.

packet-tracer input inside-voip tcp 12345 8.8.8.8 80

packet-tracer input inside-data tcp 12345 8.8.8.8 80

You can see what output interface is chosen, you can see what ACL rule is applied, you can see what NAT/PAT is applied, among other things.

- Jouni

Hi,

I'll check with our Cisco rep to see if we're eligible for an IOS update as the unit is almost brand-new; it sounds like it'll make life a lot easier. Thanks for the explanation, it makes a lot of sense now. It's unfortunate that there's this limitation, but I'll see what we can do. In the meantime, I'll see if our ISP can provision that second VLAN a bit quicker so that I can do some tests with the second static IP and packet-tracer.

Thanks for all of your help, I'll post any results!!!

Hello Jouni,

This post mentions the limitation of a single default route as well; however, it also mentions that I can have a second external network configured and active, as long as I set up a static route. Is this possible?

https://supportforums.cisco.com/thread/2174976

Thanks!

Hi,

If you only need to reach certain networks through the external VOIP/Voice interface of the ASA and know those network ranges, then you can naturally configure static routes for them on the VOIP/Voice external interface, and connections will use that ISP link because they are more specific routes than the default route.

I also mentioned this in the first reply:

Naturally if you have specific routes configured for the ISP link with no active default route then outbound connection forming through that ISP should work.

Though I should add to that the outbound connections will work for those destination networks which you have routed towards the VOIP/Voice external interface on the ASA. The specific routes will naturally also mean that traffic from the Data LAN to those destination networks would also try to use the VOIP/Voice external interface on the ASA rather than their own DATA external interface. Again because of the more specific route to the destination network.

- Jouni
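To make the routing behaviour described in these replies concrete, here is an added Python model (not ASA code, and not from anyone in the thread) of a single global, destination-based longest-prefix-match table in which only one default route can be active: the source LAN plays no part in the lookup, so a specific route via outside-voip also pulls inside-data traffic for that destination. The interface names come from the posted config; the 203.0.113.0/24 "SIP provider" prefix and the gateway addresses are constructed.

```python
from ipaddress import ip_address, ip_network


class RoutingTable:
    """Single global table: egress is chosen by destination prefix length only."""

    def __init__(self):
        self.routes = []  # list of (network, egress_iface, gateway)

    def add(self, iface, prefix, gateway):
        net = ip_network(prefix)
        # The ASA keeps only one default route in use; model that by
        # refusing a second 0.0.0.0/0 entry outright.
        if net.prefixlen == 0 and any(n.prefixlen == 0 for n, _, _ in self.routes):
            raise ValueError("only one default route can be active at a time")
        self.routes.append((net, iface, gateway))

    def lookup(self, dst, src_iface=None):
        """Return the egress interface for dst.

        src_iface is accepted but deliberately unused: without the NAT-based
        egress selection of later releases, the source LAN does not influence
        the route lookup at all.
        """
        dst = ip_address(dst)
        candidates = [(n.prefixlen, iface) for n, iface, _ in self.routes if dst in n]
        if not candidates:
            return None
        return max(candidates, key=lambda c: c[0])[1]  # longest prefix wins


def build_table():
    """Table from the thread: default via outside-data, one specific route via outside-voip."""
    table = RoutingTable()
    table.add("outside-data", "0.0.0.0/0", "192.0.2.1")          # constructed data-ISP gateway
    table.add("outside-voip", "203.0.113.0/24", "198.51.100.1")  # constructed SIP provider range
    return table


def egress_for(table, src_iface, dst):
    """Egress interface for a flow from src_iface towards dst."""
    return table.lookup(dst, src_iface)


def second_default_route_rejected(table):
    """True if adding a second default route (via outside-voip) is refused."""
    try:
        table.add("outside-voip", "0.0.0.0/0", "198.51.100.1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    t = build_table()
    for src in ("inside-data", "inside-voip"):
        for dst in ("8.8.8.8", "203.0.113.10"):
            print(f"{src:12} -> {dst:14} egress {egress_for(t, src, dst)}")
    print("second default route rejected:", second_default_route_rejected(t))
```

Running it shows both LANs leaving via outside-data for 8.8.8.8, and both LANs leaving via outside-voip for the SIP range, which is exactly the side effect of specific routes that the reply above warns about.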

Ok great, I'll do some testing and be sure to post back the results. Thanks a million for all of your help and clarifications, I really appreciate it!
