New Member

Vlan to Vlan communication

Hello all,

I have created 3 vlans on my ASA 5505,

5, 10, 15, and 20

They are on Interface 0/4 and trunked to a switch port which is also configured as a trunk. All works great....EXCEPT

I have a printer on VLAN 20 (192.168.20.15) that folks on VLAN 5 and 15 need to print to. I have the vlans on the same security level and configured same-security-traffic-permit.

I am missing something very elementary, I'm sure. Can someone please provide the key to this puzzle?

Thanks!

John

40 REPLIES
New Member

Re: Vlan to Vlan communication

Hi,

Try adding routes to all other interfaces similar to route inside. Check the gateway of the printer if still not responding

Thanks

AP

Re: Vlan to Vlan communication

Your issue appears to be NAT

Either create a nat0 for the vlans or configure a static network nat.

HTH>

New Member

Re: Vlan to Vlan communication

Thanks! I created the following and now my users cannot get to the Internet

nat (Chappell) 0 access-list Chappell_access_in

nat (Burton) 0 access-list Burton_access_in

I already have the static access-list setup as follows for allowing access to the printer

static (User-Vlan,Burton) 192.168.20.15 192.168.20.15 netmask 255.255.255.255

static (User-Vlan,Chappell) 192.168.20.15 192.168.20.15 netmask 255.255.255.255

My route is

route inside 192.168.0.0 255.255.0.0 192.168.1.1 1

I'm stuck!

John

Re: Vlan to Vlan communication

That is because you are using the wrong acl - at the end of the acls you are saying ip any any = do not nat anything - when you use these acls with the no-nat config.

Remove:-

nat (Chappell) 0 access-list Chappell_access_in

nat (Burton) 0 access-list Burton_access_in

Config the below:-

access-list no-vlan-nat permit ip 192.168.5.0 255.255.255.0 host 192.168.20.15

access-list no-vlan-nat permit ip 192.168.15.0 255.255.255.0 host 192.168.20.15

nat (Chappell) 0 access-list no-vlan-nat

nat (Burton) 0 access-list no-vlan-nat

HTH>

New Member

Re: Vlan to Vlan communication

Thanks! Would that be the same for a VPN use? VPN is 192.168.30.0

access-list no-vlan-nat permit ip 192.168.30.0 255.255.255.0 host 192.168.20.15

Thank you! I'll try this now.

Re: Vlan to Vlan communication

No - for VPN use you have to do a couple of things.....but why would you want remote VPN clients to print to a printer they are remote from?

New Member

Re: Vlan to Vlan communication

I asked the same thing. Apparently the broker has an office at home and wants to print contracts on this printer for his staff when he is out of the office. I could use access to the vlan for RDP though.

Re: Vlan to Vlan communication

Then all you need to do is add the remote VPN IP subnet to the interface no-nat access-list and it will be ok.

New Member

Re: Vlan to Vlan communication

Thank you! I'll give it a shot. NAT always messes me up. Need to study it more.

New Member

Re: Vlan to Vlan communication

So it would look like this, right?

access-list no-vlan-nat extended permit ip 192.168.30.0 255.255.255.0 host 192.168.20.0

VPN IP is 192.168.30.x

Thanks again for all your assistance.

Re: Vlan to Vlan communication

Yes - and you need to make sure the 192.168.20.0 subnet is in the encryption domain list for the remote vpn user.

New Member

Re: Vlan to Vlan communication

That did not work. I cannot access the 20 network. Do I need a NAT 0 for VPN as well? That does not sound right. I should be able to access all the vlans when I VPN in.

Re: Vlan to Vlan communication

OK - let's debug the config, attach the config with all sensitive info removed.

New Member

Re: Vlan to Vlan communication

ok, Thanks! Here it is. The config works perfectly for the exception of the VPN. I can VPN in, I can surf the web, so split tunnel is configured correctly, but I cannot access any of the VLANs.

Re: Vlan to Vlan communication

OK - the acl KWRE_Split_Tunnel specifies the allowed network subnets sent to the vpn client for encryption.

Add the specific subnet/IP host to this and re-test.
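The two mistakes diagnosed above (binding an interface ACL that ends in "permit ip any any" to nat 0, and a split-tunnel ACL that omits the VLAN subnets) both come down to first-match ACL evaluation. This added example, not code from the thread or from Cisco, models that evaluation in Python over the ACL lines posted in this thread; the helper names (parse_acls, nat_exempt, in_split_tunnel) are my own.

```python
import ipaddress

# Constructed sample assembled from the ACL lines posted in the thread: the
# interface ACL that was wrongly bound to nat 0, the corrected no-nat ACL,
# and the original split-tunnel ACL that only listed 192.168.1.0/24.
SAMPLE_CONFIG = """
access-list Chappell_access_in remark Print to Printer Copier
access-list Chappell_access_in extended permit ip any host 192.168.20.15
access-list Chappell_access_in extended permit ip any any
access-list no-vlan-nat permit ip 192.168.5.0 255.255.255.0 host 192.168.20.15
access-list no-vlan-nat permit ip 192.168.15.0 255.255.255.0 host 192.168.20.15
access-list KWRE_Split_Tunnel standard permit 192.168.1.0 255.255.255.0
"""

def _addr(tok):
    """Consume one ASA address spec from the token list: 'any', 'host X', or 'NET MASK'."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(t + "/" + tok.pop(0), strict=False)

def parse_acls(text):
    """Map ACL name -> ordered list of (action, src_net, dst_net).
    Only the 'ip' protocol form used in the thread is modelled; remarks are skipped."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list" or tok[2] == "remark":
            continue
        name, rest = tok[1], tok[2:]
        kind = rest.pop(0) if rest[0] in ("extended", "standard") else "extended"
        action = rest.pop(0)                      # permit / deny
        if kind == "standard":                    # standard ACLs carry a single address
            src, dst = ipaddress.ip_network("0.0.0.0/0"), _addr(rest)
        else:
            rest.pop(0)                           # protocol keyword ('ip')
            src, dst = _addr(rest), _addr(rest)
        acls.setdefault(name, []).append((action, src, dst))
    return acls

def first_match(entries, src, dst):
    """ASA ACLs are first-match: return the action of the first matching entry, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return None

def nat_exempt(acls, name, src, dst):
    """'nat (if) 0 access-list NAME': a flow the ACL permits bypasses dynamic NAT/PAT."""
    return first_match(acls[name], src, dst) == "permit"

def in_split_tunnel(acls, name, dst):
    """Standard split-tunnel ACL: only permitted destinations are sent into the tunnel."""
    return first_match(acls[name], "0.0.0.0", dst) == "permit"
```

With the interface ACL as the nat 0 list, a VLAN 15 host's Internet flow is exempted from PAT (so it never reaches the Internet), while the no-vlan-nat list exempts only printer traffic; the split-tunnel check shows 192.168.20.15 is not tunnelled until its subnet is added.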

New Member

Re: Vlan to Vlan communication

ARGH!!! I see that!! Darn it! Ok. Here is what I have:

access-list KWRE_Split_Tunnel standard permit 192.168.1.0 255.255.255.0

It should read:

access-list KWRE_Split_Tunnel standard permit 192.168.0.0 255.255.255.0

This should work!

New Member

Re: Vlan to Vlan communication

I added the following:

access-list KWRE_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0

access-list KWRE_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0

access-list KWRE_splitTunnelAcl standard permit 192.168.15.0 255.255.255.0

access-list KWRE_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0

I can ping 192.168.1.1 but I cannot ping any other network, ie 192.168.20.15

Re: Vlan to Vlan communication

post your config again with all the changes.

New Member

Re: Vlan to Vlan communication

Ok, here it is.

Re: Vlan to Vlan communication

You need to add the remote VPN subnet to the no-nat acls of the specific interfaces.

New Member

Re: Vlan to Vlan communication

I thought I added that.

access-list no-vlan-nat extended permit ip any KW-VPN 255.255.255.128

Is this not what you are talking about?

Thanks!

Re: Vlan to Vlan communication

is the acl getting any hits?

post the output for "show route"

New Member

Re: Vlan to Vlan communication

Here is the sho route output:

Gateway of last resort is 209.221.206.1 to network 0.0.0.0

C 192.168.15.0 255.255.255.0 is directly connected, Chappell

C 192.168.25.0 255.255.255.0 is directly connected, Sanchez

C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

C 192.168.20.0 255.255.255.0 is directly connected, User-Vlan

C 192.168.5.0 255.255.255.0 is directly connected, Burton

C 192.168.1.0 255.255.255.0 is directly connected, inside

C 209.221.206.0 255.255.255.0 is directly connected, outside

S* 0.0.0.0 0.0.0.0 [1/0] via 209.221.206.1, outside

S 192.168.0.0 255.255.0.0 [1/0] via 192.168.1.1, inside

I do not see hits on the acl, at least from what I can tell.

Re: Vlan to Vlan communication

You have in your config:-

access-list no-vlan-nat extended permit ip any KW-VPN 255.255.255.128

But the VPN pool is:-

ip local pool KW-VPN 192.168.30.50-192.168.30.70 mask 255.255.255.0

I suggest you change from:-

access-list no-vlan-nat extended permit ip any KW-VPN 255.255.255.128

to:-

access-list no-vlan-nat extended permit ip any 192.168.30.0 255.255.255.0

then retest/debug and check your logs.

New Member

Re: Vlan to Vlan communication

Nice catch!

Ok so here is the acl:

access-list inside_nat0_outbound extended permit ip any KW-VPN 255.255.255.0

access-list KWRE_Split_Tunnel standard permit 192.168.1.0 255.255.255.0

access-list Chappell_access_in remark Print to Printer Copier

access-list Chappell_access_in extended permit ip any host 192.168.20.15

access-list Chappell_access_in extended permit ip any any

access-list Burton_access_in remark Print to Printer Copier

access-list Burton_access_in extended permit ip any host 192.168.20.15

access-list Burton_access_in extended permit ip any any

access-list no-vlan-nat extended permit ip 192.168.5.0 255.255.255.0 host 192.168.20.15

access-list no-vlan-nat extended permit ip 192.168.15.0 255.255.255.0 host 192.168.20.15

access-list no-vlan-nat extended permit ip 192.168.25.0 255.255.255.0 host 192.168.20.15

access-list no-vlan-nat extended permit ip any KW-VPN 255.255.255.0

access-list Sanchez_access_in remark Print to Printer Copier

access-list Sanchez_access_in extended permit ip any host 192.168.20.15

access-list Sanchez_access_in extended permit ip any any

access-list KWRE_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0

access-list KWRE_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0

access-list KWRE_splitTunnelAcl standard permit 192.168.15.0 255.255.255.0

access-list KWRE_splitTunnelAcl standard permit 192.168.25.0 255.255.255.0

access-list User-Vlan_nat0_outbound extended permit ip any KW-VPN 255.255.255.0

ip local pool KW-VPN 192.168.30.50-192.168.30.70 mask 255.255.255.0

global (inside) 1 interface

global (outside) 1 interface

global (Burton) 1 interface

global (Sanchez) 1 interface

global (Chappell) 1 interface

global (User-Vlan) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 KW-VPN 255.255.255.128

nat (outside) 1 0.0.0.0 0.0.0.0

nat (Burton) 0 access-list no-vlan-nat

nat (Burton) 1 0.0.0.0 0.0.0.0

nat (Sanchez) 0 access-list no-vlan-nat

nat (Sanchez) 1 0.0.0.0 0.0.0.0

nat (Chappell) 0 access-list no-vlan-nat

nat (Chappell) 1 0.0.0.0 0.0.0.0

nat (User-Vlan) 1 0.0.0.0 0.0.0.0

static (User-Vlan,Burton) 192.168.20.15 192.168.20.15 netmask 255.255.255.255

static (User-Vlan,Chappell) 192.168.20.15 192.168.20.15 netmask 255.255.255.255

static (User-Vlan,Sanchez) 192.168.20.15 192.168.20.15 netmask 255.255.255.255

access-group Burton_access_in in interface Burton

access-group Sanchez_access_in in interface Sanchez

access-group Chappell_access_in in interface Chappell

route outside 0.0.0.0 0.0.0.0 209.221.206.1 1

route inside 192.168.0.0 255.255.0.0 192.168.1.1 1

I can ping 192.168.1.1 but not any of the vlans (5,15,20,and 25)

New Member

Re: Vlan to Vlan communication

I just noticed this:

nat (outside) 1 KW-VPN 255.255.255.128

and I changed it to this:

nat (outside) 1 KW-VPN 255.255.255.0

No change in behaviour though.

Thanks!

Re: Vlan to Vlan communication

That just changes the subnet that is translated via the vpn remote subnet to the internet.

To be honest I have lost track of the changes and what problems have been solved and what still does not work.

What does work?

What does not work?

New Member

Re: Vlan to Vlan communication

Ok,

I can VPN in and surf the web

I can ping the native vlan (vlan1) 192.168.1.1 and any host on the 1 network.

I cannot ping or access any of the vlans (5,15,20,25)

192.168.5.1

192.168.15.1

192.168.20.1

192.168.25.1

VPN IP is 192.168.30.0 (KW-VPN)

Thanks again for your help on this.

Re: Vlan to Vlan communication

The config looks ok - you are just going to have to troubleshoot this by looking at the logs.
