ASA 5505 Inter-Vlan routing issue

Joe Conklin
Level 1

I'm having an issue routing between vlans. I have vlan 1 and 2. I want to ping something on vlan 2 from vlan 1. I cannot ping from a computer on vlan 1 to a computer on vlan 2. I can ping each computer from the ASA 5505. I get an error on the ASA when I try to ping from the computers. The error is Failed to locate egress interface for UDP from voice:192.168.0.199/137 to 192.168.1.200/137. I can't understand why it even mentions IP 192.168.1.200/137... I reset the unit, configuring it from scratch, and still no go. I have not given a static route to the outside yet.. I need to get inter-vlan routing working first.

Here is my ping from the router pinging computers on both sides...

asa5505(config)# ping 192.168.0.199
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.199, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
asa5505(config)# ping 192.168.10.199
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.199, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Below is my config

Result of the command: "show run"

: Saved
:
ASA Version 8.2(2)
!
hostname asa5505
domain-name domain.local
enable password encrypted
passwd encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.105 255.255.255.0
!
interface Vlan2
nameif voice
security-level 100
ip address 192.168.0.90 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address 74.95.178.221 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
icmp permit any voice
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (voice) 1 interface
nat (inside) 101 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:46c213dece9444eb2ac7fdec0c2348a0
: end

13 Replies

bikespace
Level 1

You are trying to pass traffic between same security interfaces (both sec level 100).

Try the global command:

same-security-traffic permit inter-interface

Your error is a red herring I believe, just some Netbios 'noise'

hth

Bikespace

integreon
Level 1

Can you do a source ping and share the result?

Anton

Sent from Cisco Technical Support iPad App

@ integreon show ip route isn't a valid cmd in asa/pix os.

No Joe,

I'm talking about source ping. See below (try to ping the Vlan2 system IP from Vlan1 interface.

Firewall# ping

Interface: Vlan1

Target IP address: 109.168.0.199

Integreon, I'm not doing a source ping correctly.. When I try, below is what I get.. I experimented but I'm not sure what to say for repeat, byte size, pattern, etc.

asa5505(config)# ping

Interface: vlan1

% Bad interface name

Not enough arguments.

Usage: ping [if_name] [data ] [repeat ] [size ]

                [timeout ] [validate]

Joe Conklin
Level 1

bikespace, I did what you asked, still no dice.. Below is my current config... I exempted the networks from NAT altogether, and just in case you are wondering, yes it is a Security Plus model.

: Saved
:
ASA Version 8.2(2)
!
hostname asa5505
domain-name domain.local
enable password encrypted
passwd encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.105 255.255.255.0
!
interface Vlan2
nameif voice
security-level 100
ip address 192.168.0.90 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address IP REMOVED 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
icmp permit any voice
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.10.0 255.255.255.0
nat (voice) 0 access-list nonat
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7e90697f4cd43564ea930e25078d9cf6
: end


I think you need to create subinterfaces to provide inter-VLAN communication, or configure IP addresses directly on the interfaces, not on the VLAN interface.

Hope this helps

Eugen

Hi,

Try to ping by adding 'inspect icmp' under class inspection_default.

If you still experience issues, enable 'debug icmp trace' on the ASA and initiate a ping from A-->B. Post the outputs.

hth

MS

@mvsheik123 I enabled debug but when doing ping or tracert I do not see any debug info in terminal or in the ASA traffic monitor.

@eugen barticel, you can't create subinterfaces on an ASA 5505. You create vlans and assign access to switch ports. I believe on the 5510 and higher sub-interfaces are possible/typical. On the 5505 router-on-a-stick is not possible. Either way, if I did router-on-a-stick on the ASA I'd still be at an impasse because I can't get whatever access or nat rules ironed out.

Mark Lange
Level 1

Simply add these commands and your vlans will be able to communicate with one another:

Int vlan2
security-level 99
!
Exit
!
static (inside,voice) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (voice,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
!
End

The vlan change is for voice to be able to use the outside interface to get out to the Internet. The other two statics are so each network can communicate with one another.

Sent from Cisco Technical Support iPhone App
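Bikespace's answer (equal security levels need `same-security-traffic permit inter-interface`) and Mark Lange's answer (drop voice to level 99 so inside-to-voice flows as higher-to-lower) both rest on the ASA's default interface-security rule. The following Python is an added example written for this thread, not Cisco's code and not something any poster ran: it parses constructed excerpts of the three configs posted above (original, with `same-security-traffic`, and with voice at level 99) and evaluates, in both directions, whether the security levels alone permit a connection between inside and voice. It models only that rule (higher-to-lower permitted, lower-to-higher denied without an access-list, equal levels gated by the inter-interface permit) and deliberately ignores access-lists, NAT statements and ICMP inspection.

```python
# Added example (not Cisco's code): models only the ASA's default
# interface-security rule for traffic initiated from one nameif toward another.
# It ignores access-lists, NAT and ICMP inspection, so it answers one question:
# do the two security levels alone permit the flow?

# Constructed excerpts of the three configs posted in this thread.
CONFIG_ORIGINAL = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif voice
 security-level 100
interface Vlan3
 nameif outside
 security-level 0
"""

# Second config: bikespace's suggestion added.
CONFIG_SAME_SEC = CONFIG_ORIGINAL + "same-security-traffic permit inter-interface\n"

# Mark Lange's suggestion: voice lowered to 99, no inter-interface permit.
CONFIG_LEVEL_99 = CONFIG_ORIGINAL.replace(
    " nameif voice\n security-level 100", " nameif voice\n security-level 99")


def parse_config(text):
    """Return ({nameif: security-level}, inter_interface_permitted)."""
    levels, nameif, inter_ok = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # start of a new interface stanza
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif line == "same-security-traffic permit inter-interface":
            inter_ok = True
    return levels, inter_ok


def default_policy(levels, inter_ok, src, dst):
    """(allowed, reason) for a connection initiated on src toward dst."""
    s, d = levels[src], levels[dst]
    if s > d:
        return True, f"{src}({s})->{dst}({d}): higher to lower, permitted by default"
    if s < d:
        return False, f"{src}({s})->{dst}({d}): lower to higher, needs an access-list on {src}"
    if inter_ok:
        return True, f"{src}({s})->{dst}({d}): equal levels, permitted by same-security-traffic"
    return False, (f"{src}({s})->{dst}({d}): equal levels, blocked without "
                   "same-security-traffic permit inter-interface")


def report(text, a="inside", b="voice"):
    """Evaluate both directions between two interfaces of one config."""
    levels, inter_ok = parse_config(text)
    return {f"{x}->{y}": default_policy(levels, inter_ok, x, y)
            for x, y in ((a, b), (b, a))}


if __name__ == "__main__":
    for name, cfg in (("original", CONFIG_ORIGINAL),
                      ("same-security", CONFIG_SAME_SEC),
                      ("voice level 99", CONFIG_LEVEL_99)):
        print(name)
        for allowed, reason in report(cfg).values():
            print("  ", "ALLOW" if allowed else "DENY ", reason)
```

The two fixes are not equivalent: with both interfaces at 100 plus the inter-interface permit, the model allows both directions; with voice at 99 and no permit, it allows inside-to-voice but denies connections initiated from the voice VLAN toward inside until an access-list applied on voice permits them. The identity `static` entries in Mark Lange's answer are outside this model.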

@Mark Lange, I tried that, still no dice. Below is my current config..

Result of the command: "show run"

: Saved
:
ASA Version 8.2(2)
!
hostname asa5505
domain-name churchill.local
enable password 8FqdnUfqQih2Ylyn encrypted
passwd KlmFcak5WfQtJl2w encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.105 255.255.255.0
!
interface Vlan2
nameif voice
security-level 99
ip address 192.168.0.90 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address 74.95.178.221 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name churchill.local
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu voice 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any voice
icmp permit any echo-reply outside
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,voice) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (voice,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:10233ade57c99bd6286acbcedb7269b9
: end

Ok, I got my issue resolved with Cisco TAC support's assistance.. It was NOT an issue with my config, it was an issue with my systems and their routing tables. After tracing back the issue there I was able to resolve the communication issue inter-vlan, and the egress error about the 192.168.1.X network.

The one issue I have left is that I need to route some traffic in one direction, and the other traffic in another..

To explain further I have the two networks listed as above. Those networks are 192.168.10.X and 192.168.0.X. The 10 network is the data, and the 0 is the voice. I set a route of last resort and the data network can get to the Internet. As Boilermaker85 pointed out, my voice network does NOT need to get to the Internet through the ASA.

However, now that inter-vlan communication is working, connected routes will take precedence over static routes.. I need to route all traffic on the voice (192.168.0.X) network to 192.168.0.1.. I want to keep the ASA as the voice network's gateway rather than adding a route to the 192.168.10.X network on 192.168.0.1, which is actually the proper way... Can I do that on the ASA? I was told by Cisco not to do it that way..


Below are my routes on the ASA

Gateway of last resort is 10.1.10.1 to network 0.0.0.0

C 192.168.10.0 255.255.255.0 is directly connected, inside
C 10.1.10.0 255.255.255.0 is directly connected, outside
C 192.168.0.0 255.255.255.0 is directly connected, voice
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.10.1, outside
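The "connected routes take precedence over static routes" point can be made concrete. The Python below is an added example, not output from the ASA and not code from anyone in this thread: it parses the `show route` table quoted above (reproduced here as a constructed string) and models the lookup as longest prefix match first, then lowest administrative distance, with connected routes at AD 0. It also adds a hypothetical static route for 192.168.0.0/24 via 192.168.0.1 (the route the question is asking about) to show that it cannot displace the connected voice route.

```python
import ipaddress
import re

# Added example (not ASA code): models the route lookup on the 'show route'
# table quoted above as longest prefix match, then lowest administrative
# distance. Connected routes carry AD 0, so a static route to the same prefix
# (AD 1) never wins against them.

# Constructed from the routing table posted in this thread.
SHOW_ROUTE = """\
Gateway of last resort is 10.1.10.1 to network 0.0.0.0

C    192.168.10.0 255.255.255.0 is directly connected, inside
C    10.1.10.0 255.255.255.0 is directly connected, outside
C    192.168.0.0 255.255.255.0 is directly connected, voice
S*   0.0.0.0 0.0.0.0 [1/0] via 10.1.10.1, outside
"""

# Hypothetical: the static route the poster is asking about, layered on top.
SHOW_ROUTE_WITH_STATIC = SHOW_ROUTE + \
    "S    192.168.0.0 255.255.255.0 [1/0] via 192.168.0.1, voice\n"

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+\[(?P<ad>\d+)/\d+\])?\s+"
    r"(?:via\s+(?P<gw>\d+\.\d+\.\d+\.\d+)|is directly connected),\s+(?P<iface>\S+)$"
)


def parse_routes(text):
    """Turn 'show route' lines into dicts; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append({
            "code": m["code"],
            "net": ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False),
            "ad": int(m["ad"]) if m["ad"] else 0,   # connected routes: AD 0
            "gw": m["gw"],                          # None for connected routes
            "iface": m["iface"],
        })
    return routes


def lookup(routes, dst):
    """Best route for dst: longest prefix, then lowest administrative distance."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["ad"]))


def describe(route):
    via = f"via {route['gw']}" if route["gw"] else "directly connected"
    return f"{route['code']} {route['net']} {via}, {route['iface']} (AD {route['ad']})"


if __name__ == "__main__":
    for table in (SHOW_ROUTE, SHOW_ROUTE_WITH_STATIC):
        routes = parse_routes(table)
        for dst in ("192.168.0.55", "192.168.10.7", "8.8.8.8"):
            print(dst, "->", describe(lookup(routes, dst)))
        print()
```

Run it and the second table gives the same answer as the first for a voice-VLAN host: the connected 192.168.0.0/24 entry wins on administrative distance, so the ASA cannot be told to forward traffic for its own voice subnet to 192.168.0.1. Hosts on that subnet exchange traffic with each other directly at layer 2 in any case, so the ASA only sees their traffic to other networks.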

Good to hear that your main problem is fixed.

For the other question about voice, I think that the ASA will introduce latency for voice packets; it can be done but it is lots of fine-tuning and changing some defaults.

Maybe this info will help

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_voicevideo.html

Eugen
