not able to inter-vlan routing from ASA

shibindong
Level 1

Hi:

I configured a sub-interface on the ASA for inter-VLAN routing. I can ping from my PC 172.16.2.122 to other IPs within the same subnet, but I cannot ping another subnet, say 172.16.2.51.

here is my configuration:

SNGFWL001/Ctx1# SH RUN
: Saved
:
ASA Version 7.2(1) <context>
!
hostname Ctx1
domain-name default.domain.invalid
enable password xxx
names
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.2
 description link to SNGSW3002 G0/22
 nameif inside20
 security-level 100
 ip address 172.16.2.254 255.255.255.0 standby 172.16.2.253
!
interface GigabitEthernet0/1.3
 description link to SNGSW3002 G0/22
 nameif inside30
 security-level 100
 ip address 172.16.3.254 255.255.255.0 standby 172.16.3.253
!
interface GigabitEthernet0/1.5
 description link to SNGSW3002 G0/22
 nameif inside50
 security-level 100
 ip address 172.16.5.254 255.255.255.0 standby 172.16.5.253
!
interface GigabitEthernet0/1.6
 description link to SNGSW3002 G0/22
 nameif inside60
 security-level 100
 ip address 172.16.6.254 255.255.255.0 standby 172.16.6.253
!
interface GigabitEthernet0/2
 description link to SNGSW2002 G0/4
 nameif outside
 security-level 50
 ip address 172.16.25.4 255.255.255.0 standby 172.16.25.2
!
interface GigabitEthernet0/3
 description link to SNGSW2002 G0/2
 nameif DMZ
 security-level 0
 ip address 172.16.24.4 255.255.255.0 standby 172.16.24.5
!
passwd xxx
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list from-inside20 extended permit ip any any
access-list from-inside20 extended permit icmp any any
pager lines 24
logging enable
logging buffered debugging
mtu inside20 1500
mtu inside30 1500
mtu inside50 1500
mtu inside60 1500
mtu outside 1500
mtu DMZ 1500
monitor-interface inside20
no asdm history enable
arp timeout 14400
nat (DMZ) 0 0.0.0.0 0.0.0.0
access-group from-inside20 in interface inside20
access-group from-inside20 in interface inside30
access-group from-inside20 in interface inside50
access-group from-inside20 in interface inside60
access-group 101 in interface outside
access-group DMZ_access_in in interface DMZ
route outside 172.17.0.0 255.255.0.0 172.16.25.10 1
route DMZ 0.0.0.0 0.0.0.0 172.16.24.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username cisco password xxx encrypted
http server enable
http 172.16.2.0 255.255.255.0 inside20
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxx
: end

1 Reply

acomiskey
Level 10

Maybe just a typo on your part, but aren't 172.16.2.122/24 and 172.16.2.51/24 the same subnet? I assume you meant 172.16.2.x to 172.16.3.x. Anyway, try "same-security-traffic permit inter-interface" to allow communication between same security level interfaces.
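As an added example that is not part of this thread, here is a small Python audit that reads an ASA-style running config, groups named interfaces by security level, and flags any group of two or more when `same-security-traffic permit inter-interface` is absent, which is exactly the condition the reply above points at. The sample config is a constructed slice of the one posted in the question.

```python
import re
from collections import defaultdict

# Constructed sample: a slice of the posted context config, with the
# same-security-traffic line absent as in the original post.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.2
 nameif inside20
 security-level 100
 ip address 172.16.2.254 255.255.255.0 standby 172.16.2.253
!
interface GigabitEthernet0/1.3
 nameif inside30
 security-level 100
 ip address 172.16.3.254 255.255.255.0 standby 172.16.3.253
!
interface GigabitEthernet0/2
 nameif outside
 security-level 50
 ip address 172.16.25.4 255.255.255.0
!
access-group from-inside20 in interface inside20
access-group from-inside20 in interface inside30
"""

def parse_interfaces(config):
    """Return {nameif: security-level} for every named interface block."""
    levels, nameif = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            nameif = None                       # new block, forget the previous nameif
        elif s.startswith("nameif "):
            nameif = s.split(None, 1)[1]
        elif s.startswith("security-level ") and nameif:
            levels[nameif] = int(s.split()[1])
    return levels

def same_security_groups(levels):
    """Interfaces grouped by security level; only groups with 2+ members."""
    groups = defaultdict(list)
    for name, lvl in levels.items():
        groups[lvl].append(name)
    return {lvl: sorted(n) for lvl, n in groups.items() if len(n) > 1}

def audit_same_security(config):
    """Findings for same-level interface groups that cannot exchange traffic.
    Once the permit line is present, each interface's inbound access-group
    still filters what actually crosses, so the ACLs remain the control."""
    permitted = re.search(r"^\s*same-security-traffic permit inter-interface\s*$",
                          config, re.M) is not None
    groups = same_security_groups(parse_interfaces(config))
    return [] if permitted else [
        f"{', '.join(names)} share security-level {lvl} but "
        "same-security-traffic permit inter-interface is not set; traffic between them is dropped"
        for lvl, names in sorted(groups.items())]
```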
