sadburger

asked on

Route between VLANS asa 5510

I am having trouble configuring routing between vlan interfaces on my ASA5510

Interface 0 - this is my internet connection

Interface 1 - this is the main interface I am using for my inside connection, and the interface the VLANs are configured on. This has an IP address of 192.168.0.1
Interface 1.2 - this is one of the VLANs, VLAN #2, IP address 192.168.1.1
Interface 1.3 - another VLAN, VLAN ID #3, IP address 192.168.2.1

Physical interface 1 connects to a trunk port of my switch that is configured for the vlans. All three vlans have access to the internet and are natted. I would like to be able to communicate between the vlans, but cannot figure out how to set it up. Aside from the basics above the ASA config is at the default.
vjlp

Remove the IP address from the physical interface and create another sub-interface called interface1.1. Also, do you have 'encapsulation dot1q <vlanid>' configured on all subinterfaces?
Just like in switches...

VLANs should be fully setup with IP/subnetmask...

Now.. the default security settings on ASA devices is that traffic CANNOT go from a VLAN that has high security index to a low security index VLAN...

config t
int vlan#
**** Here you will see that security levels are different... usually DMZ vlans are at 50, inside at 100 and outside at 0

If you set these internal VLANs at the same number... traffic will flow...

It would also help if you capture some logs from the ASA and post them here, during the time you attempt communication between VLANs.
Les Moore
Did you assign same security level to the vlan sub-interfaces?
Then allow same security level traffic with this command:
  same-security-traffic permit inter-interface

Example:

 same-security-traffic permit inter-interface
interface FastEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/1.2
 vlan 2
 nameif VLAN2
 security-level 100
 ip address 192.168.1.1 255.255.255.0

interface FastEthernet0/1.3
 vlan 3
 nameif VLAN3
 security-level 100
 ip address 192.168.2.1 255.255.255.0

sadburger

ASKER

They are configured with the same security level (100) and the same-security command is present. Here is my current config:


asdm image disk0:/asdm-507.bin
asdm location Server 255.255.255.255 dept1
no asdm history enable
: Saved
:
ASA Version 7.0(7) 
!
hostname deltafw01
domain-name default.domain.invalid
 
names
name 192.168.1.2 Server
dns-guard
!
interface Ethernet0/0
 nameif internet
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.0 
!
interface Ethernet0/1
 nameif internal
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface Ethernet0/1.2
 vlan 2
 nameif dept1
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/1.3
 vlan 3
 nameif dept2
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.0.0.1 255.0.0.0 
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list dept2_access_in_V1 extended permit ip any any 
access-list Inside_pnat_inbound extended permit ip 192.168.1.0 255.255.255.0 any 
access-list Inside_pnat_inbound_V1 extended permit ip any any 
access-list dept2_access_in extended permit ip any any 
access-list internet_access_in extended permit tcp any interface internet eq 3389 
pager lines 24
logging asdm informational
mtu internet 1500
mtu dept2 1500
mtu management 1500
mtu dept1 1500
mtu internal 1500
no failover
monitor-interface internet
no monitor-interface dept2
monitor-interface management
no monitor-interface dept1
monitor-interface internal
icmp permit any dept1
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (internet) 10 interface
nat (dept2) 10 192.168.2.0 255.255.255.0
nat (dept1) 10 192.168.1.0 255.255.255.0
nat (internal) 10 192.168.0.0 255.255.255.0
static (dept1,internet) tcp interface 3389 Server 3389 netmask 255.255.255.255 
access-group internet_access_in in interface internet
route internet 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.0.0.0 management
http 192.168.1.0 255.255.255.0 dept1
http 192.168.0.0 255.255.255.0 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.100-192.168.2.199 dept2
dhcpd address 10.0.0.2-10.0.0.10 management
dhcpd dns 192.168.2.2 
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain wcs.local
dhcpd auto_config internal
dhcpd enable dept2
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
Cryptochecksum:bfcb0934f53cdd67ae20d0537c52a5ee
: end

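The thread so far has checked two things by eye: that the VLAN sub-interfaces share a security level and that same-security-traffic permit inter-interface is present. The script below is an added example, not code from the thread or from Cisco; it reads a pre-8.3 style ASA config (a trimmed excerpt modelled on the one above, embedded as constructed input) and reports those two preconditions for a pair of named interfaces, plus a third one it assumes from pre-8.3 NAT behaviour: a nat statement on the ingress interface with no matching global on the egress interface and no nat 0 exemption, which that code drops as "no translation group found".

```python
import re

# Constructed excerpt modelled on the ASA 7.0 config posted in this thread.
SAMPLE_CONFIG = """
interface Ethernet0/1
 nameif internal
 security-level 100
interface Ethernet0/1.2
 vlan 2
 nameif dept1
 security-level 100
interface Ethernet0/1.3
 vlan 3
 nameif dept2
 security-level 100
same-security-traffic permit inter-interface
global (internet) 10 interface
nat (dept2) 10 192.168.2.0 255.255.255.0
nat (dept1) 10 192.168.1.0 255.255.255.0
"""

def parse(cfg):
    """Collect security level per nameif, nat ids per interface, and global pairs."""
    levels, nat_ids, globals_, name = {}, {}, set(), None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None                      # new interface block, forget previous nameif
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
        elif m := re.match(r"nat \((\S+)\) (\d+) ", s):
            nat_ids.setdefault(m.group(1), set()).add(int(m.group(2)))
        elif m := re.match(r"global \((\S+)\) (\d+) ", s):
            globals_.add((m.group(1), int(m.group(2))))
    return levels, nat_ids, globals_, "same-security-traffic permit inter-interface" in cfg

def check_pair(cfg, a, b):
    """Return a list of findings that would stop traffic between nameifs a and b."""
    levels, nat_ids, globals_, inter = parse(cfg)
    findings = []
    if levels.get(a) != levels.get(b):
        findings.append(f"security levels differ: {a}={levels.get(a)} {b}={levels.get(b)}")
    elif not inter:
        findings.append("equal security levels but same-security-traffic permit inter-interface is missing")
    for src, dst in ((a, b), (b, a)):
        ids = nat_ids.get(src, set())
        if 0 in ids:                        # nat 0 exemption covers this source (assumption)
            continue
        for nid in ids:
            if (dst, nid) not in globals_:
                findings.append(f"nat ({src}) {nid} has no global on {dst}: expect 'no translation group' drops")
    return findings

if __name__ == "__main__":
    for f in check_pair(SAMPLE_CONFIG, "dept1", "dept2"):
        print("FINDING:", f)
```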

You should have full connectivity between all three VLANs.
What kind of switch do you have and is it configured correctly with vlans and a trunk port?
The switch is a Catalyst 2960, and the VLANs and trunking are configured on that. I don't have access to the config right this moment, but it is a barebones config that assigns ports 2-20 to VLAN 2 and 21-48 to VLAN 3. Port 1 is set for trunking and configured with access to VLANs 1-3.

That all seems to be working properly, as I am running two separate DHCP servers and the computers on the vlans are getting correct IP addresses. In fact, the ASA is doing the DHCP on one of the vlans.

Internet access (which is being NATed through the ASA, as seen in the config above) is also working.

The only thing that isn't working is communication between the vlans right now.
Given that, it sounds like the VLANs are all working fine and trunking is working, or the Internet wouldn't be working.
I know you shouldn't have to, but try rebooting the ASA and see if there is any change.

No dice; reset, and still the same.

I was under the impression that I may need to add some static routing... anything along that lines you can think of? Or anything else to try?
Routes inside are missing.

Add a return route in the ASA for all VLANs,
i.e.

ip route inside with the specific VLAN
Only if you had a layer 3 switch inside would you need route statements. Your 2950 is L2 only so the ASA is the only L3 device and all VLANs should show up as connected, so no routing necessary.
Nothing I have tried so far is working. Devangshroff can you give a specific example that I should use based on the config above? I'm willing to try anything at this point!
I would open a TAC case with Cisco, because the configuration is correct and traffic is supposed to be routed between the interfaces with no need for any nat between them.
Agreed to Irmoore.....

btw... Cisco is quite good at this... they will open up a WebEx session, request to control your desktop, then make the changes right in front of you... they did that for me once and fixed my VPN issue within a few minutes... I'm impressed with their service!
ASKER CERTIFIED SOLUTION
sharedit
After opening a Cisco TAC case, they informed me that it was in fact not possible to route back out the same interface with the ASA 5510.