sadburger
Route between VLANS asa 5510
I am having trouble configuring routing between VLAN interfaces on my ASA5510.
Interface 0 - this is my internet connection.
Interface 1 - this is the main interface I am using for my inside connection, and the interface the VLANs are configured on. This has an IP address of 192.168.0.1.
Interface 1.2 - this is one of the VLANs, VLAN #2, IP address 192.168.1.1.
Interface 1.3 - another VLAN, VLAN ID #3, IP address 192.168.2.1.
Physical interface 1 connects to a trunk port of my switch that is configured for the VLANs. All three VLANs have access to the internet and are NATed. I would like to be able to communicate between the VLANs, but cannot figure out how to set it up. Aside from the basics above, the ASA config is at the default.
Remove the IP address from the physical interface and create another sub-interface called interface1.1. Also, do you have 'encapsulation dot1q <vlanid>' configured on all subinterfaces?
Just like in switches...
VLANs should be fully setup with IP/subnetmask...
Now... the default security setting on ASA devices is that traffic CANNOT go from a VLAN that has a high security index to a low security index VLAN...
config t
int vlan#
**** Here you will see that security levels are different... usually DMZ vlans are at 50, inside at 100 and outside at 0
If you set these internal VLANs at the same number... traffic will flow...
It would also help if you capture some logs from the ASA and post them here... during the time you attempt communication between VLANs.
Did you assign the same security level to the VLAN sub-interfaces?
Then allow same security level traffic with this command:
same-security-traffic permit inter-interface
Example:
same-security-traffic permit inter-interface
interface FastEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/1.2
vlan 2
nameif VLAN2
security-level 100
ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1.3
vlan 3
nameif VLAN3
security-level 100
ip address 192.168.2.1 255.255.255.0
inter
ASKER
They are configured with the same security level (100) and the same-security command is present. Here is my current config:
asdm image disk0:/asdm-507.bin
asdm location Server 255.255.255.255 dept1
no asdm history enable
: Saved
:
ASA Version 7.0(7)
!
hostname deltafw01
domain-name default.domain.invalid
names
name 192.168.1.2 Server
dns-guard
!
interface Ethernet0/0
nameif internet
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Ethernet0/1
nameif internal
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1.2
vlan 2
nameif dept1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.3
vlan 3
nameif dept2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.0.0.1 255.0.0.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list dept2_access_in_V1 extended permit ip any any
access-list Inside_pnat_inbound extended permit ip 192.168.1.0 255.255.255.0 any
access-list Inside_pnat_inbound_V1 extended permit ip any any
access-list dept2_access_in extended permit ip any any
access-list internet_access_in extended permit tcp any interface internet eq 3389
pager lines 24
logging asdm informational
mtu internet 1500
mtu dept2 1500
mtu management 1500
mtu dept1 1500
mtu internal 1500
no failover
monitor-interface internet
no monitor-interface dept2
monitor-interface management
no monitor-interface dept1
monitor-interface internal
icmp permit any dept1
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (internet) 10 interface
nat (dept2) 10 192.168.2.0 255.255.255.0
nat (dept1) 10 192.168.1.0 255.255.255.0
nat (internal) 10 192.168.0.0 255.255.255.0
static (dept1,internet) tcp interface 3389 Server 3389 netmask 255.255.255.255
access-group internet_access_in in interface internet
route internet 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.0.0.0 management
http 192.168.1.0 255.255.255.0 dept1
http 192.168.0.0 255.255.255.0 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.100-192.168.2.199 dept2
dhcpd address 10.0.0.2-10.0.0.10 management
dhcpd dns 192.168.2.2
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain wcs.local
dhcpd auto_config internal
dhcpd enable dept2
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:bfcb0934f53cdd67ae20d0537c52a5ee
: end
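As an added example (not from any participant in this thread), a Python check that parses the interface blocks of the config posted above and reports which of the prerequisites named in the replies are missing: the same-security-traffic permit inter-interface line, a vlan tag on each subinterface, equal security levels on the subinterfaces, and whether the physical interface still carries an IP address alongside its subinterfaces (which one reply suggests removing). The config lines embedded in the block are trimmed from the thread's posted config.

```python
import re
# Interface lines from the config posted in this thread (ASA 7.0(7)), trimmed to
# what the check needs; the same-security-traffic line is from the same post.
ASA_CONFIG = """\
same-security-traffic permit inter-interface
interface Ethernet0/1
 nameif internal
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1.2
 vlan 2
 nameif dept1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1.3
 vlan 3
 nameif dept2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
"""

def parse_interfaces(config):
    """Map each 'interface X' block to {first keyword: rest of line}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ifaces.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            key, _, rest = line.strip().partition(" ")
            current[key] = rest
    return ifaces

def check_inter_vlan(config):
    """Return findings; an empty list means every prerequisite named above is present."""
    findings = []
    if "same-security-traffic permit inter-interface" not in [l.strip() for l in config.splitlines()]:
        findings.append("missing: same-security-traffic permit inter-interface")
    ifaces = parse_interfaces(config)
    subs = {n: c for n, c in ifaces.items() if "." in n}
    for name, cfg in subs.items():
        if "vlan" not in cfg:
            findings.append(f"{name}: no 'vlan <id>' (802.1Q tag) configured")
    for parent in sorted({n.split(".")[0] for n in subs}):
        if "ip" in ifaces.get(parent, {}):  # a reply above suggests moving this IP to its own subinterface
            findings.append(f"{parent}: carries an IP address alongside its subinterfaces")
    levels = {cfg.get("security-level", "?") for cfg in subs.values()}
    if len(levels) > 1:
        findings.append(f"subinterfaces have different security levels: {sorted(levels)}")
    return findings
```

Run against the posted config, the only finding is the IP address left on Ethernet0/1; the other three prerequisites are met.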
You should have full connectivity between all three VLANs.
What kind of switch do you have and is it configured correctly with vlans and a trunk port?
ASKER
The switch is a Catalyst 2960, and the VLANs and trunking are configured on that. I don't have access to the config right this moment, but it is a barebones config that assigns ports 2-20 to VLAN 2 and 21-48 to VLAN 3. Port 1 is set for trunking and configured with access to VLANs 1-3.
That all seems to be working properly, as I am running two separate DHCP servers and the computers on the vlans are getting correct IP addresses. In fact, the ASA is doing the DHCP on one of the vlans.
Internet access (which is being NATed through the ASA, as seen in the config above) is also working.
The only thing that isn't working is communication between the vlans right now.
Given that, it sounds like the VLANs are all working fine and trunking is working, or the Internet wouldn't be working.
I know you shouldn't have to, but try rebooting the ASA and see if there is any change.
ASKER
No dice; reset, and still the same.
I was under the impression that I may need to add some static routing... anything along those lines you can think of? Or anything else to try?
Routes inside are missing.
Add a return route in the ASA for all VLANs.
i.e.
ip route inside with specific VLAN
Only if you had a layer 3 switch inside would you need route statements. Your 2950 is L2 only so the ASA is the only L3 device and all VLANs should show up as connected, so no routing necessary.
ASKER
Nothing I have tried so far is working. Devangshroff can you give a specific example that I should use based on the config above? I'm willing to try anything at this point!
I would open a TAC case with Cisco, because the configuration is correct and traffic is supposed to be routed between the interfaces with no need for any nat between them.
Agreed with Irmoore.....
btw... Cisco is quite good at this... they will open up a Webex session, request to control your desktop, then make the changes right in front of you... they did that for me once and fixed my VPN issue within a few minutes... I'm impressed with their service!
ASKER CERTIFIED SOLUTION
ASKER
After opening a Cisco TAC case, they informed me that it was in fact not possible to route back the same interface with the ASA5510.