Solved

Can't Access other Vlans

Posted on 2007-11-13
Last Modified: 2010-04-09
Hi Guys,

I recently configured my ASA 5505 with 3 vlans (outside, Production and test). Since I have the standard edition my test vlan is restricted from accessing my production vlan (that's what I want) but it could access the outside vlan. The problem I'm having is that my production vlan is supposed to have access to the test vlan but at the moment I can't access anything in my test vlan. I can't even ping the test vlan's gateway. I could access the outside vlan without any problems. Here is my configuration. Did I miss anything in the config that has to be done to give my production vlan access to the test vlan?

Thanks


: Saved
: Written by enable_15 at 00:16:53.289 UTC Tue Nov 13 2007
!
ASA Version 7.2(2)
!
hostname ASA
domain-name customer
enable password d0OYifZUxbI4.4lU encrypted
names
!
interface Vlan11
 nameif Outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan22
 nameif Production
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan44
 no forward interface Vlan22
 nameif TestLab
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
 switchport access vlan 22
!
interface Ethernet0/2
 switchport access vlan 22
!
interface Ethernet0/3
 switchport access vlan 22
!
interface Ethernet0/4
 switchport access vlan 22
!
interface Ethernet0/5
 switchport access vlan 22
!
interface Ethernet0/6
 switchport access vlan 44
!
interface Ethernet0/7
 switchport access vlan 44
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name customer
access-list outside_access_in extended permit tcp any interface Outside eq 60786
access-list outside_access_in extended permit udp any interface Outside eq 60786
access-list outside_access_in extended permit tcp any interface Outside eq 65051
access-list outside_access_in extended permit udp any interface Outside eq 65051
pager lines 24
mtu Outside 1500
mtu Production 1500
mtu TestLab 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Production) 1 0.0.0.0 0.0.0.0
nat (TestLab) 1 0.0.0.0 0.0.0.0
static (Production,Outside) tcp interface 60786 192.168.0.21 60786 netmask 255.255.255.255
static (Production,Outside) udp interface 60786 192.168.0.21 60786 netmask 255.255.255.255
static (Production,Outside) tcp interface 65051 192.168.0.21 65051 netmask 255.255.255.255
static (Production,Outside) udp interface 65051 192.168.0.21 65051 netmask 255.255.255.255
access-group outside_access_in in interface Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:3714724a89eb601daaa33af6162f72d3
: end

Question by:kccllc
9 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 125 total points
ID: 20277262
Add the following two statements:

same-security-traffic permit inter-interface
global (TestLab) 1 interface

Author Comment

by:kccllc
ID: 20277301
Hey batry boy,

Thanks for the quick reply. I'll give it a shot once I get home.

Author Comment

by:kccllc
ID: 20277675
No luck after entering those statements.

I understand what the "same-security-traffic permit inter-interface" does, but what does the other command do?

Thanks

Author Comment

by:kccllc
ID: 20277701
Sorry for not giving any info in my previous post. I still can't access any clients on the test vlan from the production vlan. Both test and production vlans have access to the internet. From the production vlan I can't ping anything on the test vlan, including the gateway.

LVL 28

Expert Comment

by:batry_boy
ID: 20279356
You won't be able to ping from production to test because of your "restricted dmz" license on the firewall.  The way ICMP works is that when you send an echo request (ping) to a host, it creates a connection from the host you're pinging from to the host you are pinging.  When that host receives it, it goes to send an echo reply back to that host, but when it does that it starts a NEW connection back to it.  To the firewall, that host is initiating a connection back to the inside host that pinged it.  ICMP is not stateful traffic and this is an example of that.

Try any other type of IP traffic (http, etc.) and see if that works.  You'll only be able to ping from production to test and get your echo replies back if you change the "no forward interface Vlan22" to "no forward interface Vlan11" so that you're blocking initiation of traffic from test to the outside...then your pings will work.


Author Comment

by:kccllc
ID: 20282756
Cool. I see. So if that's the case I will not be able to RDC to a workstation on the test vlan from a workstation on the production vlan?

LVL 28

Expert Comment

by:batry_boy
ID: 20284084
No, actually you should be able to do that since that is TCP traffic, not ICMP.  Have you tried that yet?

Author Comment

by:kccllc
ID: 20284970
Not yet. I'll give that a shot once I get home later on today.

Author Comment

by:kccllc
ID: 20290456
Hey I got it working. I had to tell the ASA not to NAT for the LAN (Adding the nat (inside) 0 statement). Once that was added I was able to RDC to my test vlan. Your statements also helped since I needed those as well.

Thanks batry boy.
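As an added example (not part of this thread or of any Cisco tooling), the Python audit below reads an ASA 7.x config in the format pasted in the question and flags the conditions the thread turns on: the 'no forward interface' restriction of the restricted-DMZ license, two interfaces at the same security level without 'same-security-traffic permit inter-interface', and 'nat-control' with a dynamic NAT rule but no 'nat (<if>) 0' exemption, which is the statement kccllc finally needed. The 'inspect icmp' check is an addition of mine: without it the ASA treats echo replies as new connections, which is the behaviour batry_boy describes. SAMPLE_CONFIG is a constructed excerpt of the posted config.

```python
import re
# Constructed excerpt of the config posted in the question, trimmed to the lines the audit reads.
SAMPLE_CONFIG = """\
interface Vlan22
 nameif Production
 security-level 100
!
interface Vlan44
 no forward interface Vlan22
 nameif TestLab
 security-level 100
!
nat-control
nat (Production) 1 0.0.0.0 0.0.0.0
nat (TestLab) 1 0.0.0.0 0.0.0.0
"""

def parse_interfaces(config):  # nameif -> (security-level, 'no forward' target or None)
    ifaces, name, level, nofwd = {}, None, None, None
    for line in config.splitlines():
        if line.strip() == "!":  # end of a block: record it if it carried a nameif
            if name and level is not None:
                ifaces[name] = (level, nofwd)
            name, level, nofwd = None, None, None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level "):
            level = int(line.split()[1])
        elif line.startswith(" no forward interface "):
            nofwd = line.split()[-1]
    return ifaces

def audit(config):  # returns (code, detail) findings for the inter-VLAN blockers in the thread
    findings, lines = [], config.splitlines()
    ifaces = parse_interfaces(config)
    for name, (_, nofwd) in ifaces.items():
        if nofwd:  # restricted-DMZ license: this interface may not start flows toward nofwd
            findings.append(("NO_FORWARD", f"{name} cannot initiate traffic to {nofwd}"))
    levels = [lvl for lvl, _ in ifaces.values()]
    if len(levels) != len(set(levels)) and "same-security-traffic permit inter-interface" not in lines:
        findings.append(("SAME_SECURITY", "add 'same-security-traffic permit inter-interface'"))
    if "nat-control" in lines:  # every flow needs a NAT rule; same-level peers need an exemption
        for iface, nat_id in re.findall(r"^nat \((\w+)\) (\d+) ", config, re.M):
            if nat_id != "0" and not re.search(rf"^nat \({iface}\) 0 ", config, re.M):
                findings.append(("NAT_EXEMPT", f"no 'nat ({iface}) 0' exemption for inter-VLAN flows"))
    if not any(l.strip() == "inspect icmp" for l in lines):
        findings.append(("ICMP_INSPECT", "without 'inspect icmp' echo replies count as new connections"))
    return findings

if __name__ == "__main__": print(*audit(SAMPLE_CONFIG), sep="\n")
```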
