Solved
Can't Access other Vlans
Posted on 2007-11-13
341 Views
Last Modified: 2010-04-09
Hi Guys,

I recently configured my ASA 5505 with 3 VLANs (outside, Production and test). Since I have the standard edition, my test VLAN is restricted from accessing my production VLAN (that's what I want), but it can access the outside VLAN. The problem I'm having is that my production VLAN is supposed to have access to the test VLAN, but at the moment I can't access anything in my test VLAN. I can't even ping the test VLAN's gateway. I can access the outside VLAN without any problems. Here is my configuration. Did I miss anything in the config that has to be done to give my production VLAN access to the test VLAN?

Thanks


: Saved
: Written by enable_15 at 00:16:53.289 UTC Tue Nov 13 2007
!
ASA Version 7.2(2)
!
hostname ASA
domain-name customer
enable password d0OYifZUxbI4.4lU encrypted
names
!
interface Vlan11
 nameif Outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan22
 nameif Production
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan44
 no forward interface Vlan22
 nameif TestLab
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
 switchport access vlan 22
!
interface Ethernet0/2
 switchport access vlan 22
!
interface Ethernet0/3
 switchport access vlan 22
!
interface Ethernet0/4
 switchport access vlan 22
!
interface Ethernet0/5
 switchport access vlan 22
!
interface Ethernet0/6
 switchport access vlan 44
!
interface Ethernet0/7
 switchport access vlan 44
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name customer
access-list outside_access_in extended permit tcp any interface Outside eq 60786
access-list outside_access_in extended permit udp any interface Outside eq 60786
access-list outside_access_in extended permit tcp any interface Outside eq 65051
access-list outside_access_in extended permit udp any interface Outside eq 65051
pager lines 24
mtu Outside 1500
mtu Production 1500
mtu TestLab 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Production) 1 0.0.0.0 0.0.0.0
nat (TestLab) 1 0.0.0.0 0.0.0.0
static (Production,Outside) tcp interface 60786 192.168.0.21 60786 netmask 255.255.255.255
static (Production,Outside) udp interface 60786 192.168.0.21 60786 netmask 255.255.255.255
static (Production,Outside) tcp interface 65051 192.168.0.21 65051 netmask 255.255.255.255
static (Production,Outside) udp interface 65051 192.168.0.21 65051 netmask 255.255.255.255
access-group outside_access_in in interface Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:3714724a89eb601daaa33af6162f72d3
: end

Question by: kccllc

9 Comments

Accepted Solution by: batry_boy (LVL 28, earned 125 total points)
ID: 20277262
Add the following two statements:

same-security-traffic permit inter-interface
global (TestLab) 1 interface

Author Comment by: kccllc
ID: 20277301
Hey batry boy,

Thanks for the quick reply. I'll give it a shot once I get home.

Author Comment by: kccllc
ID: 20277675
No luck after entering those statements.

I understand what the "same-security-traffic permit inter-interface" does, but what does the other command do?

Thanks

Author Comment by: kccllc
ID: 20277701
Sorry for not giving any info on my previous post. I still can't access any clients on the test VLAN from the production VLAN. Both test and production VLANs have access to the internet. From the production VLAN I can't ping anything on the test VLAN, including the gateway.

Expert Comment by: batry_boy (LVL 28)
ID: 20279356
You won't be able to ping from production to test because of your "restricted dmz" license on the firewall. The way ICMP works is that when you send an echo request (ping) to a host, it creates a connection from the host you're pinging from to the host you are pinging. When that host receives it, it goes to send an echo reply back to that host, but when it does that it starts a NEW connection back to it. To the firewall, that host is initiating a connection back to the inside host that pinged it. ICMP is not stateful traffic and this is an example of that.

Try any other type of IP traffic (http, etc.) and see if that works. You'll only be able to ping from production to test and get your echo replies back if you change the "no forward interface Vlan22" to "no forward interface Vlan11" so that you're blocking initiation of traffic from test to the outside... then your pings will work.


Author Comment by: kccllc
ID: 20282756
Cool. I see. So if that's the case, I will not be able to RDC to a workstation on the test VLAN from a workstation on the production VLAN?

Expert Comment by: batry_boy (LVL 28)
ID: 20284084
No, actually you should be able to do that since that is TCP traffic, not ICMP.  Have you tried that yet?

Author Comment by: kccllc
ID: 20284970
Not yet. I'll give that a shot once I get home later on today.

Author Comment by: kccllc
ID: 20290456
Hey I got it working. I had to tell the ASA not to NAT for the LAN (Adding the nat (inside) 0 statement). Once that was added I was able to RDC to my test vlan. Your statements also helped since I needed those as well.

Thanks batry boy.
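Two facts from this thread decide whether Production can reach TestLab on an ASA 7.x: interfaces at the same security level (both at 100 here) exchange no traffic until `same-security-traffic permit inter-interface` is configured, and with `nat-control` on, a packet leaving an interface that has a `nat (X) <id>` rule is dropped unless the egress interface has a matching `global (Y) <id>` or the flow is exempted with a `nat (X) 0 ...` rule. That second rule is what the accepted answer's `global (TestLab) 1 interface` addresses, and what the asker's final `nat 0` statement exempts. The script below is an added example, not code from the question or either participant: it audits a constructed excerpt of the posted configuration for both conditions, then re-runs the audit with an assumed remedy (the two accepted-answer lines plus a NAT exemption ACL named `nonat`, my reconstruction of the asker's fix) and confirms the findings disappear. The exemption scope is approximated, since the exemption ACL itself is not parsed.

```python
import re

# Constructed excerpt of the ASA 7.2 configuration posted in the question,
# trimmed to the lines that govern traffic between the three VLANs.
ORIGINAL_CONFIG = """\
interface Vlan11
 nameif Outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan22
 nameif Production
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan44
 no forward interface Vlan22
 nameif TestLab
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
nat-control
global (Outside) 1 interface
nat (Production) 1 0.0.0.0 0.0.0.0
nat (TestLab) 1 0.0.0.0 0.0.0.0
"""

# Assumed remedy (my reading of the thread, not a config anyone posted verbatim):
# the two lines from the accepted answer plus a NAT exemption for
# Production -> TestLab, which is what the asker's final "nat 0" fix amounts to.
FIX_LINES = """\
same-security-traffic permit inter-interface
global (TestLab) 1 interface
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (Production) 0 access-list nonat
"""


def parse_interfaces(config):
    """Map nameif -> {'vlan', 'level', 'no_forward'} from the interface blocks."""
    interfaces, block = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            block = {"vlan": m.group(1), "level": None, "no_forward": []}
            continue
        if block is None:
            continue
        if line == "!":  # end of block; keep it only if it carried a nameif
            if "name" in block:
                name = block.pop("name")
                interfaces[name] = block
            block = None
        elif line.startswith("nameif "):
            block["name"] = line.split()[1]
        elif line.startswith("security-level "):
            block["level"] = int(line.split()[1])
        elif line.startswith("no forward interface "):
            block["no_forward"].append(line.split()[3])
    return interfaces


def audit(config):
    """Return findings for the two inter-VLAN problems this thread ran into."""
    findings = []
    lines = [raw.strip() for raw in config.splitlines()]
    ifaces = parse_interfaces(config)

    # 1. Interfaces at the same security level cannot exchange traffic unless
    #    same-security-traffic permit inter-interface is configured.
    by_level = {}
    for name, info in ifaces.items():
        by_level.setdefault(info["level"], []).append(name)
    clashes = [sorted(n) for n in by_level.values() if len(n) > 1]
    if clashes and "same-security-traffic permit inter-interface" not in lines:
        findings.append("same-security interfaces %s need "
                        "'same-security-traffic permit inter-interface'" % clashes)

    # 2. With nat-control on, traffic from an interface with a 'nat (X) <id>' rule is
    #    dropped on egress to any interface lacking 'global (Y) <id>', unless a
    #    'nat (X) 0 ...' exemption covers it (exemption ACL not parsed; approximated).
    if "nat-control" in lines:
        nat_ids, exempt, globals_by_id = {}, set(), {}
        for line in lines:
            m = re.match(r"^nat \((\S+)\) (\d+)\b", line)
            if m and m.group(2) == "0":
                exempt.add(m.group(1))
            elif m:
                nat_ids.setdefault(m.group(1), set()).add(m.group(2))
            m = re.match(r"^global \((\S+)\) (\d+)\b", line)
            if m:
                globals_by_id.setdefault(m.group(2), set()).add(m.group(1))
        for src, ids in nat_ids.items():
            if src in exempt:
                continue
            blocked = ifaces.get(src, {}).get("no_forward", [])
            for dst, info in ifaces.items():
                # Skip the source itself and pairs the restricted license already blocks.
                if dst == src or info["vlan"] in blocked:
                    continue
                if not any(dst in globals_by_id.get(i, set()) for i in ids):
                    findings.append(
                        "%s -> %s: nat-control drops this traffic; add 'global (%s) %s "
                        "interface' or a 'nat (%s) 0 access-list ...' exemption"
                        % (src, dst, dst, sorted(ids)[0], src))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", ORIGINAL_CONFIG + FIX_LINES)):
        print(label, "->", audit(cfg) or ["clean"])
```

On the original excerpt the audit reports the missing same-security statement and the Production -> TestLab pair with no global or exemption; TestLab -> Production is deliberately not reported because the `no forward interface Vlan22` line already blocks it. With the assumed remedy appended, the audit returns no findings.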