Solved

Can't Access other Vlans

Posted on 2007-11-13
355 Views
Last Modified: 2010-04-09
Hi Guys,

I recently configured my ASA 5505 with 3 VLANs (outside, Production and test). Since I have the standard edition my test VLAN is restricted from accessing my production VLAN (that's what I want), but it could access the outside VLAN. The problem I'm having is that my production VLAN is supposed to have access to the test VLAN, but at the moment I can't access anything in my test VLAN. I can't even ping the test VLAN's gateway. I could access the outside VLAN without any problems. Here is my configuration. Did I miss anything in the config that has to be done to give my production VLAN access to the test VLAN?

Thanks


: Saved
: Written by enable_15 at 00:16:53.289 UTC Tue Nov 13 2007
!
ASA Version 7.2(2)
!
hostname ASA
domain-name customer
enable password d0OYifZUxbI4.4lU encrypted
names
!
interface Vlan11
 nameif Outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan22
 nameif Production
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan44
 no forward interface Vlan22
 nameif TestLab
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
 switchport access vlan 22
!
interface Ethernet0/2
 switchport access vlan 22
!
interface Ethernet0/3
 switchport access vlan 22
!
interface Ethernet0/4
 switchport access vlan 22
!
interface Ethernet0/5
 switchport access vlan 22
!
interface Ethernet0/6
 switchport access vlan 44
!
interface Ethernet0/7
 switchport access vlan 44
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name customer
access-list outside_access_in extended permit tcp any interface Outside eq 60786
access-list outside_access_in extended permit udp any interface Outside eq 60786
access-list outside_access_in extended permit tcp any interface Outside eq 65051
access-list outside_access_in extended permit udp any interface Outside eq 65051
pager lines 24
mtu Outside 1500
mtu Production 1500
mtu TestLab 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Production) 1 0.0.0.0 0.0.0.0
nat (TestLab) 1 0.0.0.0 0.0.0.0
static (Production,Outside) tcp interface 60786 192.168.0.21 60786 netmask 255.255.255.255
static (Production,Outside) udp interface 60786 192.168.0.21 60786 netmask 255.255.255.255
static (Production,Outside) tcp interface 65051 192.168.0.21 65051 netmask 255.255.255.255
static (Production,Outside) udp interface 65051 192.168.0.21 65051 netmask 255.255.255.255
access-group outside_access_in in interface Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:3714724a89eb601daaa33af6162f72d3
: end

Question by:kccllc
9 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 20277262
Add the following two statements:

same-security-traffic permit inter-interface
global (TestLab) 1 interface
Author Comment

by:kccllc
ID: 20277301
Hey batry boy,

Thanks for the quick reply. I'll give it a shot once I get home.
Author Comment

by:kccllc
ID: 20277675
No luck after entering those statements.

I understand what the "same-security-traffic permit inter-interface" does, but what does the other command do?

Thanks
Author Comment

by:kccllc
ID: 20277701
Sorry for not giving any info in my previous post. I still can't access any clients on the test VLAN from the production VLAN. Both test and production VLANs have access to the internet. From the production VLAN I can't ping anything on the test VLAN, including the gateway.
LVL 28

Expert Comment

by:batry_boy
ID: 20279356
You won't be able to ping from production to test because of your "restricted DMZ" license on the firewall. The way ICMP works is that when you send an echo request (ping) to a host, it creates a connection from the host you're pinging from to the host you are pinging. When that host receives it, it goes to send an echo reply back to that host, but when it does that it starts a NEW connection back to it. To the firewall, that host is initiating a connection back to the inside host that pinged it. ICMP is not stateful traffic and this is an example of that.

Try any other type of IP traffic (http, etc.) and see if that works. You'll only be able to ping from production to test and get your echo replies back if you change the "no forward interface Vlan22" to "no forward interface Vlan11" so that you're blocking initiation of traffic from test to the outside...then your pings will work.

Author Comment

by:kccllc
ID: 20282756
Cool. I see. So if that's the case I will not be able to RDC to a workstation on the test VLAN from a workstation on the production VLAN?
LVL 28

Expert Comment

by:batry_boy
ID: 20284084
No, actually you should be able to do that since that is TCP traffic, not ICMP.  Have you tried that yet?
Author Comment

by:kccllc
ID: 20284970
Not yet. I'll give that a shot once I get home later on today.
Author Comment

by:kccllc
ID: 20290456
Hey I got it working. I had to tell the ASA not to NAT for the LAN (adding the nat (inside) 0 statement). Once that was added I was able to RDC to my test VLAN. Your statements also helped since I needed those as well.

Thanks batry boy.