Can't Access other Vlans

Hi Guys,

I recently configured my ASA 5505 with 3 vlans (Outside, Production and Test). Since I have the standard edition, my test vlan is restricted from accessing my production vlan (that's what I want), but it could access the outside vlan. The problem I'm having is that my production vlan is supposed to have access to the test vlan, but at the moment I can't access anything in my test vlan. I can't even ping the test vlan's gateway. I could access the outside vlan without any problems. Here is my configuration. Did I miss anything in the config that has to be done to give my production vlan access to the test vlan?

Thanks


: Saved
: Written by enable_15 at 00:16:53.289 UTC Tue Nov 13 2007
!
ASA Version 7.2(2)
!
hostname ASA
domain-name customer
enable password d0OYifZUxbI4.4lU encrypted
names
!
interface Vlan11
 nameif Outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan22
 nameif Production
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan44
 no forward interface Vlan22
 nameif TestLab
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
 switchport access vlan 22
!
interface Ethernet0/2
 switchport access vlan 22
!
interface Ethernet0/3
 switchport access vlan 22
!
interface Ethernet0/4
 switchport access vlan 22
!
interface Ethernet0/5
 switchport access vlan 22
!
interface Ethernet0/6
 switchport access vlan 44
!
interface Ethernet0/7
 switchport access vlan 44
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name customer
access-list outside_access_in extended permit tcp any interface Outside eq 60786
access-list outside_access_in extended permit udp any interface Outside eq 60786
access-list outside_access_in extended permit tcp any interface Outside eq 65051
access-list outside_access_in extended permit udp any interface Outside eq 65051
pager lines 24
mtu Outside 1500
mtu Production 1500
mtu TestLab 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Production) 1 0.0.0.0 0.0.0.0
nat (TestLab) 1 0.0.0.0 0.0.0.0
static (Production,Outside) tcp interface 60786 192.168.0.21 60786 netmask 255.255.255.255
static (Production,Outside) udp interface 60786 192.168.0.21 60786 netmask 255.255.255.255
static (Production,Outside) tcp interface 65051 192.168.0.21 65051 netmask 255.255.255.255
static (Production,Outside) udp interface 65051 192.168.0.21 65051 netmask 255.255.255.255
access-group outside_access_in in interface Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:3714724a89eb601daaa33af6162f72d3
: end

kccllc Asked:
batry_boy Commented:
Add the following two statements:

same-security-traffic permit inter-interface
global (TestLab) 1 interface

kccllc (Author) Commented:
Hey batry boy,

Thanks for the quick reply. I'll give it a shot once I get home.

kccllc (Author) Commented:
No luck after entering those statements.

I understand what the "same-security-traffic permit inter-interface" does, but what does the other command do?

Thanks

kccllc (Author) Commented:
Sorry for not giving any info in my previous post. I still can't access any clients on the test vlan from the production vlan. Both test and production vlans have access to the internet. From the production vlan I can't ping anything on the test vlan, including the gateway.

batry_boy Commented:
You won't be able to ping from production to test because of your "restricted dmz" license on the firewall. The way ICMP works is that when you send an echo request (ping) to a host, it creates a connection from the host you're pinging from to the host you are pinging. When that host receives it, it goes to send an echo reply back to that host, but when it does that it starts a NEW connection back to it. To the firewall, that host is initiating a connection back to the inside host that pinged it. ICMP is not stateful traffic and this is an example of that.

Try any other type of IP traffic (http, etc.) and see if that works. You'll only be able to ping from production to test and get your echo replies back if you change the "no forward interface Vlan22" to "no forward interface Vlan11" so that you're blocking initiation of traffic from test to the outside...then your pings will work.

kccllc (Author) Commented:
Cool. I see. So if that's the case I will not be able to RDC to a workstation on the test vlan from a workstation on the production vlan?

batry_boy Commented:
No, actually you should be able to do that since that is TCP traffic, not ICMP. Have you tried that yet?

kccllc (Author) Commented:
Not yet. I'll give that a shot once I get home later on today.

kccllc (Author) Commented:
Hey, I got it working. I had to tell the ASA not to NAT for the LAN (adding the nat (inside) 0 statement). Once that was added I was able to RDC to my test vlan. Your statements also helped since I needed those as well.

Thanks batry boy.

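The resolution the thread arrives at, written out as an ASA 7.2 config fragment for this box. This is an added illustration, not the poster's actual final configuration; the access-list name NONAT and the use of the nat 0 access-list form on the Production interface are assumptions, since the last post only says "nat (inside) 0".

```text
! Production and TestLab both sit at security-level 100, so traffic
! between them is dropped until same-security forwarding is enabled.
same-security-traffic permit inter-interface
!
! With nat-control on, a flow from Production to TestLab needs either a
! matching nat/global pair for that interface pair or a NAT exemption.
! Exempting the two LANs from each other avoids PATting production hosts
! behind the TestLab interface address and keeps real source IPs in the logs.
! (Access-list name NONAT is assumed; the post only mentions "nat 0".)
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (Production) 0 access-list NONAT
!
! Existing rules stay as they were: dynamic PAT to the Outside interface
! for both LANs, and the static port forwards into 192.168.0.21.
global (Outside) 1 interface
nat (Production) 1 0.0.0.0 0.0.0.0
nat (TestLab) 1 0.0.0.0 0.0.0.0
!
! The TestLab side is left unchanged. Under the restricted license the
! "no forward interface Vlan22" line is what stops TestLab from initiating
! connections into Production, which is the isolation the poster wants.
! A TCP session such as RDP started from Production still works because
! only the return half of an established connection crosses back.
interface Vlan44
 no forward interface Vlan22
 nameif TestLab
 security-level 100
 ip address 192.168.10.1 255.255.255.0
```

Echo replies from TestLab are still dropped with this configuration, for the reason batry_boy gives above; if ping is needed as a diagnostic, ASA 7.x can track ICMP echo/reply pairs statefully with `inspect icmp` in the global service policy, which avoids moving the `no forward interface` restriction onto the Outside VLAN.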