Solved

Can't Access other Vlans

Posted on 2007-11-13
Last Modified: 2010-04-09
Hi Guys,

I recently configured my ASA 5505 with 3 VLANs (Outside, Production and Test). Since I have the standard edition, my test VLAN is restricted from accessing my production VLAN (that's what I want), but it can access the outside VLAN. The problem I'm having is that my production VLAN is supposed to have access to the test VLAN, but at the moment I can't access anything in my test VLAN. I can't even ping the test VLAN's gateway. I can access the outside VLAN without any problems. Here is my configuration. Did I miss anything in the config that has to be done to give my production VLAN access to the test VLAN?

Thanks


: Saved
: Written by enable_15 at 00:16:53.289 UTC Tue Nov 13 2007
!
ASA Version 7.2(2)
!
hostname ASA
domain-name customer
enable password d0OYifZUxbI4.4lU encrypted
names
!
interface Vlan11
 nameif Outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan22
 nameif Production
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan44
 no forward interface Vlan22
 nameif TestLab
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
 switchport access vlan 22
!
interface Ethernet0/2
 switchport access vlan 22
!
interface Ethernet0/3
 switchport access vlan 22
!
interface Ethernet0/4
 switchport access vlan 22
!
interface Ethernet0/5
 switchport access vlan 22
!
interface Ethernet0/6
 switchport access vlan 44
!
interface Ethernet0/7
 switchport access vlan 44
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name customer
access-list outside_access_in extended permit tcp any interface Outside eq 60786
access-list outside_access_in extended permit udp any interface Outside eq 60786
access-list outside_access_in extended permit tcp any interface Outside eq 65051
access-list outside_access_in extended permit udp any interface Outside eq 65051
pager lines 24
mtu Outside 1500
mtu Production 1500
mtu TestLab 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Production) 1 0.0.0.0 0.0.0.0
nat (TestLab) 1 0.0.0.0 0.0.0.0
static (Production,Outside) tcp interface 60786 192.168.0.21 60786 netmask 255.255.255.255
static (Production,Outside) udp interface 60786 192.168.0.21 60786 netmask 255.255.255.255
static (Production,Outside) tcp interface 65051 192.168.0.21 65051 netmask 255.255.255.255
static (Production,Outside) udp interface 65051 192.168.0.21 65051 netmask 255.255.255.255
access-group outside_access_in in interface Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:3714724a89eb601daaa33af6162f72d3
: end

Question by:kccllc

9 Comments
Accepted Solution

by:
batry_boy earned 125 total points
ID: 20277262
Add the following two statements:

same-security-traffic permit inter-interface
global (TestLab) 1 interface

Author Comment

by:kccllc
ID: 20277301
Hey batry boy,

Thanks for the quick reply. I'll give it a shot once I get home.

Author Comment

by:kccllc
ID: 20277675
No luck after entering those statements.

I understand what the "same-security-traffic permit inter-interface" command does, but what does the other command do?

Thanks

Author Comment

by:kccllc
ID: 20277701
Sorry for not giving any info in my previous post. I still can't access any clients on the test VLAN from the production VLAN. Both the test and production VLANs have access to the internet. From the production VLAN I can't ping anything on the test VLAN, including the gateway.
Expert Comment

by:batry_boy
ID: 20279356
You won't be able to ping from production to test because of your "restricted DMZ" license on the firewall. The way ICMP works is that when you send an echo request (ping) to a host, it creates a connection from the host you're pinging from to the host you are pinging. When that host receives it, it goes to send an echo reply back to that host, but when it does that it starts a NEW connection back to it. To the firewall, that host is initiating a connection back to the inside host that pinged it. ICMP is not stateful traffic, and this is an example of that.

Try any other type of IP traffic (HTTP, etc.) and see if that works. You'll only be able to ping from production to test and get your echo replies back if you change the "no forward interface Vlan22" to "no forward interface Vlan11" so that you're blocking initiation of traffic from test to the outside... then your pings will work.

Author Comment

by:kccllc
ID: 20282756
Cool, I see. So if that's the case, I will not be able to RDC to a workstation on the test VLAN from a workstation on the production VLAN?
Expert Comment

by:batry_boy
ID: 20284084
No, actually you should be able to do that since that is TCP traffic, not ICMP.  Have you tried that yet?

Author Comment

by:kccllc
ID: 20284970
Not yet. I'll give that a shot once I get home later on today.

Author Comment

by:kccllc
ID: 20290456
Hey, I got it working. I had to tell the ASA not to NAT for the LAN (adding the nat (inside) 0 statement). Once that was added I was able to RDC to my test VLAN. Your statements also helped, since I needed those as well.

Thanks batry boy.
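As an added example that is not part of the thread, a small Python audit that reads a pasted ASA 7.x running-config and reports the two conditions the accepted solution and kccllc's final fix address: interfaces at the same security level without same-security-traffic permit inter-interface, and nat-control enabled with neither a global pool on the destination interface nor a nat 0 exemption on the source. The embedded config is a constructed excerpt of the one posted above; parse_interfaces and audit are names chosen here, and treating any nat (X) 0 rule as exempting all traffic from X is a deliberate simplification.

```python
import re
# Added audit (not from the thread) for the two ASA 7.2 conditions discussed above.
SAME_SEC = "same-security-traffic permit inter-interface"
# Constructed sample: only the lines of the posted 5505 config that matter here.
POSTED_CONFIG = """interface Vlan22
 nameif Production
 security-level 100
!
interface Vlan44
 no forward interface Vlan22
 nameif TestLab
 security-level 100
!
nat-control
global (Outside) 1 interface
nat (Production) 1 0.0.0.0 0.0.0.0
nat (TestLab) 1 0.0.0.0 0.0.0.0
"""
def parse_interfaces(cfg):
    # nameif -> {vlan, level, no_forward}; a non-indented, non-blank line ends a block
    ifaces, cur = {}, None
    for line in cfg.splitlines() + ["!"]:                 # sentinel flushes the last block
        m = re.match(r"^interface (Vlan\d+)", line)
        if m or (cur and line.strip() and not line.startswith(" ")):
            if cur and cur["nameif"]: ifaces[cur["nameif"]] = cur
            cur = {"vlan": m.group(1), "nameif": None, "level": None, "no_forward": []} if m else None
        elif cur and line.strip():
            f = line.split()
            if f[0] == "nameif": cur["nameif"] = f[1]
            elif f[0] == "security-level": cur["level"] = int(f[1])
            elif f[:3] == ["no", "forward", "interface"]: cur["no_forward"].append(f[3])
    return ifaces
def audit(cfg):
    ifaces = parse_interfaces(cfg)
    nat_rules = set(re.findall(r"^nat \((\S+)\) (\d+)", cfg, re.M))       # (nameif, id)
    pools = set(re.findall(r"^global \((\S+)\) (\d+)", cfg, re.M))        # (nameif, id)
    exempt = {n for n, i in nat_rules if i == "0"}   # simplification: any nat 0 exempts src
    nat_control = re.search(r"^nat-control$", cfg, re.M) is not None
    findings, names = [], list(ifaces)
    for k, a in enumerate(names):
        for b in names[k + 1:]:
            if ifaces[a]["level"] != ifaces[b]["level"]: continue   # ordinary high->low flow
            if SAME_SEC not in cfg:
                findings.append(f"{a}<->{b}: same security level but '{SAME_SEC}' missing")
            for src, dst in ((a, b), (b, a)):
                if ifaces[dst]["vlan"] in ifaces[src]["no_forward"]: continue  # licence block
                has_path = src in exempt or any((dst, i) in pools for n, i in nat_rules if n == src)
                if nat_control and not has_path:
                    findings.append(f"{src}->{dst}: nat-control but no global ({dst}) or nat ({src}) 0")
    return findings
```

Run against the excerpt it reports both problems; appending either batry_boy's two lines or a nat (Production) 0 exemption brings the findings to zero.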
