
Inter-VLAN routing issue on ASA 5505

wrinklefree asked
Medium Priority
940 Views
Last Modified: 2012-05-11
Hey guys,

I just upgraded our ASA to the Security Plus license so I can finally start segmenting our badly oversubscribed network.

Here's my configuration. Basically, when I plug my laptop into ethernet0/2 I can get to the internet just fine, but I cannot talk to the other VLANs (such as 192.168.1.1) in the same security level. I already checked the basics like enabling 'same-security-traffic permit inter-interface'; however, I'm 99% sure it's something to do with NAT. I tried toggling NAT control to no avail.

Any help is appreciated. Config is attached.
ASA Version 7.2(4)
!
hostname XXXX
domain-name default.domain.invalid
enable password XXX encrypted
passwd XXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXXXX 255.255.255.240
 ospf cost 10
!
interface Vlan3
 nameif office2
 security-level 100
 ip address 192.168.3.1 255.255.255.0
 ospf cost 10
!
interface Vlan4
 nameif Office
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan5
 nameif guestwifi
 security-level 1
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan6
 nameif Voice
 security-level 3
 ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 4
!
interface Ethernet0/4
 switchport access vlan 5
!
interface Ethernet0/5
 switchport access vlan 6
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any host XXXX eq www
access-list outside_access_in extended permit tcp any host XXXX eq https
access-list outside_access_in extended permit tcp any host XXXX eq ssh
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list local_LAN_Access remark vpn clien local lan access
access-list local_LAN_Access standard permit 192.168.1.0 255.255.255.0
access-list tcp_traffic extended permit tcp any any
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
mtu office2 1500
mtu Office 1500
mtu Voice 1500
mtu guestwifi 1500
ip local pool PoolA 192.168.2.100-192.168.2.192 mask 255.255.255.0
ip local pool poolb 192.168.1.180-192.168.1.199 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (office2) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.202 https netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.202 8080 netmask 255.255.255.255
static (inside,outside) tcp XXXX www 192.168.1.205 www netmask 255.255.255.255
static (inside,outside) tcp XXXX https 192.168.1.205 https netmask 255.255.255.255
static (inside,outside) tcp XXXX ssh 192.168.1.205 ssh netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
no vpn-addr-assign aaa
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd dns 4.2.2.1 4.2.2.5
dhcpd lease 43200
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.190 inside
dhcpd enable inside
!
dhcpd address 192.168.3.3-192.168.3.199 office2
dhcpd enable office2
!
dhcpd address 192.168.4.3-192.168.4.199 Office
dhcpd enable Office
!
dhcpd address 192.168.6.3-192.168.6.199 Voice
dhcpd enable Voice
!
dhcpd address 192.168.5.2-192.168.5.199 guestwifi
dhcpd enable guestwifi
!

CERTIFIED EXPERT

Commented:


Your no-NAT rules specify to NAT anything from 192.168.1.0 and 192.168.2.0; 192.168.2.0 is not assigned on this firewall. Also, your rules state not to NAT from any internal network to 192.168.1.0 and 192.168.2.0.

What inside-to-inside traffic do you want to allow through? Not all use the same internal security level, for example VLAN 5 and 6.

harbor235 ;}
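As an added check (my own script, not code from the thread), the following parses the NAT-relevant lines of the posted config and classifies, for every ordered interface pair, whether a flow would be NAT-exempt, dynamically translated through a global, dropped because a nat statement matches but the egress interface has no global, or untouched by any nat statement. The excerpt is constructed from the config above with the 'interface VlanN' headers omitted and a placeholder outside address; run as written it reports office2->outside as "dynamic" but office2->inside and inside->office2 as "no-global".

```python
import ipaddress

# Constructed excerpt of the posted config (interface headers omitted, outside address is a placeholder).
ASA_CONFIG = """\
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 nameif outside
 ip address 203.0.113.2 255.255.255.240
 nameif office2
 ip address 192.168.3.1 255.255.255.0
 nameif Office
 ip address 192.168.4.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (office2) 1 0.0.0.0 0.0.0.0
"""

def parse(cfg):  # -> per-interface subnet, dynamic nat ids, nat-0 ACL name, globals, ACL destinations
    subnet, nat_ids, exempt, globs, acl_dst, name = {}, {}, {}, {}, {}, None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "nameif":
            name = t[1]
        elif t[:2] == ["ip", "address"]:
            subnet[name] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:  # assumes an 'any' source
            acl_dst.setdefault(t[1], []).append(ipaddress.ip_network(f"{t[6]}/{t[7]}", strict=False))
        elif t[0] == "global":                      # global (egress) ID ...
            globs.setdefault(t[1].strip("()"), set()).add(t[2])
        elif t[0] == "nat" and t[2] == "0":         # nat (ingress) 0 access-list NAME
            exempt[t[1].strip("()")] = t[4]
        elif t[0] == "nat":                         # nat (ingress) ID ...
            nat_ids.setdefault(t[1].strip("()"), set()).add(t[2])
    return subnet, nat_ids, exempt, globs, acl_dst

def coverage(src, dst, parsed):  # how a pre-8.3 ASA translates a flow entering src and leaving dst
    subnet, nat_ids, exempt, globs, acl_dst = parsed
    if src in exempt and any(subnet[dst].subnet_of(n) for n in acl_dst[exempt[src]]):
        return "exempt"        # nat 0 ACL covers the destination subnet: no translation needed
    ids = nat_ids.get(src, set())
    if not ids:
        return "no-nat"        # nothing matches: forwarded only when nat-control is off
    # nat id with a global on egress is PAT'd; without one the flow is dropped
    # ('no translation group found'), and disabling nat-control does not change that
    return "dynamic" if ids & globs.get(dst, set()) else "no-global"

def report(cfg):
    parsed = parse(cfg)
    return {f"{s}->{d}": coverage(s, d, parsed) for s in parsed[0] for d in parsed[0] if s != d}
```

Appending a nat-0 ACL entry whose destination is the other VLAN's subnet changes that pair's result to "exempt", which is the check to run before and after editing inside_nat0_outbound.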
Ernie Beek, Senior infrastructure engineer, CERTIFIED EXPERT, Top Expert 2012

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.