Inter-VLAN routing issue on ASA 5505

Asked by wrinklefree (Medium Priority), last modified 2012-05-11
Hey guys,

I just upgraded our ASA to the security plus license so I can finally start segmenting our badly oversubscribed network.  

Here's my configuration. Basically, when I plug my laptop into Ethernet0/2 I can get to the internet just fine, but I cannot talk to the other VLANs (such as those at the same security level). I already checked the basics like enabling 'same-security-traffic permit inter-interface'; however, I'm 99% sure it's something to do with NAT. I tried toggling NAT control to no avail.

Any help is appreciated. Config is attached.
ASA Version 7.2(4)
hostname XXXX
domain-name default.domain.invalid
enable password XXX encrypted
passwd XXX encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Vlan2
 nameif outside
 security-level 0
 ip address XXXXX
 ospf cost 10
interface Vlan3
 nameif office2
 security-level 100
 ip address
 ospf cost 10
interface Vlan4
 nameif Office
 security-level 100
 ip address
interface Vlan5
 nameif guestwifi
 security-level 1
 ip address
interface Vlan6
 nameif Voice
 security-level 3
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
 switchport access vlan 4
interface Ethernet0/4
 switchport access vlan 5
interface Ethernet0/5
 switchport access vlan 6
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any host XXXX eq www
access-list outside_access_in extended permit tcp any host XXXX eq https
access-list outside_access_in extended permit tcp any host XXXX eq ssh
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip any
access-list local_LAN_Access remark vpn clien local lan access
access-list local_LAN_Access standard permit
access-list tcp_traffic extended permit tcp any any
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
mtu office2 1500
mtu Office 1500
mtu Voice 1500
mtu guestwifi 1500
ip local pool PoolA mask
ip local pool poolb mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
nat (office2) 1
static (inside,outside) tcp interface https https netmask
static (inside,outside) tcp interface 8080 8080 netmask
static (inside,outside) tcp XXXX www www netmask
static (inside,outside) tcp XXXX https https netmask
static (inside,outside) tcp XXXX ssh ssh netmask
access-group outside_access_in in interface outside
route outside XXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http inside
authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
no vpn-addr-assign aaa
telnet inside
telnet timeout 5
ssh inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd dns
dhcpd lease 43200
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside
dhcpd address office2
dhcpd enable office2
dhcpd address Office
dhcpd enable Office
dhcpd address Voice
dhcpd enable Voice
dhcpd address guestwifi
dhcpd enable guestwifi





Your no nat rules specify to nat anything from, and, is not assigned on this firewall. Also,  your rules state not to nat from any internal network to, and,

What traffic inside to inside do you want to allow through? Not all use the same internal security level, for example vlan 5 and 6.

harbor235 ;}
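The checks harbor235 is doing by eye (no-nat ACL entries pointing at networks the firewall does not own, and interfaces at different security levels with no inbound ACL) can be scripted against a `show running-config` dump. The following Python audit is an added example written for this page, not code from the thread or from Cisco. It parses the pre-8.3 ASA syntax used in the posted config (interface blocks, extended access-lists, nat/global pairs, access-group, same-security-traffic) from a constructed sample whose addresses are made up, and reports: nat 0 ACL operands that match no interface subnet, dynamic nat ids with no matching global on another interface (a heuristic for the NAT suspicion raised in the question; it does not model nat-control or static translations), and lower-security interfaces with no inbound access-group. The function names and the sample data are mine.

```python
"""Static audit of a pre-8.3 Cisco ASA config for the inter-VLAN problems
discussed in this thread (hypothetical helper written for this page)."""
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of the posted config, with made-up addresses.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Vlan3
 nameif office2
 security-level 100
 ip address 10.1.3.1 255.255.255.0
interface Vlan5
 nameif guestwifi
 security-level 1
 ip address 10.1.5.1 255.255.255.0
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.1.3.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (office2) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
"""

def _operand(tok, i):
    """One ACL address operand (any | interface X | host A | A MASK) -> (network or None, next index)."""
    if tok[i] in ("any", "interface"):      # no concrete subnet; 'interface X' is two tokens
        return None, i + 1 + (tok[i] == "interface")
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_config(text):
    cfg = {"ifaces": {}, "acls": defaultdict(list), "nat": [], "globals": set(),
           "access_groups": set(), "same_sec": False}
    cur = None                                  # interface block currently open
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if line.startswith("interface "):
            cur = {"security": 0, "network": None}
            continue
        if line.startswith(" ") and cur is not None:   # interface sub-command
            if tok[0] == "nameif":
                cfg["ifaces"][tok[1]] = cur
            elif tok[0] == "security-level":
                cur["security"] = int(tok[1])
            elif tok[:2] == ["ip", "address"] and len(tok) >= 4:   # skip redacted lines
                cur["network"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            continue
        cur = None
        if line == "same-security-traffic permit inter-interface":
            cfg["same_sec"] = True
        elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            src, i = _operand(tok, 5)
            cfg["acls"][tok[1]].append((src, _operand(tok, i)[0]))
        elif tok[0] == "nat":                   # nat (IF) ID [access-list NAME | A MASK]
            acl = tok[4] if tok[3:4] == ["access-list"] else None
            cfg["nat"].append((tok[1].strip("()"), int(tok[2]), acl))
        elif tok[0] == "global":                # global (IF) ID ...
            cfg["globals"].add((tok[1].strip("()"), int(tok[2])))
        elif tok[0] == "access-group":          # access-group NAME in interface IF
            cfg["access_groups"].add(tok[4])
    return cfg

def unassigned_nat0_targets(cfg):
    """nat 0 ACL operands that match no subnet configured on any interface."""
    known = [i["network"] for i in cfg["ifaces"].values() if i["network"]]
    nat0 = [acl for _, nat_id, acl in cfg["nat"] if nat_id == 0 and acl]
    return [(acl, role, str(net)) for acl in nat0 for src, dst in cfg["acls"][acl]
            for role, net in (("source", src), ("destination", dst))
            if net is not None and not any(net.subnet_of(k) or k.subnet_of(net) for k in known)]

def missing_global_pools(cfg):
    """Dynamic nat ids with no global on another interface: traffic matched by that
    nat rule has no translation to use toward that interface (heuristic check)."""
    return [(src, egress, nat_id) for src, nat_id, _ in cfg["nat"] if nat_id
            for egress in cfg["ifaces"] if egress != src and (egress, nat_id) not in cfg["globals"]]

def blocked_low_to_high(cfg):
    """Lower-security interfaces with no inbound ACL: the ASA denies their traffic
    toward every higher-security interface unless an access-group permits it."""
    lv = {n: i["security"] for n, i in cfg["ifaces"].items()}
    return [(n, sorted(h for h in lv if lv[h] > s)) for n, s in lv.items()
            if n not in cfg["access_groups"] and any(lv[h] > s for h in lv)]
```

On the sample, `unassigned_nat0_targets` flags the 192.168.50.0/24 destination that no interface owns, `missing_global_pools` shows that `nat (office2) 1` has nothing to translate to on `inside` (and vice versa), and `blocked_low_to_high` lists guestwifi as isolated from the two level-100 VLANs for lack of an inbound ACL. Each finding is a prompt to review the rule, not proof of a drop; only a packet-tracer run on the box confirms the actual path.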

Ernie Beek (Senior infrastructure engineer, Top Expert 2012)

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.