Inter-VLAN routing issue on ASA 5505

Hey guys,

I just upgraded our ASA to the security plus license so I can finally start segmenting our badly oversubscribed network.  

Here's my configuration. Basically, when I plug my laptop into ethernet0/2 I can get to the internet just fine, but I cannot talk to the other VLANs (such as 192.168.1.1) at the same security level. I already checked the basics like enabling 'same-security-traffic permit inter-interface'; however, I'm 99% sure it's something to do with NAT. I tried toggling NAT control to no avail.

Any help is appreciated. Config is attached.

ASA Version 7.2(4)
!
hostname XXXX
domain-name default.domain.invalid
enable password XXX encrypted
passwd XXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXXXX 255.255.255.240
 ospf cost 10
!
interface Vlan3
 nameif office2
 security-level 100
 ip address 192.168.3.1 255.255.255.0
 ospf cost 10
!
interface Vlan4
 nameif Office
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan5
 nameif guestwifi
 security-level 1
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan6
 nameif Voice
 security-level 3
 ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 4
!
interface Ethernet0/4
 switchport access vlan 5
!
interface Ethernet0/5
 switchport access vlan 6
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any host XXXX eq www
access-list outside_access_in extended permit tcp any host XXXX eq https
access-list outside_access_in extended permit tcp any host XXXX eq ssh
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list local_LAN_Access remark vpn clien local lan access
access-list local_LAN_Access standard permit 192.168.1.0 255.255.255.0
access-list tcp_traffic extended permit tcp any any
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
mtu office2 1500
mtu Office 1500
mtu Voice 1500
mtu guestwifi 1500
ip local pool PoolA 192.168.2.100-192.168.2.192 mask 255.255.255.0
ip local pool poolb 192.168.1.180-192.168.1.199 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (office2) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.202 https netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.202 8080 netmask 255.255.255.255
static (inside,outside) tcp XXXX www 192.168.1.205 www netmask 255.255.255.255
static (inside,outside) tcp XXXX https 192.168.1.205 https netmask 255.255.255.255
static (inside,outside) tcp XXXX ssh 192.168.1.205 ssh netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
no vpn-addr-assign aaa
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd dns 4.2.2.1 4.2.2.5
dhcpd lease 43200
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.190 inside
dhcpd enable inside
!
dhcpd address 192.168.3.3-192.168.3.199 office2
dhcpd enable office2
!
dhcpd address 192.168.4.3-192.168.4.199 Office
dhcpd enable Office
!
dhcpd address 192.168.6.3-192.168.6.199 Voice
dhcpd enable Voice
!
dhcpd address 192.168.5.2-192.168.5.199 guestwifi
dhcpd enable guestwifi
!

harbor235 commented:

Your no-NAT rules specify to NAT anything from 192.168.1.0 and 192.168.2.0; 192.168.2.0 is not assigned on this firewall. Also, your rules state not to NAT from any internal network to 192.168.1.0 and 192.168.2.0.

What inside-to-inside traffic do you want to allow through? Not all use the same internal security level, for example VLAN 5 and 6.

harbor235 ;}

wrinklefree (Author) commented:

I only want the same security levels to provide inter-VLAN routing.

I figured out the problem, and it was NAT. Even with NAT control disabled, on the ASA, if you're using any kind of dynamic NAT you'll need to set up either exemptions or static NAT rules for inter-VLAN communication. Once I did that it's working fine.
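The fix wrinklefree describes, written out as an added example for this 7.2(4) configuration (it is not part of the original thread or the posted config): a NAT exemption per same-security interface so traffic between inside, office2 and Office is never caught by the catch-all dynamic PAT rule, with the identity-static alternative shown commented out. The object-group name INTERNAL_LANS and the ACL names office2_nat0_outbound and Office_nat0_outbound are assumed.

```cisco
! Added example, not from the original config. INTERNAL_LANS,
! office2_nat0_outbound and Office_nat0_outbound are assumed names.
!
! The three level-100 subnets that should route to each other.
object-group network INTERNAL_LANS
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
!
! Option A: NAT exemption. "nat (ifc) 0 access-list" is evaluated before
! "nat (ifc) 1 0.0.0.0 0.0.0.0", so these flows are never matched by the
! catch-all rule, whose only global is on outside. Exemption is bidirectional.
!
! inside already has inside_nat0_outbound (it also exempts the VPN pool
! 192.168.2.0/24); add the local destinations with an explicit source
! instead of "any".
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group INTERNAL_LANS
!
access-list office2_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 object-group INTERNAL_LANS
nat (office2) 0 access-list office2_nat0_outbound
!
access-list Office_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 object-group INTERNAL_LANS
nat (Office) 0 access-list Office_nat0_outbound
!
! Option B: identity static NAT, one pair per interface couple. Shown for
! inside <-> office2 only; repeat for the other pairs if preferred over nat 0.
! static (inside,office2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! static (office2,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
!
! guestwifi (level 1) and Voice (level 3) are deliberately not covered:
! same-security-traffic permit inter-interface does not apply to them, so
! they stay isolated from the office LANs unless an access-list (and an
! exemption of their own) explicitly permits a flow.
```

After applying it, `packet-tracer input office2 tcp 192.168.3.10 1025 192.168.1.1 80` shows which NAT phase the flow hits, and `show xlate` should list no translation for the exempted subnets.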
Ernie Beek (Expert) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.