Inter-VLAN routing issue on ASA 5505

Posted on 2011-04-19
Last Modified: 2012-05-11
Hey guys,

I just upgraded our ASA to the security plus license so I can finally start segmenting our badly oversubscribed network.  

Here's my configuration.  Basically, when I plug my laptop into ethernet0/2 I can get to the internet just fine, but I cannot talk to the other VLANs (such as those at the same security level).  I already checked the basics like enabling 'same-security-traffic permit inter-interface'; however, I'm 99% sure it's something to do with NAT.   I tried toggling NAT control to no avail.  

Any help is appreciated.  Config is attached.  
ASA Version 7.2(4)
hostname XXXX
domain-name default.domain.invalid
enable password XXX encrypted
passwd XXX encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Vlan2
 nameif outside
 security-level 0
 ip address XXXXX
 ospf cost 10
interface Vlan3
 nameif office2
 security-level 100
 ip address
 ospf cost 10
interface Vlan4
 nameif Office
 security-level 100
 ip address
interface Vlan5
 nameif guestwifi
 security-level 1
 ip address
interface Vlan6
 nameif Voice
 security-level 3
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
 switchport access vlan 4
interface Ethernet0/4
 switchport access vlan 5
interface Ethernet0/5
 switchport access vlan 6
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any host XXXX eq www
access-list outside_access_in extended permit tcp any host XXXX eq https
access-list outside_access_in extended permit tcp any host XXXX eq ssh
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip any
access-list local_LAN_Access remark vpn clien local lan access
access-list local_LAN_Access standard permit
access-list tcp_traffic extended permit tcp any any
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
mtu office2 1500
mtu Office 1500
mtu Voice 1500
mtu guestwifi 1500
ip local pool PoolA mask
ip local pool poolb mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
nat (office2) 1
static (inside,outside) tcp interface https https netmask
static (inside,outside) tcp interface 8080 8080 netmask
static (inside,outside) tcp XXXX www www netmask
static (inside,outside) tcp XXXX https https netmask
static (inside,outside) tcp XXXX ssh ssh netmask
access-group outside_access_in in interface outside
route outside XXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http inside
authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
no vpn-addr-assign aaa
telnet inside
telnet timeout 5
ssh inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd dns
dhcpd lease 43200
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside
dhcpd address office2
dhcpd enable office2
dhcpd address Office
dhcpd enable Office
dhcpd address Voice
dhcpd enable Voice
dhcpd address guestwifi
dhcpd enable guestwifi


Question by:wrinklefree

    Expert Comment


    Your no-NAT rules specify to NAT anything from, and, is not assigned on this firewall. Also, your rules state not to NAT from any internal network to, and,

    What inside-to-inside traffic do you want to allow through?  Not all use the same internal security level, for example VLANs 5 and 6.

    harbor235 ;}


    Accepted Solution

    I only want the same security levels to provide inter-VLAN routing.  

    I figured out the problem, and it was NAT.  Even with NAT control disabled, on the ASA if you're using any kind of dynamic NAT, you'll need to set up either exemptions or static NAT rules for inter-VLAN communication.  Once I did that it's working fine.  
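    The fix the accepted solution describes, written out as an added example; this is not configuration from the original thread, and the subnets (192.168.1.0/24 on inside, 192.168.3.0/24 on office2, 192.168.4.0/24 on Office) are assumptions because the posted config has its addresses redacted. On pre-8.3 code, once a packet matches a `nat (ifc) 1` rule on its ingress interface the ASA must find a matching `global ... 1` on the egress interface; with `global (outside) 1 interface` as the only global, inside-to-office2 traffic is dropped with `%ASA-3-305005: No translation group found` whatever `nat-control` is set to. A NAT exemption (`nat 0 access-list`) is evaluated before dynamic NAT and matches both directions of a connection, so one exemption ACL per internal interface covers it:

```text
! Added example, not from the original post. Subnets are assumed:
! inside = 192.168.1.0/24, office2 = 192.168.3.0/24, Office = 192.168.4.0/24
object-group network INTERNAL_NETS
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
!
! Exempt traffic between internal networks from dynamic NAT.
! nat 0 is checked before nat 1, so internet-bound traffic still PATs on outside.
! inside_nat0_outbound already exists in the posted config; these ACEs extend it.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group INTERNAL_NETS
access-list office2_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 object-group INTERNAL_NETS
access-list Office_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 object-group INTERNAL_NETS
nat (inside) 0 access-list inside_nat0_outbound
nat (office2) 0 access-list office2_nat0_outbound
nat (Office) 0 access-list Office_nat0_outbound
!
! Equivalent alternative for a single interface pair: identity statics.
! static (inside,office2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! static (office2,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
!
! Verify: the NAT phase should report the nat 0 exemption and the final result ALLOW.
packet-tracer input office2 tcp 192.168.3.10 40000 192.168.4.10 445
show xlate
show nat
```

    Two caveats for anyone applying this. First, the exemption only removes the translation failure; what actually permits the traffic is `same-security-traffic permit inter-interface` with no ACL applied to the VLAN interfaces, so once NAT is fixed every security-level-100 VLAN reaches every other one without restriction. If the goal is segmentation rather than just connectivity, apply an inbound access-group on each VLAN interface as well. Second, guestwifi (level 1) and Voice (level 3) still cannot initiate connections to the level-100 interfaces without an ACL, but the level-100 interfaces can reach them, so a guest-wifi client that is reachable from the office VLANs is still on the path of anything that talks to it.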

    Expert Comment

    by:Ernie Beek
    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
