Inter-VLAN routing issue on ASA 5505

Hey guys,

I just upgraded our ASA to the security plus license so I can finally start segmenting our badly oversubscribed network.  

Here's my configuration. Basically, when I plug my laptop into ethernet0/2 I can get to the internet just fine, but I cannot talk to the other VLANs (such as in the same security level). I already checked the basics like enabling 'same-security-traffic permit inter-interface'; however, I'm 99% sure it's something to do with NAT. I tried toggling NAT control to no avail.

Any help is appreciated. Config is attached.

ASA Version 7.2(4)
hostname XXXX
domain-name default.domain.invalid
enable password XXX encrypted
passwd XXX encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Vlan2
 nameif outside
 security-level 0
 ip address XXXXX
 ospf cost 10
interface Vlan3
 nameif office2
 security-level 100
 ip address
 ospf cost 10
interface Vlan4
 nameif Office
 security-level 100
 ip address
interface Vlan5
 nameif guestwifi
 security-level 1
 ip address
interface Vlan6
 nameif Voice
 security-level 3
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
 switchport access vlan 4
interface Ethernet0/4
 switchport access vlan 5
interface Ethernet0/5
 switchport access vlan 6
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any host XXXX eq www
access-list outside_access_in extended permit tcp any host XXXX eq https
access-list outside_access_in extended permit tcp any host XXXX eq ssh
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip any
access-list local_LAN_Access remark vpn clien local lan access
access-list local_LAN_Access standard permit
access-list tcp_traffic extended permit tcp any any
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
mtu office2 1500
mtu Office 1500
mtu Voice 1500
mtu guestwifi 1500
ip local pool PoolA mask
ip local pool poolb mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
nat (office2) 1
static (inside,outside) tcp interface https https netmask
static (inside,outside) tcp interface 8080 8080 netmask
static (inside,outside) tcp XXXX www www netmask
static (inside,outside) tcp XXXX https https netmask
static (inside,outside) tcp XXXX ssh ssh netmask
access-group outside_access_in in interface outside
route outside XXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http inside
authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
no vpn-addr-assign aaa
telnet inside
telnet timeout 5
ssh inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd dns
dhcpd lease 43200
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside
dhcpd address office2
dhcpd enable office2
dhcpd address Office
dhcpd enable Office
dhcpd address Voice
dhcpd enable Voice
dhcpd address guestwifi
dhcpd enable guestwifi

1 Solution

Your no nat rules specify to nat anything from, and, is not assigned on this firewall. Also,  your rules state not to nat from any internal network to, and,

What traffic inside to inside do you want to allow through? Not all use the same internal security level, for example vlan 5 and 6.

harbor235 ;}

wrinklefree (Author) commented:
I only want the same security levels to provide inter vlan routing.

I figured out the problem, and it was NAT. Even with NAT control disabled, with the ASA if you're using any kind of dynamic NAT, you'll need to set up either exemptions or static NAT rules for inter-VLAN communication. Once I did that it's working fine.
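The check below is an added example, not code from the thread or from Cisco. It models the rule wrinklefree arrived at: on a pre-8.3 ASA, once a source interface has a numbered dynamic `nat (src) N` entry, traffic from it toward any other interface needs a `global (dst) N` pool, a `nat (src) 0 access-list` exemption whose ACE destination actually covers the other VLAN's subnet, or a `static (src,dst)` rule. The subnets are constructed placeholders (10.0.1.0/24 for inside, 10.0.3.0/24 for office2, 10.0.200.0/24 as the VPN pool, 198.51.100.0/24 outside) because the real addresses are redacted in the post, and the parser only understands the `nat`, `global`, `static` and `access-list ... permit ip` forms that appear in the posted config. It credits a `nat 0` exemption only where an ACE destination covers the destination VLAN, which is exactly why the existing `inside_nat0_outbound` (VPN pools only, as harbor235 noted) did not help.

```python
"""Audit a pre-8.3 ASA config for the inter-interface NAT gap from the thread.

Rule modelled (the author's conclusion): once a source interface carries a
numbered dynamic 'nat (src) N' entry, traffic toward any other interface
needs a 'global (dst) N' pool, a 'nat (src) 0 access-list' exemption whose
ACE destination covers dst's subnet, or a 'static (src,dst)' rule.
Pairs with none of those are reported.  Sample configs are constructed.
"""
import ipaddress
import re
from collections import defaultdict


def _addr(tok, i):
    """Consume one ASA address spec at tok[i] ('any', 'host X', or 'A MASK')."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_asa(config):
    """Extract interfaces, NAT entries, global pools, statics and ACE targets."""
    ifaces, cur = {}, None                  # nameif -> {"level", "net"}
    dynamic = defaultdict(set)              # src ifc -> numbered nat ids
    pools = defaultdict(set)                # dst ifc -> global pool ids
    exempt_acl = {}                         # src ifc -> 'nat (src) 0' ACL name
    aces = defaultdict(list)                # ACL name -> destination networks
    statics = set()                         # (src, dst) pairs with a static
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur = {}                        # start collecting sub-commands
            continue
        if line.startswith(" ") and cur is not None:
            if tok[0] == "nameif":
                cur["name"] = tok[1]
            elif tok[0] == "security-level":
                cur["level"] = int(tok[1])
            elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
                cur["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            if all(k in cur for k in ("name", "level", "net")):
                ifaces[cur["name"]] = {"level": cur["level"], "net": cur["net"]}
            continue
        cur = None                          # back at global config level
        if m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            exempt_acl[m.group(1)] = m.group(2)
        elif m := re.match(r"nat \((\S+)\) ([1-9]\d*)", line):
            dynamic[m.group(1)].add(int(m.group(2)))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            pools[m.group(1)].add(int(m.group(2)))
        elif m := re.match(r"static \((\S+),(\S+)\)", line):
            statics.add((m.group(1), m.group(2)))
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            _, i = _addr(tok, 5)            # skip the source spec
            aces[tok[1]].append(_addr(tok, i)[0])
    return {"ifaces": ifaces, "dynamic": dynamic, "pools": pools,
            "exempt_acl": exempt_acl, "aces": aces, "statics": statics}


def audit(parsed):
    """Return sorted (src, dst) pairs whose traffic matches dynamic NAT on src
    but has no translation target toward dst (the thread's failing case).
    A static is credited only in its declared direction, to stay conservative."""
    findings = []
    for src, ids in parsed["dynamic"].items():
        for dst, info in parsed["ifaces"].items():
            if dst == src or ids & parsed["pools"][dst]:
                continue                    # same interface, or a pool exists
            if (src, dst) in parsed["statics"]:
                continue                    # static rule translates first
            acl = parsed["exempt_acl"].get(src)
            if acl and any(info["net"].subnet_of(n) for n in parsed["aces"][acl]):
                continue                    # nat 0 exemption reaches dst subnet
            findings.append((src, dst))
    return sorted(findings)


# Constructed config in the shape of the thread's: two same-security VLANs with
# dynamic NAT, a global pool only on outside, and a nat 0 ACL that exempts only
# the (constructed) VPN client pool.
BROKEN = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Vlan3
 nameif office2
 security-level 100
 ip address 10.0.3.1 255.255.255.0
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.200.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (office2) 1 0.0.0.0 0.0.0.0
"""

# The two remedies the author names, one per direction: extend the exemption
# ACL to the other VLAN, and add an identity static the other way.
FIXED = BROKEN + """\
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0
static (office2,inside) 10.0.3.0 10.0.3.0 netmask 255.255.255.0
"""
```

Running `audit(parse_asa(BROKEN))` reports `[('inside', 'office2'), ('office2', 'inside')]`, the two inter-VLAN directions that match `nat (...) 1` but have nothing to translate them toward the other VLAN, while inside-to-outside and office2-to-outside pass because `global (outside) 1` exists; `audit(parse_asa(FIXED))` returns an empty list. The same check is a cheap thing to run on a config before adding a VLAN, since every new `nat (newvlan) 1` entry silently needs the same exemption or static toward every existing VLAN.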

Ernie Beek (Expert) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.