Seconet
asked on
ASA 5505 no traffic between vlans
Dear,
We bought a Cisco ASA 5505 and I made a new network plan; I have planned 4 VLANs: vlan 10, 20, 30, 40.
My problem is that I can't get traffic from, for example, vlan10 (IP range 10.0.1.0) to vlan20 (IP range 10.0.2.0).
For testing purposes I changed all security levels to equal and enabled "same-security-traffic permit inter-interface".
I am quite new to the Cisco device, so any comments are welcome.
Attached is my running config.
hostname ciscoasa
enable password encrypted encrypted
passwd encrypted encrypted
names
name external ip a50-outside description outside
name external ip a51-outside description web
name external ip a52-outside description kantoor
name 10.0.2.29 act-oo description ACT server
name 10.0.2.49 davilex description Davilex werkstation
name 10.0.2.40 dc1 description domeincontroller
name 10.0.2.31 exchange-server description mailserver exchange
name 10.0.2.43 mail1 description Mailserver exchange
name 10.0.2.23 nas-server description nas-server
name 10.0.2.52 node2 description terminal server 2
name 10.0.2.54 node3 description terminal server 3
name 10.0.2.42 sql1 description SQL server
name 10.0.2.41 ts1 description Terminal server
name 10.0.2.204 vcenter description Vitrual centre
name 10.0.3.100 web1 description webserver
name 10.0.2.247 wsoo1 description werkstation tjeerd
name 10.2.0.248 wsoo2 description werkstation Brenda
name 10.2.0.249 wsoo3 description werkstation Arno
name 10.2.0.251 wsoo4 description werkstation Elieke
name 10.0.2.22 xytrium description terminal server Xytrium
name 10.0.2.243 wssec01 description Werkstation Bob
name 10.0.2.245 wssec02 description Werkstation Ronald
name external ip Exofilter1 description mailrelay ip1
name external ip Exofilter2 description tweede ip exofilter
name 192.168.1.222 backup_server
name external ip a71-outside-backup
name external ip a72-outside-backup
name external ip a80-outside-backup
name 10.0.2.45 ssl
name externalip a58-outside
name external ip a78_outside-backup
!
interface Vlan1
nameif inside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
backup interface Vlan52
nameif outside
security-level 0
ip address a50-outside 255.255.255.240
!
interface Vlan10
nameif inside_extern
security-level 0
ip address 10.0.1.2 255.255.255.0
!
interface Vlan20
nameif inside_kantoor
security-level 0
ip address 10.0.2.2 255.255.255.0
!
interface Vlan30
nameif inside_web
security-level 100
ip address 10.0.3.2 255.255.255.0
!
interface Vlan40
nameif inside_mgt
security-level 100
ip address 10.0.4.2 255.255.255.0
!
interface Vlan52
nameif outside_backup
security-level 0
ip address external ip 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 52
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 20
!
interface Ethernet0/4
switchport access vlan 30
!
interface Ethernet0/5
switchport access vlan 40
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq pop3
port-object eq 3389
port-object eq www
object-group service DM_INLINE_TCP_2 tcp
port-object eq 444
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq https
port-object eq pop3
port-object eq 3389
object-group service DM_INLINE_TCP_4 tcp
port-object eq 444
port-object eq https
access-list inside_extern_access_in extended permit ip any any
access-list outside_access_in remark pop3 toegang exchange
access-list outside_access_in remark https toegang exchange
access-list outside_access_in remark rdp toegang node2
access-list outside_access_in extended permit tcp any host a50-outside object-group DM_INLINE_TCP_1
access-list outside_access_in remark smtp toegang tot exchange-server
access-list outside_access_in extended permit tcp any host a50-outside eq smtp
access-list outside_access_in remark https toegang tot exchange server; ssl-vpn naar adito over poort 444
access-list outside_access_in extended permit tcp any host a52-outside object-group DM_INLINE_TCP_2
access-list outside_access_in remark smtp toegang tot mail1 voor exofilter1&exofilter2
access-list outside_access_in extended permit tcp any host a52-outside eq smtp
access-list outside_access_in remark https toegang tot webserver
access-list outside_access_in extended permit tcp any host a51-outside eq https
access-list inside_kantoor_access_in extended permit ip any any
access-list inside_web_access_in extended permit ip any any
access-list outside_backup_access_in remark pop3 toegang exchange
access-list outside_backup_access_in remark https toegang exchange
access-list outside_backup_access_in remark rdp toegang node2 (backp ip)
access-list outside_backup_access_in extended permit tcp any host a80-outside-backup object-group DM_INLINE_TCP_3
access-list outside_backup_access_in remark smtp toegang tot exchange-server (backup ip)
access-list outside_backup_access_in extended permit tcp any host a80-outside-backup eq smtp
access-list outside_backup_access_in remark https toegang tot exchange server; ssl-vpn naar adito over poort 444 (backup ip)
access-list outside_backup_access_in extended permit tcp any host a72-outside-backup object-group DM_INLINE_TCP_4
access-list outside_backup_access_in remark smtp toegang tot mail1 voor exofilter1&exofilter2 (backup ip)
access-list outside_backup_access_in extended permit tcp any host a72-outside-backup eq smtp
access-list outside_backup_access_in remark https toegang tot webserver (backup ip)
access-list outside_backup_access_in extended permit tcp any host a71-outside-backup eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside_mgt 1500
mtu inside_kantoor 1500
mtu inside_web 1500
mtu inside_extern 1500
mtu outside_backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any inside_mgt
icmp permit any inside_kantoor
icmp permit any inside_web
icmp permit any inside_extern
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 a52-outside netmask 255.0.0.0
global (outside) 3 a51-outside netmask 255.0.0.0
global (outside) 4 a58-outside netmask 255.0.0.0
global (outside_backup) 1 interface
global (outside_backup) 2 a72-outside-backup netmask 255.0.0.0
global (outside_backup) 3 a71-outside-backup netmask 255.0.0.0
global (outside_backup) 4 a78_outside-backup netmask 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside_mgt) 4 0.0.0.0 0.0.0.0
nat (inside_kantoor) 1 0.0.0.0 0.0.0.0
nat (inside_web) 3 0.0.0.0 0.0.0.0
nat (inside_extern) 1 0.0.0.0 0.0.0.0
static (inside_kantoor,outside) tcp a52-outside https mail1 https netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp a72-outside-backup https mail1 https netmask 255.255.255.255
static (inside_kantoor,outside) tcp interface 444 ssl 444 netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp interface 444 ssl 444 netmask 255.255.255.255
static (inside_kantoor,outside) tcp a52-outside smtp mail1 smtp netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp a72-outside-backup smtp mail1 smtp netmask 255.255.255.255
static (inside_kantoor,outside) tcp interface https exchange-server https netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp interface https exchange-server https netmask 255.255.255.255
static (inside_kantoor,outside) tcp interface www exchange-server www netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp interface www exchange-server www netmask 255.255.255.255
static (inside_kantoor,outside) tcp interface pop3 exchange-server pop3 netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp interface pop3 exchange-server pop3 netmask 255.255.255.255
static (inside_kantoor,outside) tcp interface smtp exchange-server smtp netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp interface smtp exchange-server smtp netmask 255.255.255.255
static (inside_kantoor,outside) tcp interface 3389 node2 3389 netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp interface 3389 node2 3389 netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp a71-outside-backup https act-oo https netmask 255.255.255.255
static (inside_kantoor,outside) tcp a51-outside https act-oo https netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_kantoor_access_in in interface inside_kantoor
access-group inside_web_access_in in interface inside_web
access-group inside_extern_access_in in interface inside_extern
access-group outside_backup_access_in in interface outside_backup
route outside 0.0.0.0 0.0.0.0 external ip 1
route outside_backup 0.0.0.0 0.0.0.0 external ip 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bdbcdf745abb91a913ac037b43ce2660
: end
I don't see anything wrong. Do the devices you're trying to reach in the different VLANs use the ASA as their default gateway? If not, do they know where the other subnets are located?
ASKER
Jmeggers
Yes, clients are configured with static IPs and the default gateway is the interface address of the ASA. The clients don't have any static routes because all the networks are directly connected to the ASA, so I mentioned that extra static routes are useless.
Any other suggestions?
ASKER CERTIFIED SOLUTION
ASKER
Hi Jmeggers
Thanks for your reply, I will try your solution today; it sounds like the solution, because my other dynamic NAT rules are only for traffic to the outside interfaces.
ASKER
Hey Guys,
Status update: after I copied Jmeggers' command into the ASA I can ping between inside (192.168.2.0/24) and inside_kantoor (10.0.2.0/24), but not between the other networks... I have added the running config again.
All comments are welcome.
Thanks in advance.
hostname ciscoasa
enable password
passwd
names
name 111 a50-outside description outside
name 111 a51-outside description web
name 111 a52-outside description kantoor
name 10.0.2.29 act-oo description ACT server
name 10.0.2.49 davilex description Davilex werkstation
name 10.0.2.40 dc1 description domeincontroller
name 10.0.2.31 exchange-server description mailserver exchange
name 10.0.2.43 mail1 description Mailserver exchange
name 10.0.2.23 nas-server description nas-server
name 10.0.2.52 node2 description terminal server 2
name 10.0.2.54 node3 description terminal server 3
name 10.0.2.42 sql1 description SQL server
name 10.0.2.41 ts1 description Terminal server
name 10.0.2.204 vcenter description Vitrual centre
name 10.0.3.100 web1 description webserver
name 10.0.2.247 wsoo1 description werkstation tjeerd
name 10.0.2.22 description terminal server Xytrium
name 10.0.2.243 wssec01 description Werkstation Bob
name 10.0.2.245 wssec02 description Werkstation Ronald
name 192.168.1.222 backup_server
name 111 a71-outside-backup
name 111 a72-outside-backup
name 111 a80-outside-backup
name 10.0.2.45 ssl
name 111 a58-outside
name 111 a78_outside-backup
!
interface Vlan1
nameif inside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
backup interface Vlan52
nameif outside
security-level 0
ip address a50-outside 255.255.255.240
!
interface Vlan10
shutdown
nameif inside_extern
security-level 0
ip address 10.0.1.2 255.255.255.0
!
interface Vlan20
nameif inside_kantoor
security-level 0
ip address 10.0.2.2 255.255.255.0
!
interface Vlan30
nameif inside_web
security-level 0
ip address 10.0.3.2 255.255.255.0
!
interface Vlan40
shutdown
nameif inside_mgt
security-level 0
ip address 10.0.4.2 255.255.255.0
!
interface Vlan52
nameif outside_backup
security-level 0
ip address outside ip 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 52
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 20
!
interface Ethernet0/4
switchport access vlan 30
!
interface Ethernet0/5
switchport access vlan 40
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq pop3
port-object eq 3389
port-object eq www
object-group service DM_INLINE_TCP_2 tcp
port-object eq 444
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq https
port-object eq pop3
port-object eq 3389
object-group service DM_INLINE_TCP_4 tcp
port-object eq 444
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp eq pptp
access-list inside_extern_access_in extended permit ip any any
access-list outside_access_in remark pptp toegang tot nas-server (VPN verbindingen)
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host a50-outside
access-list outside_access_in remark pop3 toegang exchange
access-list outside_access_in remark https toegang exchange
access-list outside_access_in remark rdp toegang node2
access-list outside_access_in extended permit tcp any host a50-outside object-group DM_INLINE_TCP_1
access-list outside_access_in remark smtp toegang tot exchange-server
access-list outside_access_in extended permit tcp any host a50-outside eq smtp
access-list outside_access_in remark https toegang tot exchange server; ssl-vpn naar adito over poort 444
access-list outside_access_in extended permit tcp any host a52-outside object-group DM_INLINE_TCP_2
access-list outside_access_in remark smtp toegang tot mail1 voor exofilter1&exofilter2
access-list outside_access_in extended permit tcp any host a52-outside eq smtp
access-list outside_access_in remark https toegang tot webserver
access-list outside_access_in extended permit tcp any host a51-outside eq https
access-list inside_kantoor_access_in extended permit ip any any
access-list inside_web_access_in extended permit ip any any
access-list outside_backup_access_in remark pop3 toegang exchange
access-list outside_backup_access_in remark https toegang exchange
access-list outside_backup_access_in remark rdp toegang node2 (backp ip)
access-list outside_backup_access_in extended permit tcp any host a80-outside-backup object-group DM_INLINE_TCP_3
access-list outside_backup_access_in remark smtp toegang tot exchange-server (backup ip)
access-list outside_backup_access_in extended permit tcp any host a80-outside-backup eq smtp
access-list outside_backup_access_in remark https toegang tot exchange server; ssl-vpn naar adito over poort 444 (backup ip)
access-list outside_backup_access_in extended permit tcp any host a72-outside-backup object-group DM_INLINE_TCP_4
access-list outside_backup_access_in remark smtp toegang tot mail1 voor exofilter1&exofilter2 (backup ip)
access-list outside_backup_access_in extended permit tcp any host a72-outside-backup eq smtp
access-list outside_backup_access_in remark https toegang tot webserver (backup ip)
access-list outside_backup_access_in extended permit tcp any host a71-outside-backup eq https
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_access_in extended permit ip any any
access-list inside_kantoor_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside_mgt 1500
mtu inside_kantoor 1500
mtu inside_web 1500
mtu inside_extern 1500
mtu outside_backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any inside_mgt
icmp permit any inside_kantoor
icmp permit any inside_web
icmp permit any inside_extern
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 a52-outside netmask 255.0.0.0
global (outside) 3 a51-outside netmask 255.0.0.0
global (outside) 4 a58-outside netmask 255.0.0.0
global (outside_backup) 1 interface
global (outside_backup) 2 a72-outside-backup netmask 255.0.0.0
global (outside_backup) 3 a71-outside-backup netmask 255.0.0.0
global (outside_backup) 4 a78_outside-backup netmask 255.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside_mgt) 0 access-list nonat
nat (inside_mgt) 4 0.0.0.0 0.0.0.0
nat (inside_kantoor) 0 access-list nonat
nat (inside_kantoor) 1 0.0.0.0 0.0.0.0
nat (inside_web) 3 0.0.0.0 0.0.0.0
nat (inside_extern) 0 access-list nonat
nat (inside_extern) 1 0.0.0.0 0.0.0.0
static (inside_kantoor,outside) tcp interface pptp nas-server pptp netmask 255.255.255.255
static (inside_kantoor,outside) tcp a52-outside https mail1 https netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp a72-outside-backup https mail1 https netmask 255.255.255.255
static (inside_kantoor,outside) tcp interface 444 ssl 444 netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp interface 444 ssl 444 netmask 255.255.255.255
static (inside_kantoor,outside) tcp a52-outside smtp mail1 smtp netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp a72-outside-backup smtp mail1 smtp netmask 255.255.255.255
static (inside_kantoor,outside) tcp interface https exchange-server https netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp interface https exchange-server https netmask 255.255.255.255
static (inside_kantoor,outside) tcp interface www exchange-server www netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp interface www exchange-server www netmask 255.255.255.255
static (inside_kantoor,outside) tcp interface pop3 exchange-server pop3 netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp interface pop3 exchange-server pop3 netmask 255.255.255.255
static (inside_kantoor,outside) tcp interface smtp exchange-server smtp netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp interface smtp exchange-server smtp netmask 255.255.255.255
static (inside_kantoor,outside) tcp interface 3389 node2 3389 netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp interface 3389 node2 3389 netmask 255.255.255.255
static (inside_kantoor,outside_backup) tcp a71-outside-backup https act-oo https netmask 255.255.255.255
static (inside_kantoor,outside) tcp a51-outside https act-oo https netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_kantoor_access_in in interface inside_kantoor
access-group inside_web_access_in in interface inside_web
access-group inside_extern_access_in in interface inside_extern
access-group outside_backup_access_in in interface outside_backup
route outside 0.0.0.0 0.0.0.0 62.177.186.49 1
route outside_backup 0.0.0.0 0.0.0.0 178.250.193.66 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http 10.0.2.62 255.255.255.255 inside_kantoor
http wssec01 255.255.255.255 inside_kantoor
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
ASKER
Hey Guys,
Problem solved. Jmeggers pushed me in the right direction with the NAT exempt rules; I made NAT exempt rules for each inside interface where I want to have traffic to another inside interface!
Thanks
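As an added illustration (not code from this thread, from Cisco, or from the accepted answer), the Python below is a deliberately simplified model of the pre-8.3 ASA NAT lookup that produces the symptom in this thread: a `nat (if) N 0 0` rule on the ingress interface forces a translation, and when the egress interface is another inside VLAN with no matching `global (egress) N` pool, the flow is dropped. A `nat (if) 0 access-list` exemption on the ingress interface is consulted first and lets the traffic through untranslated, which is why the exemption has to exist on every inside interface that should reach another inside interface. The `nat`/`global` lines and the `nonat` access-list are taken from the two configs posted above; the model ignores static NAT, policy NAT and `nat-control`, evaluates only the forward direction of a flow, and the hosts 10.0.1.10, 192.168.2.10 and 203.0.113.10 are constructed sample addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed, simplified model (not Cisco's code) of the pre-8.3 ASA NAT
# lookup. It keeps only the two rules that matter for this thread:
#   1. a "nat (if) 0 access-list X" exemption on the ingress interface is
#      checked first and lets matching traffic through untranslated;
#   2. otherwise a "nat (if) N ..." rule on the ingress interface needs a
#      "global (egress_if) N" pool on the egress interface, or the flow is
#      dropped (the classic "no translation group found").


class AsaNatModel:
    def __init__(self):
        self.acls = {}         # acl name -> [(src_net, dst_net), ...]
        self.nat_exempt = {}   # ingress interface -> acl name
        self.nat_id = {}       # ingress interface -> dynamic nat id
        self.globals = set()   # {(egress interface, nat id)}

    def access_list(self, name, src, dst):
        """access-list <name> extended permit ip <src> <dst> (CIDR notation here)."""
        self.acls.setdefault(name, []).append((ip_network(src), ip_network(dst)))

    def nat(self, ingress, nat_id, acl=None):
        """nat (<ingress>) 0 access-list <acl>   or   nat (<ingress>) <id> 0.0.0.0 0.0.0.0"""
        if nat_id == 0:
            self.nat_exempt[ingress] = acl
        else:
            self.nat_id[ingress] = nat_id

    def global_pool(self, egress, nat_id):
        """global (<egress>) <id> ..."""
        self.globals.add((egress, nat_id))

    def evaluate(self, ingress, egress, src_ip, dst_ip):
        """Describe what the model does with one flow (forward direction only)."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        acl = self.nat_exempt.get(ingress)
        if acl and any(src in s and dst in d for s, d in self.acls.get(acl, [])):
            return "pass (nat exempt)"
        nat_id = self.nat_id.get(ingress)
        if nat_id is None:
            return "pass (no nat rule)"
        if (egress, nat_id) in self.globals:
            return f"pass (translated, global {nat_id} on {egress})"
        return f"drop (nat id {nat_id} on {ingress} but no global on {egress})"


INSIDE_IFACES = ["inside", "inside_mgt", "inside_kantoor", "inside_web", "inside_extern"]


def first_config():
    """The nat/global lines from the asker's first posted running-config."""
    asa = AsaNatModel()
    for iface, nat_id in [("inside", 1), ("inside_mgt", 4), ("inside_kantoor", 1),
                          ("inside_web", 3), ("inside_extern", 1)]:
        asa.nat(iface, nat_id)
    for egress in ("outside", "outside_backup"):
        for nat_id in (1, 2, 3, 4):
            asa.global_pool(egress, nat_id)
    return asa


def second_config():
    """First config plus the nonat exemptions from the asker's second posting."""
    asa = first_config()
    asa.access_list("nonat", "10.0.0.0/8", "10.0.0.0/8")
    asa.access_list("nonat", "10.0.0.0/8", "192.168.0.0/16")
    asa.access_list("nonat", "192.168.0.0/16", "10.0.0.0/8")
    for iface in ("inside", "inside_mgt", "inside_kantoor", "inside_extern"):
        asa.nat(iface, 0, acl="nonat")   # inside_web has no nat 0 line in that config
    return asa


def missing_exemptions(asa, ifaces=INSIDE_IFACES):
    """Inside interfaces that carry a dynamic nat id but no nat 0 exemption."""
    return [i for i in ifaces if i in asa.nat_id and i not in asa.nat_exempt]


if __name__ == "__main__":
    for label, asa in (("first config", first_config()), ("second config", second_config())):
        print(label)
        print("  inside_extern -> inside_kantoor:",
              asa.evaluate("inside_extern", "inside_kantoor", "10.0.1.10", "10.0.2.40"))
        print("  inside -> inside_kantoor:",
              asa.evaluate("inside", "inside_kantoor", "192.168.2.10", "10.0.2.40"))
        print("  inside_web -> inside_kantoor:",
              asa.evaluate("inside_web", "inside_kantoor", "10.0.3.100", "10.0.2.40"))
        print("  inside_kantoor -> outside:",
              asa.evaluate("inside_kantoor", "outside", "10.0.2.40", "203.0.113.10"))
        print("  inside interfaces still without nat 0:", missing_exemptions(asa))
```

Run against the first config, every inside-to-inside flow is dropped while inside-to-outside is translated, which is the original complaint. Against the second config, inside and inside_kantoor exempt each other (the 192.168.0.0/16 and 10.0.0.0/8 entries of `nonat`), but inside_web still has a `nat (inside_web) 3` rule and no `nat (inside_web) 0` line, so `missing_exemptions` flags it and inside_web to inside_kantoor is still dropped; that matches the status update that pings worked only between inside and inside_kantoor. The return direction is subject to the same lookup, so the exemption has to be present on both interfaces of each pair, as the final post says.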
ASKER
This solution pushed me in the right direction!