Improve company productivity with a Business Account.Sign Up

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 579
  • Last Modified:

ASA 5505 Routing InterVLANS with Linksys SRW248G4

Hello I have the following scenario: In the office I have an ASA 5505 Security Plus license with a switch cisco lynksys SRW248G4, I want to segment my network into 8 subnets 192.168.10.x, in my switch I have  8 vlan, one for each department and need everyone to communicate with each other, my goal is to divide my broadcast domain, each vlan I assign IP address through DHCP from my ASA 5505 that has a trunk port  which connects to a trunk port on my switch and trunk communication works well when I connect a computer to a vlan it gets its ip address from dhcp server on the asa 5505, my problem is that I can not make my vlans to communicate with each other, and I need internet access through the outside interface too, when I connect a computer to a VLAN, this computer is not able to communicate with another computer in other VLAN, which settings I have to do to allow this communication? this is my  running-config:

Result of the command: "show running-config"

: Saved
ASA Version 8.2(1)
hostname ASA5505
enable password .bh8cq0o encrypted
passwd 2KFQnbNIdI.YOU encrypted
interface Vlan1
 nameif Server
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan20
 nameif Depto1
 security-level 100
 ip address
interface Vlan30
 nameif Depto2
 security-level 100
 ip address
interface Vlan40
 nameif Depto3
 security-level 100
 ip address
interface Vlan50
 nameif Depto4
 security-level 100
 ip address
interface Vlan60
 nameif Depto5
 security-level 100
 ip address
interface Vlan70
 nameif Depto6
 security-level 100
 ip address
interface Vlan80
 nameif Depto7
 security-level 100
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
 switchport trunk allowed vlan 1,10,20,30,40,50,60,70,80
 switchport trunk native vlan 1
 switchport mode trunk
 speed 100
 duplex full
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner motd Hi
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Depto1_access_in extended permit icmp any any
access-list Server_access_in extended permit icmp any any
access-list Server_access_in extended permit ip any any
access-list Depto2_access_in extended permit icmp any any
access-list Depto4_access_in extended permit icmp any any
access-list Depto3_access_in extended permit icmp any any
access-list Depto5_access_in extended permit icmp any any
access-list Depto6_access_in extended permit icmp any any
access-list Depto7_access_in extended permit icmp any any
access-list acl_in extended permit tcp any any
access-list acl_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu Server 1500
mtu outside 1500
mtu Depto1 1500
mtu Depto2 1500
mtu Depto3 1500
mtu Depto4 1500
mtu Depto5 1500
mtu Depto6 1500
mtu Depto7 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Server
icmp permit any Depto1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group acl_in in interface Server
access-group Depto1_access_in in interface Depto1
access-group Depto3_access_in in interface Depto2
access-group Depto5_access_in in interface Depto3
access-group Depto6_access_in in interface Depto4
access-group Depto2_access_in in interface Depto5
access-group Depto7_access_in in interface Depto6
access-group Depto4_access_in in interface Depto7
route outside 1
route Depto1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Server
http Depto1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Server
dhcpd auto_config outside
dhcpd address Server
dhcpd enable Server
dhcpd address Depto1
dhcpd enable Depto1
dhcpd address Depto2
dhcpd enable Depto2
dhcpd address Depto3
dhcpd enable Depto3
dhcpd address Depto4
dhcpd enable Depto4
dhcpd address Depto5
dhcpd enable Depto5
dhcpd address Depto6
dhcpd enable Depto6
dhcpd address Depto7
dhcpd enable Depto7

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username Admin password dgL/aM5ybE2cn encrypted
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end

thank you very much
1 Solution
You need to create access lists that allow the VLANs to talk to eachother.  this is very simple to do with ASDM.  this is another EE post that might help out.
Remove this route:
route Depto1 1
This doesn't make any sense as Depto1 interface is in that network.

And issue:
no nat-control

It should fix your problem.

fernozAuthor Commented:
I finally complete my implementation, for asa 5505 I use access lists, NAT rules and NAT exception rules for the access to internet, and this work fine, I was experimenting some lag in ftp, but I don´t  know what is.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now