Cisco ASA 5510 Inter-intra Subnet/VLAN Communication

PMGIT asked:

I am trying to get two internal networks talking with an ASA5510. I can't access 192.100.7.0/24 from 192.100.8.0/24 and vice versa. I thought "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface" were supposed to allow this, but I'm obviously missing something. The network is flat and I'm only trying to ping from one subnet to the other. I have the PCs in the .7 and .8 subnets physically connected to the same switch and pointed to each respective gateway; see the relevant config below.

ASA Version 8.0(4)

interface Ethernet0/0
 speed 1000
 nameif OUTSIDE
 security-level 0
 ip address 200.200.200.254 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1
 speed 1000
 nameif INSIDE
 security-level 100
 ip address 192.100.7.254 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.100
 vlan 100
 nameif V1
 security-level 100
 ip address 192.100.8.254 255.255.255.0
!
interface Ethernet0/2.200
 vlan 200
 nameif V2
 security-level 100
 ip address 192.100.9.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address
 ospf cost 10
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup INSIDE
dns server-group DefaultDNS
 name-server MY DNS SERVER
 domain-name MY DOMAIN NAME

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_6
 network-object xxx.xxx.xxx
 network-object host xxx.xxx.xxx
access-list OUTSIDE_access_in extended permit object-group DM_INLINE_PROTOCOL
access-list OUTSIDE_access_in remark
access-list INSIDE_nat0_outbound remark
access-list INSIDE_nat0_outbound extended permit xxx.xxx.xxx
access-list INSIDE_nat0_outbound remark

nat-control
global (OUTSIDE) 101 200.200.200.253 netmask 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 101 0.0.0.0 0.0.0.0
nat (V1) 101 0.0.0.0 0.0.0.0

static (INSIDE,OUTSIDE) tcp xxx.xxx.xxx https INTERNAL SERVER https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp xxx.xxx.xxx https INTERNAL SERVER https netmask 255.255.255.255

static (INSIDE,OUTSIDE) REPLACED NAME  access-list policy_nat
access-group OUTSIDE_access_in in interface OUTSIDE

route OUTSIDE 0.0.0.0 0.0.0.0 200.200.200.1

more crypto & vpn transform-set stuff
lruiz52 replied:

Have you checked the firewall settings on the PCs? Verify that ping is not blocked. Also try reloading the ASA; you shouldn't have to, but I've seen it clear up issues.
Also, do you have the Security Plus license on this ASA?
ikalmar replied:

Hi,

You need:

access-list INSIDE_nat0_outbound extended permit ip 192.100.7.0 255.255.255.0 192.100.8.0 255.255.255.0
PMGIT (asker) replied:

Hi and thanks to both.
lruiz: the firewalls are off on both PCs in question, and the ASA has been reloaded twice.
ikalmar: I added the access list above, but I get the same error in the firewall log: <192.100.8.5 No translation group found for icmp src INSIDE:PC1 dst V1:192.100.8.5 (type 8, code 0)>
This is very strange. Again, I thought "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface" were supposed to allow this type of subnet traversal?
Could it have anything to do with the fact that .8 is a sub-interface (VLAN), so the ASA thinks it should be tagging packets, or is tagging them?
Reply:

Try this:

access-list NO_NAT_Inside_to_V1 extended permit ip 192.100.7.0 255.255.255.0 192.100.8.0 255.255.255.0
access-list NO_NAT_V1_to_inside extended permit ip 192.100.8.0 255.255.255.0 192.100.7.0 255.255.255.0

nat (INSIDE) 0 access-list NO_NAT_Inside_to_V1
nat (V1) 0 access-list NO_NAT_V1_to_inside
PMGIT (asker) replied:

The problem is that I already have "nat (INSIDE) 0 access-list INSIDE_nat0_outbound", which would then be replaced by "nat (INSIDE) 0 access-list NO_NAT_Inside_to_V1", at which point the rest of my existing xlates will stop working (I think). There has to be a better way than NO NAT (BTW: I thought that command was deprecated?).
Asker certified solution, posted by PMGIT. The solution text is members-only on Experts Exchange and is not shown on this page.
PMGIT (asker) added:


There were no acceptable responses, so after 2 months of trial and error I figured the problem out myself, then posted the correct answer.
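The accepted answer is not visible on this page, so what follows is an added example, not PMGIT's posted solution and not anyone's reply from the thread. It shows the standard way to clear "No translation group found" between two named interfaces on ASA 8.0(4) with nat-control enabled: nat-control requires every flow between two interfaces to match a NAT rule, and same-security-traffic permit inter-interface only waives the equal-security-level check, it does not supply a translation. The posted config has nat (INSIDE) 101 and nat (V1) 101 but a global for id 101 only on OUTSIDE, so neither INSIDE-to-V1 nor the V1-to-INSIDE return path has a translation. The fix below extends the existing INSIDE_nat0_outbound ACL (an interface carries only one nat 0 access-list, which is why a second one would replace it) and adds exemptions for V1 and V2. Interface names and subnets come from the posted config; the object-group name INTERNAL_NETS, the ACL names V1_nat0_outbound and V2_nat0_outbound, the host addresses used in packet-tracer, and the presence of the default global_policy are assumptions.

```cisco
! Added example, not the thread's accepted answer. Assumes INSIDE = 192.100.7.0/24,
! V1 = 192.100.8.0/24 (Ethernet0/2.100) and V2 = 192.100.9.0/24 (Ethernet0/2.200)
! as in the posted config. INTERNAL_NETS, V1_nat0_outbound and V2_nat0_outbound
! are assumed names.

! Option A: NAT exemption (nat 0 access-list) in every direction.
object-group network INTERNAL_NETS
 network-object 192.100.7.0 255.255.255.0
 network-object 192.100.8.0 255.255.255.0
 network-object 192.100.9.0 255.255.255.0
!
! Add to the ACL already bound by "nat (INSIDE) 0"; do not replace that nat line,
! or the existing VPN exemptions in INSIDE_nat0_outbound stop matching.
access-list INSIDE_nat0_outbound extended permit ip 192.100.7.0 255.255.255.0 object-group INTERNAL_NETS
!
! V1 and V2 have no nat 0 yet, so the return traffic needs its own exemption.
access-list V1_nat0_outbound extended permit ip 192.100.8.0 255.255.255.0 object-group INTERNAL_NETS
access-list V2_nat0_outbound extended permit ip 192.100.9.0 255.255.255.0 object-group INTERNAL_NETS
nat (V1) 0 access-list V1_nat0_outbound
nat (V2) 0 access-list V2_nat0_outbound
!
! Option B (instead of A): identity statics also satisfy nat-control, one pair
! per interface pair. Shown commented out for INSIDE<->V1 only.
! static (INSIDE,V1) 192.100.7.0 192.100.7.0 netmask 255.255.255.0
! static (V1,INSIDE) 192.100.8.0 192.100.8.0 netmask 255.255.255.0
!
! Optional: stateful ICMP so echo replies ride the existing connection rather than
! being evaluated as new flows. Assumes the default global_policy exists.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Stale entries survive NAT changes; clear them, then test both directions.
clear xlate
packet-tracer input INSIDE icmp 192.100.7.10 8 0 192.100.8.5
packet-tracer input V1 icmp 192.100.8.5 8 0 192.100.7.10
show nat
show xlate
```

packet-tracer walks the flow through the access-list, NAT and route phases and names the phase that drops it, so it distinguishes a missing exemption from a host-side firewall or a switch VLAN problem without touching the PCs. On the deprecation point raised in the thread: nat 0 access-list is the correct 8.0-era syntax; it was replaced by object NAT and twice NAT in 8.3, which does not apply to an 8.0(4) box.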