
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 981

ASA 5505 inter-vlan routing

I am trying to set up inter-VLAN routing on my ASA 5505. I have configured the 2 NAT policies and ran the same-security-traffic permit inter-interface command, since both networks are security level 100. Am I missing anything else here? When I ping an "inside" address from the "phones" VLAN I do not get a reply, and the same is true when reversing that test. I have tried the "no nat-control" command as well, to no avail.

I have some VPN SAs coming into this and I don't want to break those in the process.

Here is a snip of my running config:
interface Ethernet0/0
 switchport trunk allowed vlan 1,200
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan200
 nameif phones
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
access-list nonat-inside extended permit ip any 192.168.0.0 255.255.0.0
nat (inside) 0 access-list nonat-inside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (phones) 1 0.0.0.0 0.0.0.0
static (inside,phones) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (phones,inside) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


Asked by: LouisvilleGeek
1 Solution
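The prerequisites the asker lists (equal security levels, the same-security-traffic permit, and identity NAT in both directions) can be checked mechanically against a config dump. This is an added example, not code from the thread: it parses a constructed copy of the snippet above (pre-8.3 `static` syntax) and flags any equal-security interface pair that lacks one of those pieces.

```python
import ipaddress
import re
from itertools import combinations
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan200
 nameif phones
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
static (inside,phones) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (phones,inside) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
"""  # constructed copy of the asker's relevant lines (ASA 8.2-style NAT syntax)
def parse_interfaces(config):
    """Map each nameif to (security-level, directly connected network)."""
    ifaces, block = {}, {}
    for line in config.splitlines() + ["!"]:       # sentinel closes the last block
        m = re.match(r"^ (nameif|security-level|ip address) (.+)$", line)
        if m:
            block[m[1]] = m[2]
        elif not line.startswith(" "):              # non-indented line ends a block
            if "nameif" in block:
                net = ipaddress.ip_interface("/".join(block["ip address"].split())).network
                ifaces[block["nameif"]] = (int(block["security-level"]), net)
            block = {}
    return ifaces
def check_inter_interface(config):
    """Findings per equal-security pair missing the inter-interface permit or identity statics."""
    ifaces = parse_interfaces(config)
    identity = {}                                   # (from, to) -> identity-NATed networks
    for src, dst, real, mapped, mask in re.findall(
            r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)", config, re.M):
        if real == mapped:                          # identity static: real == mapped address
            identity.setdefault((src, dst), set()).add(ipaddress.ip_network(f"{real}/{mask}", strict=False))
    permit = "same-security-traffic permit inter-interface" in config
    findings = []
    for a, b in combinations(ifaces, 2):
        if ifaces[a][0] != ifaces[b][0]:
            continue                                # different levels: ACLs govern instead
        if not permit:
            findings.append(f"{a}<->{b}: 'same-security-traffic permit inter-interface' missing")
        for src, dst in ((a, b), (b, a)):           # identity NAT is needed when nat-control is on
            if ifaces[src][1] not in identity.get((src, dst), ()):
                findings.append(f"{src}->{dst}: no identity static for {ifaces[src][1]}")
    return findings
```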
pclinuxguru commented:
My guess would be a route is missing.

What does it say when you do try to ping?

Fizicist commented:
This sounds like a router-on-a-stick configuration, which Cisco has documented. This involves a switch that can handle VLANs and dot1q trunk encapsulation. Since you only have one network configured in your example, I'd ask what the setup is on the switch where you separated the VLANs. Do you have a port that's set up as a trunk that will pass both VLANs to the ASA 5505? If your ASA lic. allows, have you tried to make sub-interfaces? I read on Cisco that you need a Security Plus license to get sub-interfaces.
Maybe the router solution can give you an idea of how to set up the ASA 5505.

LouisvilleGeek (author) commented:
The Ethernet 0/0 port is trunked to the switch. The switch carries both VLANs. When I try to ping across the interfaces on the ASA there are timeouts.

In this case I am trying to ping locally on the ASA across the 2 VLAN interfaces from each other.

For example, running "ping phones 192.168.1.1" and "ping inside 10.0.10.1" both result in timeouts.
SHEEP commented:
Remove the nat and static commands; you don't want to NAT, you want to route.

On that note, can you post the result of
sh route

LouisvilleGeek (author) commented:
Sheep, I have to do some kind of NAT for the phones VLAN or else they can't get out to the Internet. Am I missing something here?

Gateway of last resort is 89.92.71.1 to network 0.0.0.0

C    89.92.71.2 255.255.255.240 is directly connected, isp
C    10.0.10.0 255.255.255.0 is directly connected, phones
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [128/0] via 89.92.71.1, isp

 
SHEEP commented:
I don't think so. NAT and VoIP don't go along too well, due to some devices having something called SIP ALG enabled by default.

Look in your configuration to see if you have:
inspect sip

If you have it, remove it. If you don't have it, add it:
#conf t
(config)#policy-map global_policy
(config-pmap)#class inspection_default
(config-pmap-c)#inspect sip


You shouldn't need to add any NAT rules for your VoIP clients to connect to a VoIP server somewhere on the Internet; just make sure that you configure them with the ASA as the default gateway, 10.0.10.1.

LouisvilleGeek (author) commented:
Abandoned question.  Closing ticket.

LouisvilleGeek (author) commented:
Abandoned question.  Closing.