Solved

ASA 5505 inter-vlan routing

Posted on 2012-03-29
962 Views
Last Modified: 2012-04-24
I am trying to set up inter-VLAN routing on my ASA 5505. I have configured the 2 NAT policies and run the same-security-traffic permit inter-interface command, since both networks are security level 100. Am I missing anything else here? When I ping an "inside" address from the "phones" VLAN I do not get a reply, and the same is true when reversing that test. I have tried with the "no nat-control" command as well, to no avail.

I have some VPN SAs coming into this and I don't want to break those in the process.

Here is a snip of my running config:
interface Ethernet0/0
 switchport trunk allowed vlan 1,200
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan200
 nameif phones
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
access-list nonat-inside extended permit ip any 192.168.0.0 255.255.0.0
nat (inside) 0 access-list nonat-inside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (phones) 1 0.0.0.0 0.0.0.0
static (inside,phones) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (phones,inside) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Question by:LouisvilleGeek
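Added example (not from the thread or from Cisco): a small Python audit of an ASA 8.2-style config for the two prerequisites the thread turns on, equal security levels with same-security-traffic permitted and an identity static NAT in each direction when nat-control is in effect. SAMPLE_CONFIG is trimmed from the config snippet posted in the question.

```python
"""Audit an ASA 8.2-style config for the inter-VLAN prerequisites discussed in
the thread: equal security levels need 'same-security-traffic permit
inter-interface', and under nat-control each direction needs identity NAT.
Added example, not the poster's tooling; SAMPLE_CONFIG is trimmed from the question."""
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan200
 nameif phones
 security-level 100
!
static (inside,phones) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (phones,inside) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
"""

SAME_SEC = "same-security-traffic permit inter-interface"

def parse_interfaces(config):
    """Map each nameif to its security level from 'interface' blocks."""
    levels, block = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            block = {}
        elif line.startswith("!"):
            block = None
        elif block is not None:
            m = re.match(r"\s+(nameif|security-level) (\S+)", line)
            if m:
                block[m.group(1)] = m.group(2)
            if "nameif" in block and "security-level" in block:
                levels[block["nameif"]] = int(block["security-level"])
    return levels

def check_inter_vlan(config, a, b):
    """Return findings for traffic between interfaces a and b; empty = OK."""
    levels = parse_interfaces(config)
    findings = [f"{n}: no nameif/security-level found" for n in (a, b) if n not in levels]
    if not findings and levels[a] == levels[b] and SAME_SEC not in config:
        findings.append(f"{a} and {b} share security level {levels[a]} but '{SAME_SEC}' is missing")
    # With nat-control, flows between interfaces are dropped unless a translation matches.
    for src, dst in ((a, b), (b, a)):
        m = re.search(rf"^static \({src},{dst}\) (\S+) (\S+) netmask", config, re.M)
        if not (m and m.group(1) == m.group(2)):
            findings.append(f"no identity static NAT from {src} to {dst}")
    return findings
```

A clean result only says the config permits the flow between the two VLAN interfaces; it does not verify routing on the switch or the hosts' default gateways.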
8 Comments

Expert Comment

by:pclinuxguru
My guess would be a route is missing.

What does it say when you do try to ping?

Expert Comment

by:Fizicist
This sounds like a router-on-a-stick configuration, which Cisco has documented. This involves a switch that can handle VLANs and dot1q trunk encapsulation. Since you only have one network configured in your example, I'd ask what the setup is on the switch where you separated the VLANs. Do you have a port that's set up as a trunk that will pass both VLANs to the ASA 5505? If your ASA license allows, have you tried to make sub-interfaces? I read on Cisco that you need the Security Plus license to get sub-interfaces.
Maybe the router solution can give you an idea of how to setup the ASA 5505.

Author Comment

by:LouisvilleGeek
The Ethernet 0/0 port is trunked to the switch. The switch carries both VLANs. When I try to ping across the interfaces on the ASA there are timeouts.

In this case I am trying to ping locally on the ASA across the 2 VLAN interfaces from each other.

For example, I am running "ping phones 192.168.1.1" and "ping inside 10.0.10.1"; both result in timeouts.

Expert Comment

by:SHEEP
Remove the nat and static commands; you don't want to NAT, you want to route.

On that note, can you post the result of
sh route

Author Comment

by:LouisvilleGeek
Sheep, I have to do some kind of NAT for the phones VLAN or else they can't get out to the Internet. Am I missing something here?

Gateway of last resort is 89.92.71.1 to network 0.0.0.0

C    89.92.71.2 255.255.255.240 is directly connected, isp
C    10.0.10.0 255.255.255.0 is directly connected, phones
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [128/0] via 89.92.71.1, isp


Expert Comment

by:SHEEP
Don't think so. NAT and VoIP don't go along too well, due to some devices having something called SIP ALG enabled by default.

look in your configuration to see if you have
inspect sip


If you have it, remove it. If you don't have it, add it:
#conf t
(config)#policy-map global_policy
(config-pmap)#class inspection_default
(config-pmap-c)#inspect sip


You shouldn't need to add any NAT rules for your VoIP clients to connect to a VoIP server somewhere on the Internet; just make sure that you configure them with the ASA as the default gateway, 10.0.10.1.

Accepted Solution

by:LouisvilleGeek (earned 0 total points)
Abandoned question.  Closing ticket.

Author Closing Comment

by:LouisvilleGeek
Abandoned question.  Closing.