Solved

ASA 5505 inter-vlan routing

Posted on 2012-03-29
963 Views
Last Modified: 2012-04-24
I am trying to set up inter-VLAN routing on my ASA 5505. I have configured the 2 NAT policies and ran the same-security-traffic permit inter-interface command, since both networks are security level 100. Am I missing anything else here? When I ping an "inside" address from the "phones" VLAN I do not get a reply, and the same is true for reversing that test. I have tried with the "no nat-control" command as well, to no avail.

I have some VPN SAs coming into this and I don't want to break those in the process.

Here is a snip of my running config:
interface Ethernet0/0
 switchport trunk allowed vlan 1,200
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan200
 nameif phones
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
access-list nonat-inside extended permit ip any 192.168.0.0 255.255.0.0
nat (inside) 0 access-list nonat-inside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (phones) 1 0.0.0.0 0.0.0.0
static (inside,phones) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (phones,inside) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Question by:LouisvilleGeek
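As an added example that is not part of the thread, here is a small Python check that parses the interface, static and same-security lines posted above and reports which of the prerequisites discussed in the thread are missing between two interfaces. It assumes the pre-8.3 NAT syntax shown in the post and only checks that the statements are present; it does not model how the ASA forwards.

```python
import re
from ipaddress import ip_network
# Constructed sample: interface, static and same-security lines of the posted config (trunk, ACL and nat lines omitted).
ASA_CONFIG = """interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan200
 nameif phones
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
static (inside,phones) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (phones,inside) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)", re.M)

def parse_interfaces(cfg):
    """Map nameif -> (security-level, subnet) from the interface stanzas."""
    ifaces, cur = {}, {}
    for parts in (line.split() for line in cfg.splitlines()):
        if parts[:1] in (["interface"], ["!"]):
            cur = {}  # a new stanza, or the "!" that closes one, starts over
        elif parts[:1] == ["nameif"]:
            cur["if"] = parts[1]
        elif parts[:1] == ["security-level"]:
            cur["sec"] = int(parts[1])
        elif parts[:2] == ["ip", "address"]:
            cur["net"] = ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        if len(cur) == 3:  # all three attributes seen: record the interface
            ifaces[cur["if"]] = (cur["sec"], cur["net"])
    return ifaces

def identity_statics(cfg):
    """Set of (from_if, to_if, subnet) for statics that translate a subnet to itself."""
    return {(a, b, ip_network(f"{real}/{mask}", strict=False))
            for a, b, mapped, real, mask in STATIC_RE.findall(cfg) if mapped == real}

def check_inter_vlan(cfg, a, b):
    """List what the thread's prerequisites lack between a and b; [] means none missing."""
    ifaces, statics, findings = parse_interfaces(cfg), identity_statics(cfg), []
    (sec_a, net_a), (sec_b, net_b) = ifaces[a], ifaces[b]
    if sec_a == sec_b and "same-security-traffic permit inter-interface" not in cfg:
        findings.append(f"{a} and {b} are both level {sec_a} but inter-interface traffic is not permitted")
    for src, dst, net in ((a, b, net_a), (b, a, net_b)):
        if (src, dst, net) not in statics:
            findings.append(f"no identity static ({src},{dst}) for {net}")
    return findings
```

Run against the posted lines it returns an empty list, so the statements the thread asks about are all present; dropping one of them produces a finding naming it.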
8 Comments
 
LVL 10

Expert Comment

by:pclinuxguru
ID: 37784334
My guess would be a route is missing.

What does it say when you do try to ping?
LVL 2

Expert Comment

by:Fizicist
ID: 37785156
This sounds like a router-on-a-stick configuration, which Cisco has documented. This involves a switch that can handle VLANs and dot1q trunk encapsulation. Since you only have one network configured in your example, I'd ask what the setup is on the switch where you separated the VLANs. Do you have a port that's set up as a trunk that will pass both VLANs to the ASA 5505? If your ASA license allows, have you tried to make sub-interfaces? I read on Cisco that you need the Security Plus license to get sub-interfaces.
Maybe the router solution can give you an idea of how to set up the ASA 5505.

Author Comment

by:LouisvilleGeek
ID: 37788144
The Ethernet 0/0 port is trunked to the switch. The switch carries both VLANs. When I try to ping across the interfaces on the ASA there are timeouts.

In this case I am trying to ping locally on the ASA across the 2 VLAN interfaces from each other.

For example, I am running "ping phones 192.168.1.1" and "ping inside 10.0.10.1"; both result in timeouts.
LVL 1

Expert Comment

by:SHEEP
ID: 37788675
Remove the nat and static commands; you don't want to NAT, you want to route.

On that note can you post the result of
sh route

Author Comment

by:LouisvilleGeek
ID: 37800872
Sheep, I have to do some kind of NAT for the phones VLAN or else they can't get out to the Internet. Am I missing something here?

Gateway of last resort is 89.92.71.1 to network 0.0.0.0

C    89.92.71.2 255.255.255.240 is directly connected, isp
C    10.0.10.0 255.255.255.0 is directly connected, phones
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [128/0] via 89.92.71.1, isp

LVL 1

Expert Comment

by:SHEEP
ID: 37803528
I don't think so. NAT and VoIP don't go along too well, due to some devices having something called SIP ALG enabled by default.

Look in your configuration to see if you have

inspect sip

If you have it, remove it. If you don't have it, add it:
#conf t
(config)#policy-map global_policy
(config-pmap)#class inspection_default
(config-pmap-c)#inspect sip

You shouldn't need to add any NAT rules for your VoIP clients to connect to a VoIP server somewhere on the Internet; just make sure that you configure them with the ASA as the default gateway, 10.0.10.1.

Accepted Solution

by: LouisvilleGeek (earned 0 total points)
ID: 37866612
Abandoned question.  Closing ticket.

Author Closing Comment

by:LouisvilleGeek
ID: 37885312
Abandoned question.  Closing.