asa routing to vlan's on switch

Asked by melfarit
Topics: Routers, Hardware Firewalls, Networking Hardware-Other
Hi,

I'm trying to get my ASA 5505 (192.168.100.1) to route to 3 VLANs on a Cisco switch (192.168.100.2). If I use an add route on the Windows clients they can access the VLANs fine. If they use the ASA as default gateway they cannot. The ASA is dropping the packets. Guessing I miss an access list?

The 3 Vlans are:

192.168.150.0 255.255.255.0
192.168.200.0 255.255.255.0
192.168.250.0 255.255.255.0

TIA

LHC

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.100.0_24
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
 subnet 192.168.50.0 255.255.255.0
object network NETWORK_OBJ_10.2.0.0_24
 subnet 10.2.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.2.0.1-10.2.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.2.0.0_24 NETWORK_OBJ_10.2.0.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.150.0 255.255.255.0 192.168.100.2 1
route inside 192.168.200.0 255.255.255.0 192.168.100.2 1
route inside 192.168.250.0 255.255.255.0 192.168.100.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
e
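One thing worth checking in a configuration like the one posted above, as an added example that is not part of the original thread or its accepted answer: by default an ASA does not forward traffic back out the interface it arrived on unless `same-security-traffic permit intra-interface` is configured. The sketch below flags static routes that force that path; `SAMPLE_CONFIG` is constructed from the relevant lines of the post, and the function names and the `client_ifs` parameter (interfaces assumed to carry clients that use the ASA as default gateway) are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the configuration posted above.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
route inside 192.168.150.0 255.255.255.0 192.168.100.2 1
route inside 192.168.200.0 255.255.255.0 192.168.100.2 1
route inside 192.168.250.0 255.255.255.0 192.168.100.2 1
"""

def interface_networks(config):
    """Map each nameif to the network configured on that interface."""
    nets, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None  # a new interface block starts; forget the old name
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s+ip address (\d\S+) (\d\S+)", line)
        if m and name:
            nets[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    return nets

def hairpin_findings(config, client_ifs=("inside",)):
    """Return (interface, destination, next hop) for static routes on a client
    interface whose next hop sits on that interface's own subnet, when
    intra-interface forwarding is not permitted in the config."""
    if re.search(r"^same-security-traffic permit intra-interface\s*$", config, re.M):
        return []
    nets = interface_networks(config)
    findings = []
    for m in re.finditer(r"^route (\S+) (\d\S+) (\d\S+) (\d\S+)", config, re.M):
        ifname, dest, mask, hop = m.groups()
        net = nets.get(ifname)
        if ifname in client_ifs and net and ipaddress.ip_address(hop) in net:
            findings.append((ifname, str(ipaddress.ip_network(f"{dest}/{mask}")), hop))
    return findings

if __name__ == "__main__":
    for ifname, dest, hop in hairpin_findings(SAMPLE_CONFIG):
        print(f"{dest} via {hop}: enters and leaves '{ifname}', intra-interface not permitted")
```

Permitting intra-interface traffic does not change the return path: replies from 192.168.100.2 go straight to clients on the same subnet, so the ASA sees only one direction of each TCP flow.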