ASA 5510 Trunking (Solved)

Posted on 2014-01-09
Last Modified: 2016-11-23
Hi all.  I am banging my head here.  I have an ASA 5510 with Security Plus and trying to configure a trunk port.  I can't tell if the Dell PowerConnect 5424 is the issue or my ASA config.  Here is the ASA config below. Is this the correct configuration?  I have a PC connected to an access port 22 which I tested and works with another access port 22 PC. When I ping from the PC to the 10.95.22.1 it does not go through.  I have added icmp permit storage as well. My PowerConnect is set for trunk mode and tagged with vlan 22.  I also added vlan 22 to the database.  I can get a trunk between two PowerConnects fine. Do I need a xover cable?

interface Ethernet0/1
 description 802.1q Trunk
 nameif trunk-test
 security-level 100
 no ip address
!
interface Ethernet0/1.22
 description Storage
 vlan 22
 nameif storage
 security-level 100
 ip address 10.95.22.1 255.255.255.0
Question by: lconnell
Expert Comment by Akinsd (LVL 18, ID: 39769986)
Do a packet trace.
The problem is 99% ACL related.
Author Comment by lconnell (ID: 39770016)
Ok, I will try a packet trace. There are no ACLs for that interface. Doesn't security-level 100 allow it through?
Accepted Solution by Cyclops3590 (LVL 25, earned 250 total points, ID: 39771241)
First off, get rid of the security-level on the physical port. It's not needed and can only mess things up.

Second, security level only means something when a packet is going from one interface and out another, not to the ASA.

Third, make sure the interface on the ASA is up using the 'no shutdown' command. By default it is down.

Fourth, ACLs don't matter in this case. ACLs are for governing traffic that goes /through/ the ASA, not to it. At least not ACLs applied to interfaces.

Packet trace should definitely help in this case, but will only state how the ASA will process the packet based on what the command is given. It should at least show if anything is wrong on the ASA side of things, though, not necessarily on the switch side. "permit icmp" is definitely what you use to allow ICMP TO the ASA, so you're right there.

Switch side, you just need to make sure the port is 802.1q (I can't believe it would be anything else, to be honest) and is a trunk. You say you did that, so you should be fine. You don't need a crossover cable between the switch and the ASA. A straight-through is what you want, and I assume that's what you have right now.
Author Comment by lconnell (ID: 39772829)
I got rid of the security level and nameif on e0/1. No ACLs are in place. I can ping the vlan 22 IP from within the ASA. I have the switch port trunked. I'm still having issues. The switch is a PowerConnect from Dell, so possibly that is the problem. I do have the trunk working between two Dell switches though.
Expert Comment by Cyclops3590 (LVL 25, ID: 39773292)
Have you done the packet trace yet? If so, please post the complete result of that test. If that doesn't give any clues, the next step is to upload the ASA config (sanitized of course to remove passwords and the first 2 octets of any public IPs, as well as any other names that might identify which organization this is for) as well as the config for the Dell switches. I haven't worked with them before, so if there isn't any text config, please upload the switch port configs via screenshots.
Expert Comment by Akinsd (LVL 18, ID: 39773482)
packet-tracer input inside tcp <source ip> 4444 <destination ip> 4444 detailed

Definitely some sort of ACL or route issue. No ACL in place is similar (literally) to a deny statement.
You need to create one and permit interesting traffic and assign the ACL to desired interface

Same level security traffic command is tied to a default (built-in ACL)
See if that is on
show run same-security-traffic

If off, turn them on
hostname(config)# same-security-traffic permit inter-interface
hostname(config)# same-security-traffic permit intra-interface


Other possibilities
Check the firewall settings on the PC 10.95.22.1
- Firewall.cpl
- Allow a program or feature through Windows Firewall
- File and Printer sharing.
This setting, if unchecked for the network type, will not allow pings through

If that's out of the way
Author Comment by lconnell (ID: 39774110)
Thanks for responses. same-security was turned on, both of them.

It's not a PC issue.

If I have to implicitly set an ACL to allow traffic that's on the same subnet/vlan, then that would be the issue. I didn't think I had to, since it's the same subnet/vlan...? Below is a trimmed-down config. I plug the trunked port allowing vlan 22 of the PowerConnect into e0/1. I have a PC on an access port of 22 on the PowerConnect. I can ping other access ports on vlan 22. I can plug another PowerConnect into this PowerConnect on a trunk port and ping a PC across the trunk on the same vlan. I don't have access to the FW right now, so I can't do a packet trace.

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.89.101.1 255.255.255.0

interface Ethernet0/1
 no nameif
 no ip address

interface Ethernet0/1.22
 vlan 22
 nameif Storage
 security-level 100
 ip address 10.95.22.1 255.255.255.0

access-list inside_access_in extended permit ip any any

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


object network obj-10.89.101.0
 nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside
Expert Comment by Cyclops3590 (LVL 25, ID: 39774140)
I would bet money this is not an ACL issue. If no ACL is applied, then the security level is used to determine access control (unless a global ACL is applied). A security level of 100 can only be denied if you are trying to go between two interfaces with a level 100 set and you haven't configured same security level inter interface. Regardless, interface ACLs do NOT apply to traffic destined for the ASA itself; only to traffic going THRU it. So when no ACL is applied, default behavior is determined by security levels, but only for traffic thru the firewall.

Allowing ICMP traffic to the ASA is done via "permit icmp", which supposedly has already been done. My guess is there is a trunking issue.

However, without a complete config to know what is going on within the ASA or the Dell switch, it's hard to know for sure.

It's stated "can ping vlan 22 ip from within the asa".
What does that mean? So from the ASA you pinged the switch IP? Or a PC on vlan 22? Just curious, because if yes, then trunking and switches are configured fine and we need to double check ICMP is being permitted.

Without knowing how everything is configured it's very difficult to know where the issue might be. It could be the ASA, but from what you're saying about its configuration I would highly doubt it. This is why I'm leaning toward the switches not being configured right and why I would like to see the configuration there. Also, the entire ASA config (sanitized of course) would be nice just so Akinsd and I can verify there isn't something else that might be affecting your ability to ping the ASA's interface.
Author Comment by lconnell (ID: 39775013)
Cyclops, I meant I could ping vlan 22 interface on the ASA from within the ASA. I took out all the crypto map stuff, see below.

names

name 10.81.14.10 clearchannel1
name 10.81.14.17 clearchannel2
name 10.81.14.16 clearchannel3
name 10.81.15.0 clearchannelnet2
name 10.81.14.0 clearchannelnet1
name 10.89.103.224 vpn-phones

name x.x.72.78 outside-nat-x.x.72.78

dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.89.101.2 255.255.255.0
!
interface Ethernet0/0.16
 vlan 16
 nameif voice
 security-level 100
 ip address 10.89.103.2 255.255.255.0
!
interface Ethernet0/1
 no nameif
 no ip address
!
interface Ethernet0/1.22
 vlan 22
 nameif Storage
 ip address 10.95.22.1 255.255.255.0
!
interface Ethernet0/2
 nameif wireless
 security-level 10
 ip address 10.89.102.2 255.255.255.0
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address x.x.72.77 255.255.255.240
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup voice
dns domain-lookup wireless
dns domain-lookup outside
dns domain-lookup management

access-list outside_cryptomap_1 extended permit ip interface outside object-group E-network
access-list inside_nat0_outbound extended permit ip 10.89.101.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip 10.89.101.0 255.255.255.0 object K-network
access-list inside_nat0_outbound extended permit ip 10.89.101.0 255.255.255.0 object-group clearchannel
access-list inside_nat0_outbound extended permit ip 10.89.101.0 255.255.255.0 object ofs-vpn-gateway
access-list sslvpn_client_unrestricted extended permit ip object sslvpn-client-network any
access-list outside_nat_outbound extended permit ip object sslvpn-client-network object-group MS-remote-networks
access-list sslvpn_tunnelednetworks remark Internal network
access-list sslvpn_tunnelednetworks standard permit 10.89.101.0 255.255.255.0
access-list sslvpn_tunnelednetworks remark D server network
access-list sslvpn_tunnelednetworks standard permit 172.23.35.0 255.255.255.0
access-list sslvpn_tunnelednetworks remark B office network
access-list sslvpn_tunnelednetworks standard permit 192.168.0.0 255.255.255.0
access-list sslvpn_tunnelednetworks remark E
access-list sslvpn_tunnelednetworks standard permit 192.168.89.0 255.255.255.0
access-list sslvpn_tunnelednetworks remark E
access-list sslvpn_tunnelednetworks standard permit 192.168.250.0 255.255.254.0
access-list sslvpn_client_F extended permit ip object sslvpn-client-network object-group F
access-list sslvpn_client_F extended permit object-group TCPUDP object sslvpn-client-network object-group sslvpn-dns-servers eq domain
access-list sslvpn_client_F remark Test-TEST
access-list sslvpn_client_F extended permit object-group TCPUDP object sslvpn-client-network object D-server-network
access-list outside_cryptomap extended permit ip 10.89.101.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_nat_outbound_1 extended permit ip object sslvpn-client-network 10.89.101.0 255.255.255.0
access-list outside_nat_outbound_1 extended permit ip object sslvpn-client-network object-group MS-remote-networks
access-list inside_nat_static extended permit tcp object files.MS.net-internal eq https any
access-list sslvpn_R_only extended permit ip object sslvpn-client-network 10.89.101.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 10.89.101.0 255.255.255.0 object K-network
access-list sslvpn_tunneled_Ronly remark Internal network
access-list sslvpn_tunneled_Ronly standard permit 10.89.101.0 255.255.255.0
access-list sslvpn_tunneled_Ronly remark D Network
access-list sslvpn_tunneled_Ronly standard permit 172.23.35.0 255.255.255.0
access-list sslvpn_tunneled_Ronly remark VPN Network
access-list sslvpn_tunneled_Ronly standard permit 172.23.36.0 255.255.255.0
access-list dmz_access_in extended permit ip object skles03 object D-skles-cnx
access-list inside_nat_static_1 extended permit tcp object w2k3iis-01.internal eq 81 object web-services-client
access-list inside_nat_outbound extended permit ip 10.89.101.0 255.255.255.0 172.23.33.0 255.255.255.0
access-list inside_nat_outbound extended permit ip object-group MS-remote-networks object sslvpn-client-network
access-list VPN-D extended permit object-group DM_INLINE_SERVICE_5 host 172.23.35.0 host 172.23.35.0
access-list vpnphone_tunneled standard permit any
access-list vpnphone extended permit ip object vpn-phones object-group clearchannel
access-list vpnphone extended permit ip object vpn-phones 10.89.103.0 255.255.255.0
access-list vpnphone extended permit ip object vpn-phones object B-voice-network
access-list voice_nat0_outbound extended permit ip object-group clearchannel object vpn-phones
access-list voice_nat0_outbound extended permit ip 10.89.103.0 255.255.255.0 object vpn-phones
access-list voice_access_in extended deny ip 10.89.103.0 255.255.255.0 object-group MS-all-networks
access-list voice_access_in extended permit ip 10.89.103.0 255.255.255.0 any
access-list voice_access_in extended permit ip object B-voice-network object vpn-phones
access-list voice_access_in extended permit ip object-group clearchannel object vpn-phones
access-list voice_access_in extended permit ip object-group clearchannel object TASKGSRV
access-list outside_nat0_outbound_1 extended permit ip object vpn-phones object-group clearchannel
access-list outside_nat0_outbound_1 extended permit ip object vpn-phones 10.89.103.0 255.255.255.0
access-list sslvpn_client_callcopy extended permit ip object sslvpn-client-network object-group CALLCOPY
access-list sslvpn_client_callcopy extended permit object-group TCPUDP object sslvpn-client-network object-group sslvpn-dns-servers eq domain
access-list sslvpn_E extended permit ip object sslvpn-client-network object-group E-network
access-list outside_cryptomap_5 extended permit ip object skles03 object D-skles-cnx
access-list outside_cryptomap_5 extended permit ip object sslvpn-client-network object D-server-network
access-list inside_nat_static_3 extended permit tcp object demo.MS.net-internal eq 3389 any
access-list inside_nat_static_4 extended permit udp object demo.MS.net-internal eq 3389 any
access-list outside_access_in extended permit ip object sslvpn-client-network object-group MS-all-networks
access-list outside_access_in extended permit ip object-group MS-remote-networks 10.89.101.0 255.255.255.0
access-list outside_access_in extended permit ip object D-skles-cnx object skles03
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object sslvpn-client-network object-group MS-all-networks
access-list outside_access_in extended permit ip object sslvpn-client-network object-group E-network
access-list outside_access_in extended permit tcp any object files.MS.net-internal eq https
access-list outside_access_in remark Migration, ACE (line 6) expanded: permit object-group TCPUDP any host outside-nat-107.1.72.78 eq
access-list outside_access_in extended permit udp any object demo.MS.net-internal eq 3389
access-list outside_access_in extended permit tcp any object demo.MS.net-internal eq 3389
access-list outside_access_in remark Migration: End of expansion
access-list outside_access_in extended permit tcp object web-services-client object w2k3iis-01.internal eq 81
access-list outside_access_in extended permit tcp any object project.MS.net-internal object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit object MSSQL-DB any object obj-10.89.101.214
access-list outside_access_in extended permit udp object-group site-to-site-vpn-tunnel-peers interface outside eq isakmp
access-list outside_access_in extended permit object ipsec-nat-t object-group site-to-site-vpn-tunnel-peers interface outside
access-list outside_access_in extended permit ah object-group site-to-site-vpn-tunnel-peers interface outside
access-list outside_access_in extended permit esp object-group site-to-site-vpn-tunnel-peers interface outside
access-list outside_access_in extended permit ip object-group OFS 10.89.101.0 255.255.255.0 inactive
access-list outside_access_in extended permit object-group TCPUDP object-group OFS object-group sslvpn-dns-servers eq domain inactive
access-list outside_access_in extended permit tcp object-group OFS object ki-nas object-group windows-file-sharing inactive
access-list outside_access_in extended permit ip object vpn-phones object-group clearchannel
access-list outside_access_in extended permit ip object vpn-phones 10.89.103.0 255.255.255.0
access-list outside_access_in extended permit ip object vpn-phones object B-voice-network
access-list outside_access_in extended permit tcp object ofs-vpn-gateway 10.89.101.0 255.255.255.0 object-group DM_INLINE_TCP_1 inactive
access-list outside_access_in extended permit icmp object ofs-vpn-gateway 10.89.101.0 255.255.255.0 echo inactive
access-list outside_access_in remark Migration: End of expansion
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_cryptomap_6 extended permit ip 10.89.101.0 255.255.255.0 object B-internal-network
access-list outside_mpc extended permit tcp any object obj-x.x.72.76 eq 1433
access-list sslvpn_unrestricted remark D Network
access-list sslvpn_unrestricted standard permit 172.23.35.0 255.255.255.0
access-list sslvpn_unrestricted remark VPN
access-list sslvpn_unrestricted standard permit 192.168.0.0 255.255.255.0
access-list sslvpn_unrestricted remark Internal Network
access-list sslvpn_unrestricted standard permit 10.89.101.0 255.255.255.0
access-list sslvpn_split_MS standard permit 10.89.101.0 255.255.255.0
access-list sslvpn_split_MS standard permit 172.23.35.0 255.255.255.0
access-list sslvpn_split_MS standard permit 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 any 10.89.102.0 255.255.255.0 inactive
access-list ssltsi_remoterestriction remark Deny
access-list ssltsi_remoterestriction standard deny 10.89.101.0 255.255.255.0
access-list ssltsi_remoterestriction remark Remote Host
access-list ssltsi_remoterestriction standard permit host 10.89.101.217
pager lines 24
logging enable
logging buffer-size 1000000
logging buffered debugging
logging trap warnings
logging asdm informational
logging host inside 10.89.101.217 format emblem
mtu inside 1500
mtu voice 1500
mtu dmz 1500
mtu wireless 1500
mtu outside 1500
mtu management 1500
ip local pool sslvpn_ip_pool 172.23.36.1-172.23.36.100 mask 255.255.255.0
ip local pool vpnphone 10.89.103.193-10.89.103.254 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface voice
ip verify reverse-path interface wireless
ip verify reverse-path interface outside
ip verify reverse-path interface management
no failover
icmp unreachable rate-limit 1 burst-size 1

no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-10.89.101.0 obj-10.89.101.0 destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 route-lookup
nat (inside,outside) source static obj-10.89.101.0 obj-10.89.101.0 destination static sslvpn-client-network sslvpn-client-network route-lookup
nat (inside,any) source static obj-10.89.101.0 obj-10.89.101.0 destination static obj-10.89.102.0 obj-10.89.102.0 no-proxy-arp
nat (inside,voice) source static obj-10.89.101.0 obj-10.89.101.0 destination static obj-10.89.103.0 obj-10.89.103.0 no-proxy-arp
nat (inside,any) source static obj-10.89.101.0 obj-10.89.101.0 destination static K-network K-network no-proxy-arp
nat (inside,any) source static obj-10.89.101.0 obj-10.89.101.0 destination static clearchannel clearchannel no-proxy-arp
nat (inside,any) source static obj-10.89.101.0 obj-10.89.101.0 destination static OFS OFS no-proxy-arp inactive
nat (inside,outside) source static files.MS.net-internal outside-nat-107.1.72.78 service obj-tcp-source-eq-443 obj-tcp-source-eq-443
nat (inside,outside) source static w2k3iis-01.internal outside-nat-107.1.72.78 destination static web-services-client web-services-client service obj-tcp-source-eq-81 obj-tcp-source-eq-80
nat (inside,outside) source static demo.MS.net-internal outside-nat-107.1.72.78 service obj-tcp-source-eq-3389 obj-tcp-source-eq-3389
nat (inside,outside) source static demo.MS.net-internal outside-nat-107.1.72.78 service obj-udp-source-eq-3389 obj-udp-source-eq-3389
nat (inside,outside) source static project.MS.net-internal project.MS.net-external service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source static project.MS.net-internal project.MS.net-external service obj-tcp-source-eq-443 obj-tcp-source-eq-443
nat (inside,outside) source static obj-10.89.101.214 obj-10.89.101.214 service MSSQL-DB MSSQL-DB
nat (inside,dmz) source dynamic obj-10.89.101.0 interface destination static obj-172.23.33.0 obj-172.23.33.0
nat (voice,inside) source static clearchannel clearchannel destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (voice,inside) source static obj-10.89.103.0 obj-10.89.103.0 destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (voice,voice) source static clearchannel clearchannel destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (voice,voice) source static obj-10.89.103.0 obj-10.89.103.0 destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (voice,outside) source static clearchannel clearchannel destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (voice,outside) source static obj-10.89.103.0 obj-10.89.103.0 destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (voice,outside) source static B-voice-network B-voice-network destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (outside,inside) source static vpn-phones vpn-phones destination static clearchannel clearchannel no-proxy-arp route-lookup
nat (outside,inside) source static vpn-phones vpn-phones destination static obj-10.89.103.0 obj-10.89.103.0 no-proxy-arp route-lookup
nat (outside,voice) source static vpn-phones vpn-phones destination static clearchannel clearchannel no-proxy-arp route-lookup
nat (outside,voice) source static vpn-phones vpn-phones destination static obj-10.89.103.0 obj-10.89.103.0 no-proxy-arp route-lookup
nat (outside,outside) source static vpn-phones vpn-phones destination static clearchannel clearchannel no-proxy-arp route-lookup
nat (outside,outside) source static vpn-phones vpn-phones destination static obj-10.89.103.0 obj-10.89.103.0 no-proxy-arp route-lookup
nat (outside,voice) source static vpn-phones vpn-phones destination static B-voice-network B-voice-network no-proxy-arp route-lookup
nat (outside,inside) source dynamic sslvpn-client-network interface destination static obj-10.89.101.0 obj-10.89.101.0
nat (outside,inside) source static project.MS.net-external obj-107.1.72.76 destination static obj-10.89.101.214 obj-10.89.101.214 service MSSQL-DB MSSQL-DB
nat (outside,outside) source static any any destination static sslvpn-client-network sslvpn-client-network route-lookup
nat (inside,outside) source static any any destination static sslvpn-client-network sslvpn-client-network no-proxy-arp route-lookup
nat (outside,outside) source static sslvpn-client-network sslvpn-client-network destination static D-server-network D-server-network no-proxy-arp route-lookup
!
object network obj-10.89.101.0
 nat (inside,outside) dynamic interface
object network sslvpn-client-network
 nat (outside,inside) dynamic interface
object network obj-10.89.103.0
 nat (voice,outside) dynamic interface
object network obj-10.89.102.0
 nat (wireless,outside) dynamic interface
object network obj-x.x.72.76
 nat (outside,inside) static obj-10.89.101.214 service tcp 1433 1433
 
access-group inside_access_in in interface inside
access-group voice_access_in in interface voice
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.72.65 1
route voice clearchannelnet1 255.255.255.0 10.89.103.1 1
route voice clearchannel1 255.255.255.255 10.89.103.1 1
route voice clearchannel2 255.255.255.255 10.89.103.1 1
route voice clearchannelnet2 255.255.255.0 10.89.103.1 1
route voice 10.89.100.0 255.255.255.0 10.89.103.1 1
route outside x.x.72.76 255.255.255.255 x.x.72.65 1


user-identity default-domain LOCAL
no user-identity inactive-user-timer
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp dmz
sysopt noproxyarp wireless
sysopt noproxyarp management

telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
ssh version 2
console timeout 5
management-access inside
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 50
dhcpd address 10.89.103.11-10.89.103.100 voice
dhcpd dns x.x.73.246 x.x.71.230 interface voice
dhcpd option 3 ip 10.89.103.1 interface voice
dhcpd option 242 ascii L2QVLAN=16,HTTPSRVR=10.81.14.10,MCIPADD=10.81.14.11 interface voice
dhcpd enable voice
!
dhcpd address 10.89.102.101-10.89.102.200 wireless
dhcpd dns 8.8.8.8 4.2.2.2 interface wireless
dhcpd option 3 ip 10.89.102.1 interface wireless
dhcpd enable wireless
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server ki-adc2 source inside prefer
ssl trust-point ASDM_TrustPoint4 outside
ssl trust-point ASDM_TrustPoint4 wireless

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options
  inspect pptp
  inspect sip
 class class-default
  user-statistics accounting
policy-map 1433-Allow
 class outside-class
  set connection conn-max 100 embryonic-conn-max 100
!
service-policy global_policy global


### Dell PowerConnect

vlan database
 vlan 22

interface ethernet g1
 switchport mode trunk
 switchport trunk allowed vlan add 22

interface ethernet g2
 switchport access vlan 22
Assisted Solution by Akinsd (LVL 18, earned 250 total points, ID: 39775444)
Let's try to find where the traffic is failing first and narrow it down otherwise, it will be a wild goose chase.

packet-tracer input inside tcp 10.89.102.2 4444 10.95.22.? 4444 detailed
where ? is a local IP or a PC IP

packet-tracer input Storage tcp 10.95.22.1 4444 10.89.102.2   4444 detailed


show run access-group inside_access_in
show run access-group dmz_access_in in interface dmz
show run access-group outside_access_in in interface outside
Expert Comment by Cyclops3590 (LVL 25, ID: 39776946)
Please add the following:

icmp permit any Storage

That is what will allow you to ping the Storage interface's IP address from anything off that interface. You can do the same for other interfaces if you really want to. I thought you said you added that, but I'm not seeing it. Correct me if I'm wrong.

Also, add a security level to the Storage interface. Since you don't have an ACL applied to it, it will most likely block everything trying to go thru it, unless that is what you want, but then I'd add a security level 0 anyway or an explicit ACL to ensure it blocks everything.
Author Comment by lconnell (ID: 39778065)
I did have it in there, sorry I didn't include that. Isn't a security level of 10 supposed to let a security-level of 100 access? There are no ACLs for 10.89.102.2 (wireless).

packet-tracer input Storage tcp 10.95.22.1 4444 10.89.102.$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae338ad8, priority=1, domain=permit, deny=false
        hits=86, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Storage, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.89.102.2     255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xb02c8958, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.95.22.1, mask=255.255.255.255, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Storage, output_ifc=any

Result:
input-interface: Storage
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Author Comment by lconnell (ID: 39778089)
So, problem solved.  I swapped out the powerconnect for a catalyst and the trunk works :)

I just need to get the storage vlan to be able to go out the internet. I am successfully pinging the 10.95.22.1 ip on vlan 22 on the ASA.
Author Comment by lconnell (ID: 39778095)
I added my nat statements for that subnet and internet traffic is flowing :)

So at this point I would just create nat statements and acl's to allow traffic between vlan's?
Expert Comment by Cyclops3590 (LVL 25, ID: 39778115)
OK, thanks for the sanity confirmation. I knew it had to be a trunking issue and not an ACL issue.

When it comes to allowing traffic THRU the firewall, there are mainly 2 rules to know.

1) No ACL applied to the interface (direction matters as well, but normally there are only inbound rules applied) means security-levels are used by default. High to low is allowed. If same, then same-security inter-interface must be configured.
2) If interface ACLs are applied, then those matter.

Global ACLs change it a little, but unless you have a true need for them, stay away from them.

The second part is NAT. Yes, you need some type of translation rule. If one is not applied, no translation is done.
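Pulling the thread's recommendations together, the following is an added example of a complete Storage VLAN configuration on the ASA side, written by the editor in ASA 8.4-style syntax. It is not the poster's config and not something either expert posted. It assumes the object name obj-10.95.22.0, the ACL name Storage_access_in, the sample hosts 10.95.22.10 (a PC on VLAN 22) and 10.89.101.50 (a host on inside), and the example service ports; none of these appear in the thread. It covers the points from Cyclops3590's answers (no nameif or security-level on the physical trunk port, no shutdown, icmp permit for pings to the box, a security level plus an explicit ACL on the sub-interface, NAT for the new subnet) and the packet-tracer verification that Akinsd recommended.

```cisco
! Physical port carries only the 802.1q trunk: no nameif, no security-level,
! no IP address. Per-VLAN settings live on sub-interfaces. Untagged frames
! arriving here belong to no named interface and are not processed.
! The port is administratively down by default, so bring it up explicitly.
interface Ethernet0/1
 description 802.1q trunk to switch
 no nameif
 no ip address
 no shutdown
!
! Tagged VLAN 22 = Storage. The security-level was missing from the posted
! config; without it the interface has no default access policy at all.
interface Ethernet0/1.22
 description Storage VLAN
 vlan 22
 nameif Storage
 security-level 100
 ip address 10.95.22.1 255.255.255.0
 no shutdown
!
! Interface ACLs only govern traffic THROUGH the ASA. Pings TO the
! Storage interface IP itself are controlled by the icmp command.
icmp permit any Storage
!
! Storage (100) and inside (100) are equal-level interfaces, so traffic
! between them needs the same-security command.
same-security-traffic permit inter-interface
!
! Network object for the Storage subnet (assumed name obj-10.95.22.0).
! Object NAT gives VLAN 22 Internet access through the outside interface
! IP, the same way the poster's inside subnet is translated.
object network obj-10.95.22.0
 subnet 10.95.22.0 255.255.255.0
 nat (Storage,outside) dynamic interface
!
! Identity twice-NAT so inside <-> Storage traffic keeps its real addresses,
! following the pattern of the poster's existing inside rules.
nat (inside,Storage) source static obj-10.89.101.0 obj-10.89.101.0 destination static obj-10.95.22.0 obj-10.95.22.0 no-proxy-arp route-lookup
!
! Explicit inbound ACL on Storage (assumed name Storage_access_in). Once an
! ACL is applied, security levels no longer decide for this interface, so
! list only what is needed and let the implicit deny drop the rest.
! Port numbers here are examples, not from the thread.
access-list Storage_access_in extended permit icmp 10.95.22.0 255.255.255.0 10.89.101.0 255.255.255.0
access-list Storage_access_in extended permit tcp 10.95.22.0 255.255.255.0 10.89.101.0 255.255.255.0 eq 445
access-list Storage_access_in extended permit tcp 10.95.22.0 255.255.255.0 any eq www
access-list Storage_access_in extended permit tcp 10.95.22.0 255.255.255.0 any eq https
access-group Storage_access_in in interface Storage
!
! Verification, in order: is the physical line protocol up, is the
! sub-interface up and counting VLAN 22 packets, is the icmp permit in
! place, and how does the ASA process a flow from VLAN 22 to inside and
! from VLAN 22 to the Internet (sample addresses are assumed).
show interface Ethernet0/1
show interface Ethernet0/1.22
show run icmp
packet-tracer input Storage tcp 10.95.22.10 1025 10.89.101.50 445 detailed
packet-tracer input Storage tcp 10.95.22.10 1025 8.8.8.8 80 detailed
```

Reading the packet-tracer output the same way the poster's run above was read: an ACCESS-LIST phase that ends in "Result: DROP" with "Implicit Rule" means no applied ACL or security-level relationship permits the flow, which is an ASA-side problem; if every phase shows ALLOW but the physical port's packet counters stay at zero, the tagged frames are not reaching the ASA and the trunk on the switch side is where to look, which is what the thread eventually found.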