Solved

multiple VLANs on asa5505 not communicating well together

Posted on 2014-02-07
345 Views
Last Modified: 2014-07-03
Long story short: we need more than 250 IP addresses and realized that the ASA can only do an IP pool of max 250, so we created multiple VLANs, each with a new IP pool.


We have 4 switches, and I created 4 VLANs and connected 1 port of the ASA to each VLAN.

I thought that adding the line same-security-traffic permit inter-interface would allow easy access among the VLANs, but that was not the case.

I called Cisco and they made me add static routes and access-groups. VLAN 4 can now communicate with VLAN 5, but I don't think it is proper. Can someone review the config below and let me know what is wrong with it, and why, if a printer with a static IP is connected to switch 1, I can't communicate with switch 2?

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(5) 
!
hostname ciscoasa
enable password pH9AxSYvrEY14oi6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 description LAN TRUNK
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 30
!
interface Ethernet0/6
 switchport access vlan 20
!
interface Ethernet0/7
 switchport access vlan 10
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x. 255.255.255.252 
!
interface Vlan10
 nameif inside3
 security-level 99
 ip address 192.168.103.1 255.255.255.0 
!
interface Vlan20
 nameif inside4
 security-level 98
 ip address 192.168.104.1 255.255.255.0 
!
interface Vlan30
 nameif inside5
 security-level 97
 ip address 192.168.105.1 255.255.255.0 
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.104.0 255.255.255.0
 network-object 192.168.105.0 255.255.255.0
 network-object 204.28.126.4 255.255.255.252
 network-object 192.168.101.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.103.0 255.255.255.0
 network-object 192.168.105.0 255.255.255.0
 network-object 204.28.126.4 255.255.255.252
 network-object 192.168.101.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.103.0 255.255.255.0
 network-object 192.168.104.0 255.255.255.0
 network-object 204.28.126.4 255.255.255.252
 network-object 192.168.101.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object 192.168.103.0 255.255.255.0
 network-object 192.168.104.0 255.255.255.0
 network-object 192.168.105.0 255.255.255.0
 network-object 204.28.126.4 255.255.255.252
access-list inside3_access_in extended permit ip any 192.168.104.0 255.255.255.0 inactive 
access-list inside3_access_in extended permit ip any 192.168.105.0 255.255.255.0 inactive 
access-list inside3_access_in extended permit ip any 204.28.126.4 255.255.255.252 inactive 
access-list inside4_access_in extended permit ip any 192.168.103.0 255.255.255.0 inactive 
access-list inside4_access_in extended permit ip any 192.168.105.0 255.255.255.0 inactive 
access-list inside4_access_in extended permit ip any interface outside inactive 
access-list inside5_access_in extended permit ip any 192.168.104.0 255.255.255.0 inactive 
access-list inside5_access_in extended permit ip any 192.168.103.0 255.255.255.0 inactive 
access-list inside5_access_in_1 extended permit ip any object-group DM_INLINE_NETWORK_3 
access-list inside5_access_in_1 extended permit ip any any 
access-list inside4_access_in_1 extended permit ip any object-group DM_INLINE_NETWORK_2 
access-list inside4_access_in_1 extended permit ip any any 
access-list inside3_access_in_1 extended permit ip any object-group DM_INLINE_NETWORK_1 
access-list inside3_access_in_1 extended permit ip any any 
access-list inside_access_in extended permit ip any object-group DM_INLINE_NETWORK_4 
access-list inside_access_in extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inside3 1500
mtu inside4 1500
mtu inside5 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside3) 1 0.0.0.0 0.0.0.0
nat (inside4) 1 0.0.0.0 0.0.0.0
nat (inside5) 1 0.0.0.0 0.0.0.0
static (inside3,inside4) 192.168.103.0 192.168.103.0 netmask 255.255.255.0 
static (inside4,inside3) 192.168.104.0 192.168.104.0 netmask 255.255.255.0 
static (inside4,inside5) 192.168.104.0 192.168.104.0 netmask 255.255.255.0 
static (inside5,inside4) 192.168.105.0 192.168.105.0 netmask 255.255.255.0 
static (inside3,inside5) 192.168.103.0 192.168.103.0 netmask 255.255.255.0 
static (inside5,inside3) 192.168.105.0 192.168.105.0 netmask 255.255.255.0 
static (inside3,inside) 192.168.103.0 192.168.103.0 netmask 255.255.255.0 
static (inside4,inside) 192.168.104.0 192.168.104.0 netmask 255.255.255.0 
static (inside5,inside) 192.168.105.0 192.168.105.0 netmask 255.255.255.0 
static (inside,inside3) 192.168.101.0 192.168.101.0 netmask 255.255.255.0 
static (inside,inside4) 192.168.101.0 192.168.101.0 netmask 255.255.255.0 
static (inside,inside5) 192.168.101.0 192.168.101.0 netmask 255.255.255.0 
access-group inside_access_in in interface inside
access-group inside3_access_in_1 in interface inside3
access-group inside4_access_in_1 in interface inside4
access-group inside5_access_in_1 in interface inside5
route outside 0.0.0.0 0.0.0.0 x.x.x.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 208.80.68.212 204.14.152.2
dhcpd lease 14400
!
dhcpd address 192.168.101.10-192.168.101.250 inside
dhcpd dns 208.80.68.212 204.14.152.2 interface inside
dhcpd lease 14400 interface inside
dhcpd domain unow interface inside
dhcpd enable inside
!
dhcpd address 192.168.103.10-192.168.103.250 inside3
dhcpd dns 208.80.68.212 204.14.152.2 interface inside3
dhcpd lease 14400 interface inside3
dhcpd domain unow interface inside3
dhcpd enable inside3
!
dhcpd address 192.168.104.20-192.168.104.250 inside4
dhcpd dns 208.80.68.212 204.14.152.2 interface inside4
dhcpd lease 14400 interface inside4
dhcpd domain unow interface inside4
dhcpd enable inside4
!
dhcpd address 192.168.105.10-192.168.105.250 inside5
dhcpd dns 208.80.68.212 204.14.152.2 interface inside5
dhcpd lease 14400 interface inside5
dhcpd domain unow interface inside5
dhcpd enable inside5
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:9f3c3b74034a3efa358f655113488438
: end



Thank you.
Question by:odewulf
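Added example, not part of the thread and not Cisco's code: a small model of how an ASA running 8.2 decides whether a host on one VLAN interface may open a connection to a host on another (first the inbound ACL or, without one, the security levels; then NAT), run over a constructed cut-down copy of the posted "sh run" containing only the inside4/inside5 pair the poster says now works. The assumptions are that nat-control is off (the 8.2 default, and the posted config has no nat-control line), that an identity static (the TAC-added lines) exempts a flow from the dynamic nat rule, and that a flow matching "nat (x) 1 0.0.0.0 0.0.0.0" with no "global (egress) 1" is dropped. The variants strip parts of the sample to show what each posted line is doing.

```python
import ipaddress
import re

# Constructed cut-down copy of the posted "sh run": only the two interfaces the
# poster says now talk to each other, with the object-group ACL entries dropped
# because the "permit ip any any" under each of them decides the result anyway.
SAMPLE_CONFIG = """
interface Vlan20
 nameif inside4
 security-level 98
 ip address 192.168.104.1 255.255.255.0
interface Vlan30
 nameif inside5
 security-level 97
 ip address 192.168.105.1 255.255.255.0
same-security-traffic permit inter-interface
access-list inside5_access_in_1 extended permit ip any any
access-list inside4_access_in_1 extended permit ip any any
global (outside) 1 interface
nat (inside4) 1 0.0.0.0 0.0.0.0
nat (inside5) 1 0.0.0.0 0.0.0.0
static (inside4,inside5) 192.168.104.0 192.168.104.0 netmask 255.255.255.0
static (inside5,inside4) 192.168.105.0 192.168.105.0 netmask 255.255.255.0
access-group inside4_access_in_1 in interface inside4
access-group inside5_access_in_1 in interface inside5
"""

def parse(text):
    c = {"if": {}, "same_sec": False, "acl": {}, "glob": set(), "nat": {}, "stat": set()}
    cur = {}
    for s in (l.strip() for l in text.splitlines()):
        if s.startswith("nameif "):  # nameif is the first line of each interface block
            cur = c["if"][s.split()[1]] = {}
        elif s.startswith("security-level "):
            cur["level"] = int(s.split()[1])
        elif s.startswith("ip address "):
            cur["net"] = ipaddress.ip_network("%s/%s" % tuple(s.split()[2:4]), strict=False)
        elif s == "same-security-traffic permit inter-interface":
            c["same_sec"] = True
        elif (m := re.match(r"access-list (\S+) extended (permit|deny) ip (.+)", s)) and "inactive" not in s:
            c["acl"].setdefault(m[1], []).append((m[2], m[3].split()))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", s):
            c["if"][m[2]]["acl"] = m[1]
        elif m := re.match(r"global \((\S+)\) (\d+)", s):
            c["glob"].add((m[1], int(m[2])))
        elif m := re.match(r"nat \((\S+)\) (\d+) ", s):
            c["nat"][m[1]] = int(m[2])
        elif (m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", s)) and m[3] == m[4]:
            c["stat"].add((m[1], m[2], ipaddress.ip_network("%s/%s" % (m[3], m[5]))))  # identity static
    return c

def acl_permits(c, name, src, dst):
    # Walk the ACL top-down; each side is "any" or "net mask"; implicit deny at the end.
    for action, tok in c["acl"].get(name, []):
        hit = True
        for addr in (src, dst):
            if tok[0] == "any":
                tok = tok[1:]
            else:
                hit, tok = hit and addr in ipaddress.ip_network("%s/%s" % (tok[0], tok[1])), tok[2:]
        if hit:
            return action == "permit"
    return False

def decide(c, src_if, dst_if):
    """'permit' or 'deny: <why>' for a host on src_if opening a connection to a host on dst_if."""
    a, b = c["if"][src_if], c["if"][dst_if]
    src, dst = a["net"][2], b["net"][2]  # an arbitrary host on each side
    # 1. Inbound ACL on the ingress interface if there is one, else the security levels.
    if "acl" in a:
        if not acl_permits(c, a["acl"], src, dst):
            return "deny: inbound ACL %s on %s" % (a["acl"], src_if)
    elif a["level"] < b["level"]:
        return "deny: security-level %d -> %d needs an inbound ACL" % (a["level"], b["level"])
    elif a["level"] == b["level"] and not c["same_sec"]:
        return "deny: equal levels need same-security-traffic permit inter-interface"
    # 2. NAT (nat-control off): identity static exempts; a matching dynamic nat rule with
    #    no global on the egress interface is dropped (syslog 305005, no translation group).
    if any((i, o) == (src_if, dst_if) and src in net for i, o, net in c["stat"]):
        return "permit"
    nat_id = c["nat"].get(src_if)
    if nat_id is None or (dst_if, nat_id) in c["glob"]:
        return "permit"
    return "deny: nat (%s) %d matches but there is no global (%s) %d" % (src_if, nat_id, dst_if, nat_id)

def without(text, prefix):
    # The sample config minus every line that starts with prefix.
    return "\n".join(l for l in text.splitlines() if not l.startswith(prefix))

NO_ACL = without(SAMPLE_CONFIG, "access-group ")
FLAT = re.sub(r"security-level 9\d", "security-level 100", NO_ACL)
VARIANTS = {
    "as posted": parse(SAMPLE_CONFIG),
    "statics removed": parse(without(SAMPLE_CONFIG, "static ")),
    "access-groups removed": parse(NO_ACL),
    "both at level 100, no access-groups": parse(FLAT),
    "both at level 100, no access-groups, no same-security-traffic": parse(without(FLAT, "same-security")),
}

if __name__ == "__main__":  # stand-alone run: print the decision for both directions
    for label, cfg in VARIANTS.items():
        print(label, [decide(cfg, *p) for p in (("inside4", "inside5"), ("inside5", "inside4"))])
```

What the variants show: same-security-traffic permit inter-interface never comes into play in the posted config because the inside interfaces sit at 100, 99, 98 and 97; it only helps once the VLAN interfaces share a level. Without an inbound ACL the lower-level interface cannot initiate to the higher one, which is why TAC added access-groups. The identity statics are not a hack either: every inside interface has a catch-all dynamic nat rule whose only global is on outside, so inter-VLAN traffic would be dropped as "no translation group found" without an exemption (the statics, or nat 0 access-list). Two caveats on the posted config as it stands: every inbound ACL ends in permit ip any any, so the VLANs are not segmented from each other at all, and the "inactive" ACL entries do nothing; and http 0.0.0.0 0.0.0.0 outside opens ASDM management to any source on the Internet. Since the firewall policy passes everything between the VLANs, a statically addressed printer that still cannot be reached is more likely a host problem (mask or default gateway pointing at the wrong VLAN interface) or a switch-port VLAN assignment.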
3 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 39844272
>>and realized that the asa can only do an IP pool of max 250 so we create multiple VLAN each with a new IP pool.

I'm confused, you've gone to all this trouble for more DHCP addresses? Why not drop to a 16-bit subnet mask on VLAN 1 and set up a DHCP server internally?

PL
 

Accepted Solution

by:
odewulf earned 0 total points
ID: 39844979
Because that client doesn't have a server, and this was kind of an emergency since they were running out of IPs :-/
 

Author Closing Comment

by:odewulf
ID: 40174086
No feedback on this question. Request question to be closed. Thank you.