Solved

Multiple VLANs on ASA 5505 not communicating well together

Posted on 2014-02-07
Last Modified: 2014-07-03
Long story short: we need more than 250 IP addresses and realized that the ASA can only do an IP pool of max 250, so we created multiple VLANs, each with a new IP pool.


We have 4 switches; I created 4 VLANs and connected 1 port of the ASA to each VLAN.

I thought that adding the line same-security-traffic permit inter-interface would allow easy access among the VLANs, but that was not the case.

I called Cisco and they made me add a static route and an access-group. VLAN 4 can now communicate with VLAN 5, but I don't think it is proper. Can someone review the config below and let me know what is wrong with it, and why, if a printer is connected to switch 1 with a static IP, I can't communicate with switch 2?

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(5) 
!
hostname ciscoasa
enable password pH9AxSYvrEY14oi6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 description LAN TRUNK
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 30
!
interface Ethernet0/6
 switchport access vlan 20
!
interface Ethernet0/7
 switchport access vlan 10
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x. 255.255.255.252 
!
interface Vlan10
 nameif inside3
 security-level 99
 ip address 192.168.103.1 255.255.255.0 
!
interface Vlan20
 nameif inside4
 security-level 98
 ip address 192.168.104.1 255.255.255.0 
!
interface Vlan30
 nameif inside5
 security-level 97
 ip address 192.168.105.1 255.255.255.0 
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.104.0 255.255.255.0
 network-object 192.168.105.0 255.255.255.0
 network-object 204.28.126.4 255.255.255.252
 network-object 192.168.101.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.103.0 255.255.255.0
 network-object 192.168.105.0 255.255.255.0
 network-object 204.28.126.4 255.255.255.252
 network-object 192.168.101.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.103.0 255.255.255.0
 network-object 192.168.104.0 255.255.255.0
 network-object 204.28.126.4 255.255.255.252
 network-object 192.168.101.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object 192.168.103.0 255.255.255.0
 network-object 192.168.104.0 255.255.255.0
 network-object 192.168.105.0 255.255.255.0
 network-object 204.28.126.4 255.255.255.252
access-list inside3_access_in extended permit ip any 192.168.104.0 255.255.255.0 inactive 
access-list inside3_access_in extended permit ip any 192.168.105.0 255.255.255.0 inactive 
access-list inside3_access_in extended permit ip any 204.28.126.4 255.255.255.252 inactive 
access-list inside4_access_in extended permit ip any 192.168.103.0 255.255.255.0 inactive 
access-list inside4_access_in extended permit ip any 192.168.105.0 255.255.255.0 inactive 
access-list inside4_access_in extended permit ip any interface outside inactive 
access-list inside5_access_in extended permit ip any 192.168.104.0 255.255.255.0 inactive 
access-list inside5_access_in extended permit ip any 192.168.103.0 255.255.255.0 inactive 
access-list inside5_access_in_1 extended permit ip any object-group DM_INLINE_NETWORK_3 
access-list inside5_access_in_1 extended permit ip any any 
access-list inside4_access_in_1 extended permit ip any object-group DM_INLINE_NETWORK_2 
access-list inside4_access_in_1 extended permit ip any any 
access-list inside3_access_in_1 extended permit ip any object-group DM_INLINE_NETWORK_1 
access-list inside3_access_in_1 extended permit ip any any 
access-list inside_access_in extended permit ip any object-group DM_INLINE_NETWORK_4 
access-list inside_access_in extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inside3 1500
mtu inside4 1500
mtu inside5 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside3) 1 0.0.0.0 0.0.0.0
nat (inside4) 1 0.0.0.0 0.0.0.0
nat (inside5) 1 0.0.0.0 0.0.0.0
static (inside3,inside4) 192.168.103.0 192.168.103.0 netmask 255.255.255.0 
static (inside4,inside3) 192.168.104.0 192.168.104.0 netmask 255.255.255.0 
static (inside4,inside5) 192.168.104.0 192.168.104.0 netmask 255.255.255.0 
static (inside5,inside4) 192.168.105.0 192.168.105.0 netmask 255.255.255.0 
static (inside3,inside5) 192.168.103.0 192.168.103.0 netmask 255.255.255.0 
static (inside5,inside3) 192.168.105.0 192.168.105.0 netmask 255.255.255.0 
static (inside3,inside) 192.168.103.0 192.168.103.0 netmask 255.255.255.0 
static (inside4,inside) 192.168.104.0 192.168.104.0 netmask 255.255.255.0 
static (inside5,inside) 192.168.105.0 192.168.105.0 netmask 255.255.255.0 
static (inside,inside3) 192.168.101.0 192.168.101.0 netmask 255.255.255.0 
static (inside,inside4) 192.168.101.0 192.168.101.0 netmask 255.255.255.0 
static (inside,inside5) 192.168.101.0 192.168.101.0 netmask 255.255.255.0 
access-group inside_access_in in interface inside
access-group inside3_access_in_1 in interface inside3
access-group inside4_access_in_1 in interface inside4
access-group inside5_access_in_1 in interface inside5
route outside 0.0.0.0 0.0.0.0 x.x.x.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 208.80.68.212 204.14.152.2
dhcpd lease 14400
!
dhcpd address 192.168.101.10-192.168.101.250 inside
dhcpd dns 208.80.68.212 204.14.152.2 interface inside
dhcpd lease 14400 interface inside
dhcpd domain unow interface inside
dhcpd enable inside
!
dhcpd address 192.168.103.10-192.168.103.250 inside3
dhcpd dns 208.80.68.212 204.14.152.2 interface inside3
dhcpd lease 14400 interface inside3
dhcpd domain unow interface inside3
dhcpd enable inside3
!
dhcpd address 192.168.104.20-192.168.104.250 inside4
dhcpd dns 208.80.68.212 204.14.152.2 interface inside4
dhcpd lease 14400 interface inside4
dhcpd domain unow interface inside4
dhcpd enable inside4
!
dhcpd address 192.168.105.10-192.168.105.250 inside5
dhcpd dns 208.80.68.212 204.14.152.2 interface inside5
dhcpd lease 14400 interface inside5
dhcpd domain unow interface inside5
dhcpd enable inside5
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:9f3c3b74034a3efa358f655113488438
: end



thank you
Question by:odewulf
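As an added example (not code from the question, the comments, or Cisco), the following Python script reads an ASA 8.2 running-config and checks it for the points that decide whether the VLANs above can reach each other. On 8.2, traffic that matches a nat (src) rule must find either a global with the same ID on the egress interface or a static between the two interfaces; otherwise the ASA drops it and logs %ASA-3-305005 "No translation group found", which is why identity static lines like the ones TAC had added are needed next to nat (...) 1 0.0.0.0 0.0.0.0. The script also reports that same-security-traffic permit inter-interface only acts on interfaces with equal security levels (100, 99, 98 and 97 here, so it changes nothing), which inbound ACLs contain permit ip any any, and that http 0.0.0.0 0.0.0.0 outside opens ASDM to every outside address. The embedded configuration is an abridged copy of the one posted above; the function names and the check logic are my own.

```python
"""ASA 8.2 config checks for the pitfalls in this thread (added example, not
code from the thread or from Cisco): interface pairs whose nat-matched traffic
has no global/static on the egress side (8.2 drops it, %ASA-3-305005), whether
same-security-traffic applies at all, ACLs with permit ip any any, ASDM open."""
from itertools import permutations

# Abridged copy of the posted config: interface stanzas cut to nameif/security-level.
POSTED_CONFIG = """\
nameif inside
security-level 100
nameif outside
security-level 0
nameif inside3
security-level 99
nameif inside4
security-level 98
nameif inside5
security-level 97
same-security-traffic permit inter-interface
access-list inside5_access_in_1 extended permit ip any any
access-list inside4_access_in_1 extended permit ip any any
access-list inside3_access_in_1 extended permit ip any any
access-list inside_access_in extended permit ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside3) 1 0.0.0.0 0.0.0.0
nat (inside4) 1 0.0.0.0 0.0.0.0
nat (inside5) 1 0.0.0.0 0.0.0.0
static (inside3,inside4) 192.168.103.0 192.168.103.0 netmask 255.255.255.0
static (inside4,inside3) 192.168.104.0 192.168.104.0 netmask 255.255.255.0
static (inside4,inside5) 192.168.104.0 192.168.104.0 netmask 255.255.255.0
static (inside5,inside4) 192.168.105.0 192.168.105.0 netmask 255.255.255.0
static (inside3,inside5) 192.168.103.0 192.168.103.0 netmask 255.255.255.0
static (inside5,inside3) 192.168.105.0 192.168.105.0 netmask 255.255.255.0
static (inside3,inside) 192.168.103.0 192.168.103.0 netmask 255.255.255.0
static (inside4,inside) 192.168.104.0 192.168.104.0 netmask 255.255.255.0
static (inside5,inside) 192.168.105.0 192.168.105.0 netmask 255.255.255.0
static (inside,inside3) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
static (inside,inside4) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
static (inside,inside5) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group inside3_access_in_1 in interface inside3
access-group inside4_access_in_1 in interface inside4
access-group inside5_access_in_1 in interface inside5
http 0.0.0.0 0.0.0.0 outside
"""

def parse(cfg):
    p = {"sec": {}, "nat": {}, "global": set(), "static": set(), "acl_open": set(),
         "agroup": {}, "http_any": set(), "same_sec": False}
    ifc = None
    for line in cfg.splitlines():
        t = line.split() or [""]                     # blank line -> no keyword
        if t[0] == "nameif":
            ifc = t[1]
        elif t[0] == "security-level":
            p["sec"][ifc] = int(t[1])
        elif t[0] == "same-security-traffic" and t[-1] == "inter-interface":
            p["same_sec"] = True
        elif t[0] == "nat":                           # nat (ifc) id real mask
            p["nat"][t[1].strip("()")] = t[2]
        elif t[0] == "global":                        # global (ifc) id pool
            p["global"].add((t[1].strip("()"), t[2]))
        elif t[0] == "static":                        # static (real,mapped) ...
            p["static"].add(tuple(t[1].strip("()").split(",")))
        elif t[0] == "access-list" and t[2:] == ["extended", "permit", "ip", "any", "any"]:
            p["acl_open"].add(t[1])
        elif t[0] == "access-group":                  # access-group NAME in interface IFC
            p["agroup"][t[4]] = t[1]
        elif t[0] == "http" and t[1:3] == ["0.0.0.0", "0.0.0.0"]:
            p["http_any"].add(t[3])
    return p

def missing_translations(p):
    """(src, dst) internal pairs where traffic matching nat (src) has neither a
    global on dst nor a static (src,dst); on 8.2 those packets are dropped."""
    internal = [i for i, lvl in p["sec"].items() if lvl > 0]
    return [(s, d) for s, d in permutations(internal, 2)
            if s in p["nat"] and (d, p["nat"][s]) not in p["global"]
            and (s, d) not in p["static"]]

def same_security_groups(p):
    """Interfaces sharing a security-level: the only ones inter-interface permit affects."""
    levels = [l for l in set(p["sec"].values()) if list(p["sec"].values()).count(l) > 1]
    return [tuple(i for i in p["sec"] if p["sec"][i] == l) for l in levels] if p["same_sec"] else []

def wide_open_interfaces(p):
    """Interfaces whose inbound ACL contains permit ip any any."""
    return sorted(i for i, acl in p["agroup"].items() if acl in p["acl_open"])

def asdm_open_interfaces(p):
    """Interfaces on which http 0.0.0.0 0.0.0.0 exposes ASDM to every address."""
    return sorted(p["http_any"])

if __name__ == "__main__":
    cfg = parse(POSTED_CONFIG)
    for check in (missing_translations, same_security_groups, wide_open_interfaces, asdm_open_interfaces):
        print(f"{check.__name__:22}: {check(cfg) or 'none'}")
```

Run as-is it reports no untranslated pairs for the posted config, no interface pairs that same-security-traffic actually applies to, permit ip any any on all four inside interfaces, and ASDM open on outside. Feed it the same text with the static lines removed and all twelve src/dst pairs come back as untranslated, which is the "No translation group found" situation the statics resolve. The http 0.0.0.0 0.0.0.0 outside line is worth fixing regardless of the routing question: limit it to a management subnet or drop outside access entirely.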
3 Comments
 

Expert Comment

by:Pete Long
ID: 39844272
>>and realized that the asa can only do an IP pool of max 250 so we create multiple VLAN each with a new IP pool.

I'm confused, you've gone to all this trouble for more DHCP addresses? Why not drop to a 16-bit subnet mask on VLAN 1 and set up a DHCP server internally?

PL
 

Accepted Solution

by: odewulf (earned 0 total points)
ID: 39844979
Because that client doesn't have a server, and this was kind of an emergency since they were running out of IPs :-/
 

Author Closing Comment

by:odewulf
ID: 40174086
No feedback on this question. Request question to be closed. Thank you.