Cisco ASA Inter-Vlan Routing

Hi All,

Hope Everyone is Well?

Hope somebody could help as im banging my head with this one:-

I have several Sub Interfaces for VLAN's Setup on my Firewall. I have these connected to a Switch, which inturn has the Switch Port set in Trunk Mode,

Switch Config Here:-
 interface FastEthernet0/1
 description ** Firewall Uplink - FA0/1 **
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101-104,110
 switchport mode trunk

If i connect my Laptop up and Set a IP of 10.1.1.100 i cant even ping the Firewall (10.1.1.1). Same on the other Subnets. I cant ping any default Gateways, or ping Gateways between VLANS.

Strangely enough thought the Firewall can ping the switch on 10.1.1.21

From All Subnets there is no internet access either but i assume this is something to do with the above not working.

My  ASA Config is attached.

Many Thanks for Any Help.

Cheers
Si
Config.txt
LVL 1
TrustGroup-UAEAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

netdsgCommented:
How many vlans is your asa licensed to have?  execute a 'show version' in order to reveal this.
0
TrustGroup-UAEAuthor Commented:
Hi NetDSG,

Please find below from Sh Ver. Showing me 50 Vlans.

Licensed features for this platform:
Maximum Physical Interfaces         : Unlimited      perpetual
Maximum VLANs                               : 50             perpetual
Inside Hosts                                       : Unlimited      perpetual
Failover                                               : Disabled       perpetual
VPN-DES                                              : Enabled        perpetual
VPN-3DES-AES                                    : Enabled        perpetual
Security Contexts                               : 0              perpetual
GTP/GPRS                                           : Disabled       perpetual
AnyConnect Premium Peers            : 2              perpetual
AnyConnect Essentials                      : Disabled       perpetual
Other VPN Peers                                : 250            perpetual
Total VPN Peers                                 : 250            perpetual
Shared License                                   : Disabled       perpetual
AnyConnect for Mobile                      : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions                 : 2              perpetual
Total UC Proxy Sessions                   : 2              perpetual
Botnet Traffic Filter                           : Disabled       perpetual
Intercompany Media Engine           : Disabled       perpetual

Cheers
Si
0
Istvan KalmarHead of IT Security Division Commented:
Hi,

You need to config nat and nonat
0
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

TrustGroup-UAEAuthor Commented:
Thanks ikalmar,

Any Tips, Pointers for example Config or this?

Cheers
Si
0
netdsgCommented:
Lets see what the ASA thinks is going on by enabling some logging.  Try:

conf t
logging buffered 7
logging buffered size 100000
logging timestamp
exit

Then attempt the functionality you are looking for, followed by a show log.  Hopefully you'll see a syslog entry that corresponds with your attempt by using the 'show log' command.
0
TrustGroup-UAEAuthor Commented:
Hi,

I cant see anything in there thats obvious:-

Mar 08 2014 10:02:36: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:36: %ASA-7-609002: Teardown local-host inside_voip:10.1.2.101 duration 0:00:00
Mar 08 2014 10:02:36: %ASA-7-609002: Teardown local-host identity:10.1.2.1 duration 0:00:00
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host inside_voip:10.1.2.101
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host identity:10.1.2.1
Mar 08 2014 10:02:37: %ASA-6-302020: Built inbound ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:37: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:37: %ASA-7-609002: Teardown local-host inside_voip:10.1.2.101 duration 0:00:00
Mar 08 2014 10:02:37: %ASA-7-609002: Teardown local-host identity:10.1.2.1 duration 0:00:00
Mar 08 2014 10:02:41: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:42: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:42: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:44: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:44: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 340 for management:192.168.1.2/49862 to identity:192.168.1.1/443 duration 0:03:01 bytes 536 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 342 for management:192.168.1.2/49864 to identity:192.168.1.1/443 duration 0:03:01 bytes 406 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 343 for management:192.168.1.2/49865 to identity:192.168.1.1/443 duration 0:03:01 bytes 521 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 344 for management:192.168.1.2/49866 to identity:192.168.1.1/443 duration 0:03:01 bytes 531 TCP Reset-O
Mar 08 2014 10:02:51: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:52: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:52: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:53: %ASA-6-302016: Teardown UDP connection 316 for management:192.168.1.2/68 to identity:255.255.255.255/67 duration 0:03:21 bytes 600
Mar 08 2014 10:02:53: %ASA-7-609002: Teardown local-host identity:255.255.255.255 duration 0:03:21
Mar 08 2014 10:03:00: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:01: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:01: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:05: %ASA-7-710005: UDP request discarded from 10.1.2.101/138 to inside_voip:10.1.2.255/138
Mar 08 2014 10:03:06: %ASA-6-302016: Teardown UDP connection 317 for management:192.168.1.2/68 to identity:192.168.1.1/67 duration 0:03:34 bytes 1168
Mar 08 2014 10:03:08: %ASA-5-111005: console end configuration: OK
Mar 08 2014 10:03:09: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:10: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:10: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137

I have also modified my config here and there as i have been playin around. With my Laptop on the switch and the switch port set to the VLAN i can now on each VLAN ping the default gateway.
 
I still cannot ping gateways between VLANs not get any outside connectivity.

I have attached my New Config.

Many thanks again
Si
Config.txt
0
netdsgCommented:
What functionality were were testing during the preceding syslog?  In this case the syslog would only be valuable if we know what is failing at what precise time and can correlate events via the timestamps.

There is no functional reason why users should be able to ping gateways that are not their own on a firewall.  Ping is a neat utility for network admin, not for users.  For a security perspective Ping is the devil.  I generally deny all ICMP for the users that wont break functionality.

In order to configure outside connectivity ikalmar is correct, you will need a NAT configuration.

Try this:

nat (inside_lan_management) 1 10.1.1.0 255.255.255.0
nat (inside_voip) 1 10.1.2.0 255.255.255.0
nat (inside_cctv) 1 10.1.3.0 255.255.255.0
nat (inside_wireless) 1 10.1.4.0 255.255.255.0
nat (inside_clients) 1. 10.1.110.0 255.255.255.0
global (outside) 1 interface ethernet 0/0
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
TrustGroup-UAEAuthor Commented:
Hi,

After adding in the above still there was no routing. I have since spoken to TAC who asked me to upgrade the ASA IOS.

After doing this and adding the above all now works!

Many thanks for your Help!

Cheers
Si
0
samashcamCommented:
Hi Si,

What is the version of the IOS did you need to upgrade to?

Cheers,
Samashcam
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.