Solved

Cisco ASA  Inter-Vlan Routing

Posted on 2014-03-06
9
1,761 Views
Last Modified: 2015-04-13
Hi All,

Hope Everyone is Well?

Hope somebody could help as im banging my head with this one:-

I have several Sub Interfaces for VLAN's Setup on my Firewall. I have these connected to a Switch, which inturn has the Switch Port set in Trunk Mode,

Switch Config Here:-
 interface FastEthernet0/1
 description ** Firewall Uplink - FA0/1 **
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101-104,110
 switchport mode trunk

If i connect my Laptop up and Set a IP of 10.1.1.100 i cant even ping the Firewall (10.1.1.1). Same on the other Subnets. I cant ping any default Gateways, or ping Gateways between VLANS.

Strangely enough thought the Firewall can ping the switch on 10.1.1.21

From All Subnets there is no internet access either but i assume this is something to do with the above not working.

My  ASA Config is attached.

Many Thanks for Any Help.

Cheers
Si
Config.txt
0
Comment
Question by:TrustGroup-UAE
9 Comments
 
LVL 1

Expert Comment

by:netdsg
ID: 39908701
How many vlans is your asa licensed to have?  execute a 'show version' in order to reveal this.
0
 
LVL 1

Author Comment

by:TrustGroup-UAE
ID: 39908748
Hi NetDSG,

Please find below from Sh Ver. Showing me 50 Vlans.

Licensed features for this platform:
Maximum Physical Interfaces         : Unlimited      perpetual
Maximum VLANs                               : 50             perpetual
Inside Hosts                                       : Unlimited      perpetual
Failover                                               : Disabled       perpetual
VPN-DES                                              : Enabled        perpetual
VPN-3DES-AES                                    : Enabled        perpetual
Security Contexts                               : 0              perpetual
GTP/GPRS                                           : Disabled       perpetual
AnyConnect Premium Peers            : 2              perpetual
AnyConnect Essentials                      : Disabled       perpetual
Other VPN Peers                                : 250            perpetual
Total VPN Peers                                 : 250            perpetual
Shared License                                   : Disabled       perpetual
AnyConnect for Mobile                      : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions                 : 2              perpetual
Total UC Proxy Sessions                   : 2              perpetual
Botnet Traffic Filter                           : Disabled       perpetual
Intercompany Media Engine           : Disabled       perpetual

Cheers
Si
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 39909109
Hi,

You need to config nat and nonat
0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 
LVL 1

Author Comment

by:TrustGroup-UAE
ID: 39909351
Thanks ikalmar,

Any Tips, Pointers for example Config or this?

Cheers
Si
0
 
LVL 1

Expert Comment

by:netdsg
ID: 39911545
Lets see what the ASA thinks is going on by enabling some logging.  Try:

conf t
logging buffered 7
logging buffered size 100000
logging timestamp
exit

Then attempt the functionality you are looking for, followed by a show log.  Hopefully you'll see a syslog entry that corresponds with your attempt by using the 'show log' command.
0
 
LVL 1

Author Comment

by:TrustGroup-UAE
ID: 39914467
Hi,

I cant see anything in there thats obvious:-

Mar 08 2014 10:02:36: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:36: %ASA-7-609002: Teardown local-host inside_voip:10.1.2.101 duration 0:00:00
Mar 08 2014 10:02:36: %ASA-7-609002: Teardown local-host identity:10.1.2.1 duration 0:00:00
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host inside_voip:10.1.2.101
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host identity:10.1.2.1
Mar 08 2014 10:02:37: %ASA-6-302020: Built inbound ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:37: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:37: %ASA-7-609002: Teardown local-host inside_voip:10.1.2.101 duration 0:00:00
Mar 08 2014 10:02:37: %ASA-7-609002: Teardown local-host identity:10.1.2.1 duration 0:00:00
Mar 08 2014 10:02:41: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:42: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:42: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:44: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:44: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 340 for management:192.168.1.2/49862 to identity:192.168.1.1/443 duration 0:03:01 bytes 536 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 342 for management:192.168.1.2/49864 to identity:192.168.1.1/443 duration 0:03:01 bytes 406 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 343 for management:192.168.1.2/49865 to identity:192.168.1.1/443 duration 0:03:01 bytes 521 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 344 for management:192.168.1.2/49866 to identity:192.168.1.1/443 duration 0:03:01 bytes 531 TCP Reset-O
Mar 08 2014 10:02:51: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:52: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:52: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:53: %ASA-6-302016: Teardown UDP connection 316 for management:192.168.1.2/68 to identity:255.255.255.255/67 duration 0:03:21 bytes 600
Mar 08 2014 10:02:53: %ASA-7-609002: Teardown local-host identity:255.255.255.255 duration 0:03:21
Mar 08 2014 10:03:00: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:01: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:01: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:05: %ASA-7-710005: UDP request discarded from 10.1.2.101/138 to inside_voip:10.1.2.255/138
Mar 08 2014 10:03:06: %ASA-6-302016: Teardown UDP connection 317 for management:192.168.1.2/68 to identity:192.168.1.1/67 duration 0:03:34 bytes 1168
Mar 08 2014 10:03:08: %ASA-5-111005: console end configuration: OK
Mar 08 2014 10:03:09: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:10: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:10: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137

I have also modified my config here and there as i have been playin around. With my Laptop on the switch and the switch port set to the VLAN i can now on each VLAN ping the default gateway.
 
I still cannot ping gateways between VLANs not get any outside connectivity.

I have attached my New Config.

Many thanks again
Si
Config.txt
0
 
LVL 1

Accepted Solution

by:
netdsg earned 500 total points
ID: 39915833
What functionality were were testing during the preceding syslog?  In this case the syslog would only be valuable if we know what is failing at what precise time and can correlate events via the timestamps.

There is no functional reason why users should be able to ping gateways that are not their own on a firewall.  Ping is a neat utility for network admin, not for users.  For a security perspective Ping is the devil.  I generally deny all ICMP for the users that wont break functionality.

In order to configure outside connectivity ikalmar is correct, you will need a NAT configuration.

Try this:

nat (inside_lan_management) 1 10.1.1.0 255.255.255.0
nat (inside_voip) 1 10.1.2.0 255.255.255.0
nat (inside_cctv) 1 10.1.3.0 255.255.255.0
nat (inside_wireless) 1 10.1.4.0 255.255.255.0
nat (inside_clients) 1. 10.1.110.0 255.255.255.0
global (outside) 1 interface ethernet 0/0
0
 
LVL 1

Author Comment

by:TrustGroup-UAE
ID: 39928681
Hi,

After adding in the above still there was no routing. I have since spoken to TAC who asked me to upgrade the ASA IOS.

After doing this and adding the above all now works!

Many thanks for your Help!

Cheers
Si
0
 

Expert Comment

by:samashcam
ID: 40721674
Hi Si,

What is the version of the IOS did you need to upgrade to?

Cheers,
Samashcam
0

Featured Post

Save the day with this special offer from ATEN!

Save 30% on the CV211 using promo code EXPERTS30 now through April 30th. The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question