Solved

Cisco ASA Inter-VLAN Routing

Posted on 2014-03-06
Last Modified: 2015-04-13
Hi All,

Hope everyone is well?

Hope somebody could help, as I'm banging my head against this one:-

I have several sub-interfaces for VLANs set up on my firewall. These are connected to a switch, which in turn has the switch port set to trunk mode.

Switch Config Here:-
 interface FastEthernet0/1
 description ** Firewall Uplink - FA0/1 **
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101-104,110
 switchport mode trunk

If I connect my laptop and set an IP of 10.1.1.100, I can't even ping the firewall (10.1.1.1). Same on the other subnets. I can't ping any default gateways, or ping gateways between VLANs.

Strangely enough though, the firewall can ping the switch on 10.1.1.21.

From all subnets there is no internet access either, but I assume this is something to do with the above not working.

My ASA config is attached.

Many thanks for any help.

Cheers
Si
Config.txt
Question by:TrustGroup-UAE
9 Comments
 
Expert Comment by netdsg (ID: 39908701)
How many VLANs is your ASA licensed to have? Execute a 'show version' in order to reveal this.

Author Comment by TrustGroup-UAE (ID: 39908748)
Hi NetDSG,

Please find the output below from 'sh ver', showing me 50 VLANs.

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

Cheers
Si

Expert Comment by Istvan Kalmar (ID: 39909109)
Hi,

You need to configure NAT and nonat.

Author Comment by TrustGroup-UAE (ID: 39909351)
Thanks ikalmar,

Any tips or pointers, or an example config for this?

Cheers
Si

Expert Comment by netdsg (ID: 39911545)
Let's see what the ASA thinks is going on by enabling some logging. Try:

conf t
logging buffered 7
logging buffer-size 100000
logging timestamp
exit

Then attempt the functionality you are looking for, followed by a show log. Hopefully you'll see a syslog entry that corresponds with your attempt by using the 'show log' command.

Author Comment by TrustGroup-UAE (ID: 39914467)
Hi,

I can't see anything in there that's obvious:-

Mar 08 2014 10:02:36: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:36: %ASA-7-609002: Teardown local-host inside_voip:10.1.2.101 duration 0:00:00
Mar 08 2014 10:02:36: %ASA-7-609002: Teardown local-host identity:10.1.2.1 duration 0:00:00
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host inside_voip:10.1.2.101
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host identity:10.1.2.1
Mar 08 2014 10:02:37: %ASA-6-302020: Built inbound ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:37: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:37: %ASA-7-609002: Teardown local-host inside_voip:10.1.2.101 duration 0:00:00
Mar 08 2014 10:02:37: %ASA-7-609002: Teardown local-host identity:10.1.2.1 duration 0:00:00
Mar 08 2014 10:02:41: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:42: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:42: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:44: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:44: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 340 for management:192.168.1.2/49862 to identity:192.168.1.1/443 duration 0:03:01 bytes 536 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 342 for management:192.168.1.2/49864 to identity:192.168.1.1/443 duration 0:03:01 bytes 406 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 343 for management:192.168.1.2/49865 to identity:192.168.1.1/443 duration 0:03:01 bytes 521 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 344 for management:192.168.1.2/49866 to identity:192.168.1.1/443 duration 0:03:01 bytes 531 TCP Reset-O
Mar 08 2014 10:02:51: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:52: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:52: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:53: %ASA-6-302016: Teardown UDP connection 316 for management:192.168.1.2/68 to identity:255.255.255.255/67 duration 0:03:21 bytes 600
Mar 08 2014 10:02:53: %ASA-7-609002: Teardown local-host identity:255.255.255.255 duration 0:03:21
Mar 08 2014 10:03:00: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:01: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:01: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:05: %ASA-7-710005: UDP request discarded from 10.1.2.101/138 to inside_voip:10.1.2.255/138
Mar 08 2014 10:03:06: %ASA-6-302016: Teardown UDP connection 317 for management:192.168.1.2/68 to identity:192.168.1.1/67 duration 0:03:34 bytes 1168
Mar 08 2014 10:03:08: %ASA-5-111005: console end configuration: OK
Mar 08 2014 10:03:09: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:10: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:10: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137

I have also modified my config here and there as I have been playing around. With my laptop on the switch and the switch port set to the VLAN, I can now ping the default gateway on each VLAN.

I still cannot ping gateways between VLANs, nor get any outside connectivity.

I have attached my new config.

Many thanks again
Si
Config.txt
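The next comment points out that a log like this only helps if its events are correlated with the test by timestamp. As an added example (not code from the thread), this parser reads the ASA syslog format shown above, selects the events inside a test window and counts message IDs, so a ping test can be separated from background noise such as the 710005 NetBIOS broadcast discards; the sample lines and the window bounds are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Line format of the 'show log' output pasted above:
#   "Mar 08 2014 10:02:36: %ASA-6-302021: Teardown ICMP connection for ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
TS_FMT = "%b %d %Y %H:%M:%S"

# Constructed sample in the same format as the poster's log (not the full dump).
SAMPLE_LOG = """\
Mar 08 2014 10:02:37: %ASA-6-302020: Built inbound ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:37: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:41: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 340 for management:192.168.1.2/49862 to identity:192.168.1.1/443 duration 0:03:01 bytes 536 TCP Reset-O
Mar 08 2014 10:03:08: %ASA-5-111005: console end configuration: OK
"""

def parse(line):
    """Split one ASA syslog line into timestamp, severity, message ID and text; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "sev": int(m.group("sev")),
        "msgid": m.group("msgid"),
        "text": m.group("text"),
    }

def events_in_window(log, start, end):
    """Events whose timestamp lies in [start, end]; bounds are given in the log's own
    timestamp format so they can be read straight off the clock during the test."""
    lo, hi = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    events = [parse(line) for line in log.splitlines()]
    return [ev for ev in events if ev and lo <= ev["ts"] <= hi]

def summarize(events):
    """Count message IDs so a test window can be compared against the background noise
    (here the 710005 NetBIOS broadcast discards from the laptop)."""
    return Counter(ev["msgid"] for ev in events)

def mentions_host(events, ip):
    """Keep only events whose text names the test host, e.g. the laptop's address."""
    return [ev for ev in events if ip in ev["text"]]
```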

Accepted Solution by netdsg (earned 2000 total points, ID: 39915833)
What functionality were you testing during the preceding syslog? In this case the syslog would only be valuable if we know what is failing at what precise time and can correlate events via the timestamps.

There is no functional reason why users should be able to ping gateways that are not their own on a firewall. Ping is a neat utility for network admins, not for users. From a security perspective ping is the devil. I generally deny all ICMP for users where that won't break functionality.

In order to configure outside connectivity, ikalmar is correct: you will need a NAT configuration.

Try this:

nat (inside_lan_management) 1 10.1.1.0 255.255.255.0
nat (inside_voip) 1 10.1.2.0 255.255.255.0
nat (inside_cctv) 1 10.1.3.0 255.255.255.0
nat (inside_wireless) 1 10.1.4.0 255.255.255.0
nat (inside_clients) 1 10.1.110.0 255.255.255.0
global (outside) 1 interface
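An added check, not code from the answer or the thread: it audits pre-8.3 `nat`/`global` lines like the ones above and reports any inside interface with no nat statement, any nat id with no global on the outside interface, and any line that does not parse (a stray character in a pool id is enough to lose a whole subnet). The interface names and subnets are taken from the answer; the `global (outside) 1 interface` pool form and the sample config are assumed.

```python
import re

# Constructed sample in the pre-8.3 syntax used in the answer above (interface names
# and subnets as posted; the outside pool uses the 'global (outside) 1 interface' form).
NAT_CONFIG = """\
nat (inside_lan_management) 1 10.1.1.0 255.255.255.0
nat (inside_voip) 1 10.1.2.0 255.255.255.0
nat (inside_cctv) 1 10.1.3.0 255.255.255.0
nat (inside_wireless) 1 10.1.4.0 255.255.255.0
nat (inside_clients) 1 10.1.110.0 255.255.255.0
global (outside) 1 interface
"""
INSIDE_IFCS = ["inside_lan_management", "inside_voip", "inside_cctv",
               "inside_wireless", "inside_clients"]

NAT_RE = re.compile(r"^nat \((?P<ifc>[\w-]+)\) (?P<id>\d+) (?P<net>[\d.]+) (?P<mask>[\d.]+)$")
GLOBAL_RE = re.compile(r"^global \((?P<ifc>[\w-]+)\) (?P<id>\d+) (?P<pool>interface|[\d.]+(?:-[\d.]+)?)$")

def audit_nat(config_text, inside_ifcs, outside_ifc="outside"):
    """Return a list of findings; empty means every inside interface has a nat line
    whose pool id is backed by a global on the outside interface. Lines that do not
    parse (e.g. a pool id typed as '1.') are reported rather than silently skipped."""
    nats, pools, findings = {}, {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = NAT_RE.match(line)
        if m:
            nats[m.group("ifc")] = m.group("id")
            continue
        m = GLOBAL_RE.match(line)
        if m and m.group("ifc") == outside_ifc:
            pools[m.group("id")] = m.group("pool")
        elif m:
            findings.append(f"global on {m.group('ifc')} is not the outside interface: {line}")
        else:
            findings.append(f"unparsed line: {line}")
    for ifc in inside_ifcs:
        if ifc not in nats:
            findings.append(f"no nat statement for {ifc}")
        elif nats[ifc] not in pools:
            findings.append(f"nat id {nats[ifc]} on {ifc} has no matching global")
    return findings
```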

Author Comment by TrustGroup-UAE (ID: 39928681)
Hi,

After adding in the above there was still no routing. I have since spoken to TAC, who asked me to upgrade the ASA IOS.

After doing this and adding the above, all now works!

Many thanks for your help!

Cheers
Si

Expert Comment by samashcam (ID: 40721674)
Hi Si,

What version of the IOS did you need to upgrade to?

Cheers,
Samashcam