Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Cisco ASA  Inter-Vlan Routing

Posted on 2014-03-06
9
Medium Priority
?
1,946 Views
Last Modified: 2015-04-13
Hi All,

Hope Everyone is Well?

Hope somebody could help as im banging my head with this one:-

I have several Sub Interfaces for VLAN's Setup on my Firewall. I have these connected to a Switch, which inturn has the Switch Port set in Trunk Mode,

Switch Config Here:-
 interface FastEthernet0/1
 description ** Firewall Uplink - FA0/1 **
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101-104,110
 switchport mode trunk

If i connect my Laptop up and Set a IP of 10.1.1.100 i cant even ping the Firewall (10.1.1.1). Same on the other Subnets. I cant ping any default Gateways, or ping Gateways between VLANS.

Strangely enough thought the Firewall can ping the switch on 10.1.1.21

From All Subnets there is no internet access either but i assume this is something to do with the above not working.

My  ASA Config is attached.

Many Thanks for Any Help.

Cheers
Si
Config.txt
0
Comment
Question by:TrustGroup-UAE
9 Comments
 
LVL 1

Expert Comment

by:netdsg
ID: 39908701
How many vlans is your asa licensed to have?  execute a 'show version' in order to reveal this.
0
 
LVL 1

Author Comment

by:TrustGroup-UAE
ID: 39908748
Hi NetDSG,

Please find below from Sh Ver. Showing me 50 Vlans.

Licensed features for this platform:
Maximum Physical Interfaces         : Unlimited      perpetual
Maximum VLANs                               : 50             perpetual
Inside Hosts                                       : Unlimited      perpetual
Failover                                               : Disabled       perpetual
VPN-DES                                              : Enabled        perpetual
VPN-3DES-AES                                    : Enabled        perpetual
Security Contexts                               : 0              perpetual
GTP/GPRS                                           : Disabled       perpetual
AnyConnect Premium Peers            : 2              perpetual
AnyConnect Essentials                      : Disabled       perpetual
Other VPN Peers                                : 250            perpetual
Total VPN Peers                                 : 250            perpetual
Shared License                                   : Disabled       perpetual
AnyConnect for Mobile                      : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions                 : 2              perpetual
Total UC Proxy Sessions                   : 2              perpetual
Botnet Traffic Filter                           : Disabled       perpetual
Intercompany Media Engine           : Disabled       perpetual

Cheers
Si
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 39909109
Hi,

You need to config nat and nonat
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
LVL 1

Author Comment

by:TrustGroup-UAE
ID: 39909351
Thanks ikalmar,

Any Tips, Pointers for example Config or this?

Cheers
Si
0
 
LVL 1

Expert Comment

by:netdsg
ID: 39911545
Lets see what the ASA thinks is going on by enabling some logging.  Try:

conf t
logging buffered 7
logging buffered size 100000
logging timestamp
exit

Then attempt the functionality you are looking for, followed by a show log.  Hopefully you'll see a syslog entry that corresponds with your attempt by using the 'show log' command.
0
 
LVL 1

Author Comment

by:TrustGroup-UAE
ID: 39914467
Hi,

I cant see anything in there thats obvious:-

Mar 08 2014 10:02:36: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:36: %ASA-7-609002: Teardown local-host inside_voip:10.1.2.101 duration 0:00:00
Mar 08 2014 10:02:36: %ASA-7-609002: Teardown local-host identity:10.1.2.1 duration 0:00:00
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host inside_voip:10.1.2.101
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host identity:10.1.2.1
Mar 08 2014 10:02:37: %ASA-6-302020: Built inbound ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:37: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:37: %ASA-7-609002: Teardown local-host inside_voip:10.1.2.101 duration 0:00:00
Mar 08 2014 10:02:37: %ASA-7-609002: Teardown local-host identity:10.1.2.1 duration 0:00:00
Mar 08 2014 10:02:41: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:42: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:42: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:44: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:44: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 340 for management:192.168.1.2/49862 to identity:192.168.1.1/443 duration 0:03:01 bytes 536 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 342 for management:192.168.1.2/49864 to identity:192.168.1.1/443 duration 0:03:01 bytes 406 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 343 for management:192.168.1.2/49865 to identity:192.168.1.1/443 duration 0:03:01 bytes 521 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 344 for management:192.168.1.2/49866 to identity:192.168.1.1/443 duration 0:03:01 bytes 531 TCP Reset-O
Mar 08 2014 10:02:51: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:52: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:52: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:53: %ASA-6-302016: Teardown UDP connection 316 for management:192.168.1.2/68 to identity:255.255.255.255/67 duration 0:03:21 bytes 600
Mar 08 2014 10:02:53: %ASA-7-609002: Teardown local-host identity:255.255.255.255 duration 0:03:21
Mar 08 2014 10:03:00: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:01: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:01: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:05: %ASA-7-710005: UDP request discarded from 10.1.2.101/138 to inside_voip:10.1.2.255/138
Mar 08 2014 10:03:06: %ASA-6-302016: Teardown UDP connection 317 for management:192.168.1.2/68 to identity:192.168.1.1/67 duration 0:03:34 bytes 1168
Mar 08 2014 10:03:08: %ASA-5-111005: console end configuration: OK
Mar 08 2014 10:03:09: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:10: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:10: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137

I have also modified my config here and there as i have been playin around. With my Laptop on the switch and the switch port set to the VLAN i can now on each VLAN ping the default gateway.
 
I still cannot ping gateways between VLANs not get any outside connectivity.

I have attached my New Config.

Many thanks again
Si
Config.txt
0
 
LVL 1

Accepted Solution

by:
netdsg earned 2000 total points
ID: 39915833
What functionality were were testing during the preceding syslog?  In this case the syslog would only be valuable if we know what is failing at what precise time and can correlate events via the timestamps.

There is no functional reason why users should be able to ping gateways that are not their own on a firewall.  Ping is a neat utility for network admin, not for users.  For a security perspective Ping is the devil.  I generally deny all ICMP for the users that wont break functionality.

In order to configure outside connectivity ikalmar is correct, you will need a NAT configuration.

Try this:

nat (inside_lan_management) 1 10.1.1.0 255.255.255.0
nat (inside_voip) 1 10.1.2.0 255.255.255.0
nat (inside_cctv) 1 10.1.3.0 255.255.255.0
nat (inside_wireless) 1 10.1.4.0 255.255.255.0
nat (inside_clients) 1. 10.1.110.0 255.255.255.0
global (outside) 1 interface ethernet 0/0
0
 
LVL 1

Author Comment

by:TrustGroup-UAE
ID: 39928681
Hi,

After adding in the above still there was no routing. I have since spoken to TAC who asked me to upgrade the ASA IOS.

After doing this and adding the above all now works!

Many thanks for your Help!

Cheers
Si
0
 

Expert Comment

by:samashcam
ID: 40721674
Hi Si,

What is the version of the IOS did you need to upgrade to?

Cheers,
Samashcam
0

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question