Solved

Cisco ASA  Inter-Vlan Routing

Posted on 2014-03-06
9
1,666 Views
Last Modified: 2015-04-13
Hi All,

Hope Everyone is Well?

Hope somebody could help as im banging my head with this one:-

I have several Sub Interfaces for VLAN's Setup on my Firewall. I have these connected to a Switch, which inturn has the Switch Port set in Trunk Mode,

Switch Config Here:-
 interface FastEthernet0/1
 description ** Firewall Uplink - FA0/1 **
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101-104,110
 switchport mode trunk

If i connect my Laptop up and Set a IP of 10.1.1.100 i cant even ping the Firewall (10.1.1.1). Same on the other Subnets. I cant ping any default Gateways, or ping Gateways between VLANS.

Strangely enough thought the Firewall can ping the switch on 10.1.1.21

From All Subnets there is no internet access either but i assume this is something to do with the above not working.

My  ASA Config is attached.

Many Thanks for Any Help.

Cheers
Si
Config.txt
0
Comment
Question by:TrustGroup-UAE
9 Comments
 
LVL 1

Expert Comment

by:netdsg
Comment Utility
How many vlans is your asa licensed to have?  execute a 'show version' in order to reveal this.
0
 
LVL 1

Author Comment

by:TrustGroup-UAE
Comment Utility
Hi NetDSG,

Please find below from Sh Ver. Showing me 50 Vlans.

Licensed features for this platform:
Maximum Physical Interfaces         : Unlimited      perpetual
Maximum VLANs                               : 50             perpetual
Inside Hosts                                       : Unlimited      perpetual
Failover                                               : Disabled       perpetual
VPN-DES                                              : Enabled        perpetual
VPN-3DES-AES                                    : Enabled        perpetual
Security Contexts                               : 0              perpetual
GTP/GPRS                                           : Disabled       perpetual
AnyConnect Premium Peers            : 2              perpetual
AnyConnect Essentials                      : Disabled       perpetual
Other VPN Peers                                : 250            perpetual
Total VPN Peers                                 : 250            perpetual
Shared License                                   : Disabled       perpetual
AnyConnect for Mobile                      : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions                 : 2              perpetual
Total UC Proxy Sessions                   : 2              perpetual
Botnet Traffic Filter                           : Disabled       perpetual
Intercompany Media Engine           : Disabled       perpetual

Cheers
Si
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
Comment Utility
Hi,

You need to config nat and nonat
0
 
LVL 1

Author Comment

by:TrustGroup-UAE
Comment Utility
Thanks ikalmar,

Any Tips, Pointers for example Config or this?

Cheers
Si
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Expert Comment

by:netdsg
Comment Utility
Lets see what the ASA thinks is going on by enabling some logging.  Try:

conf t
logging buffered 7
logging buffered size 100000
logging timestamp
exit

Then attempt the functionality you are looking for, followed by a show log.  Hopefully you'll see a syslog entry that corresponds with your attempt by using the 'show log' command.
0
 
LVL 1

Author Comment

by:TrustGroup-UAE
Comment Utility
Hi,

I cant see anything in there thats obvious:-

Mar 08 2014 10:02:36: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:36: %ASA-7-609002: Teardown local-host inside_voip:10.1.2.101 duration 0:00:00
Mar 08 2014 10:02:36: %ASA-7-609002: Teardown local-host identity:10.1.2.1 duration 0:00:00
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host inside_voip:10.1.2.101
Mar 08 2014 10:02:37: %ASA-7-609001: Built local-host identity:10.1.2.1
Mar 08 2014 10:02:37: %ASA-6-302020: Built inbound ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:37: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.2.101/1 gaddr 10.1.2.1/0 laddr 10.1.2.1/0
Mar 08 2014 10:02:37: %ASA-7-609002: Teardown local-host inside_voip:10.1.2.101 duration 0:00:00
Mar 08 2014 10:02:37: %ASA-7-609002: Teardown local-host identity:10.1.2.1 duration 0:00:00
Mar 08 2014 10:02:41: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:42: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:42: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:43: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:44: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:44: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 340 for management:192.168.1.2/49862 to identity:192.168.1.1/443 duration 0:03:01 bytes 536 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 342 for management:192.168.1.2/49864 to identity:192.168.1.1/443 duration 0:03:01 bytes 406 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 343 for management:192.168.1.2/49865 to identity:192.168.1.1/443 duration 0:03:01 bytes 521 TCP Reset-O
Mar 08 2014 10:02:45: %ASA-6-302014: Teardown TCP connection 344 for management:192.168.1.2/49866 to identity:192.168.1.1/443 duration 0:03:01 bytes 531 TCP Reset-O
Mar 08 2014 10:02:51: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:52: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:52: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:02:53: %ASA-6-302016: Teardown UDP connection 316 for management:192.168.1.2/68 to identity:255.255.255.255/67 duration 0:03:21 bytes 600
Mar 08 2014 10:02:53: %ASA-7-609002: Teardown local-host identity:255.255.255.255 duration 0:03:21
Mar 08 2014 10:03:00: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:01: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:01: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:05: %ASA-7-710005: UDP request discarded from 10.1.2.101/138 to inside_voip:10.1.2.255/138
Mar 08 2014 10:03:06: %ASA-6-302016: Teardown UDP connection 317 for management:192.168.1.2/68 to identity:192.168.1.1/67 duration 0:03:34 bytes 1168
Mar 08 2014 10:03:08: %ASA-5-111005: console end configuration: OK
Mar 08 2014 10:03:09: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:10: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137
Mar 08 2014 10:03:10: %ASA-7-710005: UDP request discarded from 10.1.2.101/137 to inside_voip:10.1.2.255/137

I have also modified my config here and there as i have been playin around. With my Laptop on the switch and the switch port set to the VLAN i can now on each VLAN ping the default gateway.
 
I still cannot ping gateways between VLANs not get any outside connectivity.

I have attached my New Config.

Many thanks again
Si
Config.txt
0
 
LVL 1

Accepted Solution

by:
netdsg earned 500 total points
Comment Utility
What functionality were were testing during the preceding syslog?  In this case the syslog would only be valuable if we know what is failing at what precise time and can correlate events via the timestamps.

There is no functional reason why users should be able to ping gateways that are not their own on a firewall.  Ping is a neat utility for network admin, not for users.  For a security perspective Ping is the devil.  I generally deny all ICMP for the users that wont break functionality.

In order to configure outside connectivity ikalmar is correct, you will need a NAT configuration.

Try this:

nat (inside_lan_management) 1 10.1.1.0 255.255.255.0
nat (inside_voip) 1 10.1.2.0 255.255.255.0
nat (inside_cctv) 1 10.1.3.0 255.255.255.0
nat (inside_wireless) 1 10.1.4.0 255.255.255.0
nat (inside_clients) 1. 10.1.110.0 255.255.255.0
global (outside) 1 interface ethernet 0/0
0
 
LVL 1

Author Comment

by:TrustGroup-UAE
Comment Utility
Hi,

After adding in the above still there was no routing. I have since spoken to TAC who asked me to upgrade the ASA IOS.

After doing this and adding the above all now works!

Many thanks for your Help!

Cheers
Si
0
 

Expert Comment

by:samashcam
Comment Utility
Hi Si,

What is the version of the IOS did you need to upgrade to?

Cheers,
Samashcam
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

Suggested Solutions

Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now