Avatar of mcsdguyian
mcsdguyian
Flag for United States of America asked on

ASA 5505 (2) Internal VLANs cannot communicate with each other

I have setup 2 internal VLANs. Both VLans can access the internet , but the cannot access each other.  I  am including my sanitized  config

Result of the command: "show config"

: Saved
: Written by enable_15 at 09:11:10.072 UTC Tue Apr 15 2014

ASA Version 8.2(5)

names

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2
 switchport access vlan 15

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5
 switchport access vlan 5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.140 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.34 255.255.255.240

interface Vlan5
 description Guest Access
 nameif GuestAccess
 security-level 10
 ip address 192.168.1.50 255.255.255.0

interface Vlan15
 no forward interface Vlan5
 nameif Corporate
 security-level 100
 ip address 192.168.40.1 255.255.255.0

ftp mode passive
dns server-group DefaultDNS

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network inside-subnet
object-group network Corporate_outside
access-list outside-access-in extended permit icmp any any
access-list outside-access-in extended permit tcp any host XX.XX.XX.36 eq www log
access-list outside-access-in extended permit tcp any host XX.XX.XX.35 eq www log
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list Inside-to-any extended permit ip 192.168.50.0 255.255.255.0 any
access-list Corporate_inbound extended permit icmp any any
pager lines 24
logging enable
logging asdm informational

mtu inside 1500
mtu outside 1500
mtu Corporate 1500
mtu GuestAccess 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 XX.XX.XX.35-XX.XX.XX.40 netmask 255.255.255.255
global (outside) 2 interface
nat (inside) 2 192.168.50.0 255.255.255.0
nat (Corporate) 2 192.168.40.0 255.255.255.0
static (inside,outside) XX.XX.XX.35 192.168.50.131 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.40 192.168.50.245 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.36 192.168.50.135 netmask 255.255.255.255
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

class-map inspection_default
 match default-inspection-traffic


policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect ip-options
  inspect http
  inspect ils


Thanks,
CiscoHardware FirewallsRouters

Avatar of undefined
Last Comment
rauenpc

8/22/2022 - Mon
rauenpc

You will need to have a nat statement for any traffic that crosses between two interfaces, even if you don't need to nat. Essentially, you would be defining a nat to more or less not NAT the traffic.

static (inside,Corporate) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

There may be other things going on. If the NAT doesn't fix it, run a packet tracer both directions and post the results.
mcsdguyian

ASKER
ok I did that but it still does not work.

I get the following Error "(acl-drop) Flow denied by configured rule"

I have only the default rules applied to the inside and corporate interface.  Plase see the attached files for the screen shots of the GUI

Thanks for your help
ASA-5505-SS.doc
rauenpc

I didn't think that you'd need the ACL for same security traffic, but perhaps you do. Apply an acl to both interfaces and specifically permit the traffic. The ACL could simply be a "permit any any", but at the least needs to permit subnet to subnet traffic.

IMPORTANT - Don't forget that there is an implicit deny at the end of any acl. If you create an acl and only permit inside subnet to corporate subnet, that will be the ONLY traffic allowed. All internet traffic will break, hence, my suggestion of possibly going with a "permit any any" type of ACL.

You could give this a shot, and again, if it doesn't work, post the packet tracer output. It is more useful to me to have the command line packet tracer output if possible.
Your help has saved me hundreds of hours of internet surfing.
fblack61
mcsdguyian

ASKER
I don't understand how I would permit the subnet to subnet traffic.  I am a newbie to the ASA and have spent hours trying to get this working.  Please explain how I would do that

thanks
mcsdguyian

ASKER
its weird and I don't know what I am doing wrong, but I do an any to any IP Permit. and the trace is dropped because of the any to ip deny that is a default rule.
mcsdguyian

ASKER
here is the results of the packet tracer

Result of the command: "packet-tracer input inside icmp 192.168.50.2 0 0 192.168.40.5"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.40.0    255.255.255.0   Corporate

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,Corporate) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
  match ip inside 192.168.50.0 255.255.255.0 Corporate any
    static translation to 192.168.50.0
    translate_hits = 91, untranslate_hits = 75
Additional Information:
Static translate 192.168.50.0/0 to 192.168.50.0/0 using netmask 255.255.255.0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,Corporate) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
  match ip inside 192.168.50.0 255.255.255.0 Corporate any
    static translation to 192.168.50.0
    translate_hits = 91, untranslate_hits = 75
Additional Information:

Phase: 8
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Corporate) 2 192.168.40.0 255.255.255.0
  match ip Corporate 192.168.40.0 255.255.255.0 inside any
    dynamic translation to pool 2 (No matching global)
    translate_hits = 7993, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Corporate
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER CERTIFIED SOLUTION
Nico Eisma

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
mcsdguyian

ASKER
I spent a long time trying to figure out why that didn't work I was using the GUI and it kept leading me to think that it was an access rule and not the NAT. THe Extended permit worked perfect!

I do have a final question.  I can ping the interface IP addresses 192.168.50.140 and 192.168.50.140 when I am on that subnet, but not from the other subnet. I would think that I could, because I can ping any other IP address from the subnets across subnets.  Just not the interface IP

Thank you
rauenpc

Hmm... perhaps add "permit icmp any any" to the access lists as well. I can't remember off the top of my head what is required to do that. It can be a bit strange when it comes to certain types of traffic destined for the ASA itself.