ASA 5505 (2) Internal VLANs cannot communicate with each other

mcsdguyian
mcsdguyian used Ask the Experts™
on
I have setup 2 internal VLANs. Both VLans can access the internet , but the cannot access each other.  I  am including my sanitized  config

Result of the command: "show config"

: Saved
: Written by enable_15 at 09:11:10.072 UTC Tue Apr 15 2014

ASA Version 8.2(5)

names

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2
 switchport access vlan 15

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5
 switchport access vlan 5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.140 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.34 255.255.255.240

interface Vlan5
 description Guest Access
 nameif GuestAccess
 security-level 10
 ip address 192.168.1.50 255.255.255.0

interface Vlan15
 no forward interface Vlan5
 nameif Corporate
 security-level 100
 ip address 192.168.40.1 255.255.255.0

ftp mode passive
dns server-group DefaultDNS

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network inside-subnet
object-group network Corporate_outside
access-list outside-access-in extended permit icmp any any
access-list outside-access-in extended permit tcp any host XX.XX.XX.36 eq www log
access-list outside-access-in extended permit tcp any host XX.XX.XX.35 eq www log
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list Inside-to-any extended permit ip 192.168.50.0 255.255.255.0 any
access-list Corporate_inbound extended permit icmp any any
pager lines 24
logging enable
logging asdm informational

mtu inside 1500
mtu outside 1500
mtu Corporate 1500
mtu GuestAccess 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 XX.XX.XX.35-XX.XX.XX.40 netmask 255.255.255.255
global (outside) 2 interface
nat (inside) 2 192.168.50.0 255.255.255.0
nat (Corporate) 2 192.168.40.0 255.255.255.0
static (inside,outside) XX.XX.XX.35 192.168.50.131 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.40 192.168.50.245 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.36 192.168.50.135 netmask 255.255.255.255
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

class-map inspection_default
 match default-inspection-traffic


policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect ip-options
  inspect http
  inspect ils


Thanks,
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
You will need to have a nat statement for any traffic that crosses between two interfaces, even if you don't need to nat. Essentially, you would be defining a nat to more or less not NAT the traffic.

static (inside,Corporate) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

There may be other things going on. If the NAT doesn't fix it, run a packet tracer both directions and post the results.

Author

Commented:
ok I did that but it still does not work.

I get the following Error "(acl-drop) Flow denied by configured rule"

I have only the default rules applied to the inside and corporate interface.  Plase see the attached files for the screen shots of the GUI

Thanks for your help
ASA-5505-SS.doc

Commented:
I didn't think that you'd need the ACL for same security traffic, but perhaps you do. Apply an acl to both interfaces and specifically permit the traffic. The ACL could simply be a "permit any any", but at the least needs to permit subnet to subnet traffic.

IMPORTANT - Don't forget that there is an implicit deny at the end of any acl. If you create an acl and only permit inside subnet to corporate subnet, that will be the ONLY traffic allowed. All internet traffic will break, hence, my suggestion of possibly going with a "permit any any" type of ACL.

You could give this a shot, and again, if it doesn't work, post the packet tracer output. It is more useful to me to have the command line packet tracer output if possible.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
I don't understand how I would permit the subnet to subnet traffic.  I am a newbie to the ASA and have spent hours trying to get this working.  Please explain how I would do that

thanks

Author

Commented:
its weird and I don't know what I am doing wrong, but I do an any to any IP Permit. and the trace is dropped because of the any to ip deny that is a default rule.

Author

Commented:
here is the results of the packet tracer

Result of the command: "packet-tracer input inside icmp 192.168.50.2 0 0 192.168.40.5"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.40.0    255.255.255.0   Corporate

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,Corporate) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
  match ip inside 192.168.50.0 255.255.255.0 Corporate any
    static translation to 192.168.50.0
    translate_hits = 91, untranslate_hits = 75
Additional Information:
Static translate 192.168.50.0/0 to 192.168.50.0/0 using netmask 255.255.255.0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,Corporate) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
  match ip inside 192.168.50.0 255.255.255.0 Corporate any
    static translation to 192.168.50.0
    translate_hits = 91, untranslate_hits = 75
Additional Information:

Phase: 8
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Corporate) 2 192.168.40.0 255.255.255.0
  match ip Corporate 192.168.40.0 255.255.255.0 inside any
    dynamic translation to pool 2 (No matching global)
    translate_hits = 7993, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Corporate
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Senior Network Engineer
Commented:
i see that you have tried using static NATing, but one route you can go is to use NAT-exempt for the PIX instead of static NATing.

you can try the following for NAT-exemption for both inside and Corporate to avoid getting the DROP on the NAT-rpf failure

nat (inside) 0 access-list inside_nat0_outbound
nat (Corporate) 0 access-list Corporate_nat0_outbound

access-list inside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.40.0 255.255.255.0
!
access-list Corporate_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.50.0 255.255.255.0

Open in new window


but you'll probably have to remove the previous static NAT you have placed.

no static (inside,Corporate) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

Open in new window


another thing you can try is add another static NAT for the reverse path

static (Corporate,inside) 192.168.40.0 192.168.40.0 netmask 255.255.255.0

Open in new window


previous static NAT ensures you are doing identity-NAT (NATing to itself) when going inside to Corporate, while the 2nd static NAT ensures you are going identity-NAT when going from Corporate to inside.

You can try either solution and let us know if it did the trick. hope this helps.

Author

Commented:
I spent a long time trying to figure out why that didn't work I was using the GUI and it kept leading me to think that it was an access rule and not the NAT. THe Extended permit worked perfect!

I do have a final question.  I can ping the interface IP addresses 192.168.50.140 and 192.168.50.140 when I am on that subnet, but not from the other subnet. I would think that I could, because I can ping any other IP address from the subnets across subnets.  Just not the interface IP

Thank you

Commented:
Hmm... perhaps add "permit icmp any any" to the access lists as well. I can't remember off the top of my head what is required to do that. It can be a bit strange when it comes to certain types of traffic destined for the ASA itself.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial