Link to home
Start Free TrialLog in
Avatar of mcsdguyian
mcsdguyianFlag for United States of America

asked on

ASA 5505 (2) Internal VLANs cannot communicate with each other

I have setup 2 internal VLANs. Both VLans can access the internet , but the cannot access each other.  I  am including my sanitized  config

Result of the command: "show config"

: Saved
: Written by enable_15 at 09:11:10.072 UTC Tue Apr 15 2014

ASA Version 8.2(5)


interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2
 switchport access vlan 15

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5
 switchport access vlan 5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.34

interface Vlan5
 description Guest Access
 nameif GuestAccess
 security-level 10
 ip address

interface Vlan15
 no forward interface Vlan5
 nameif Corporate
 security-level 100
 ip address

ftp mode passive
dns server-group DefaultDNS

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network inside-subnet
object-group network Corporate_outside
access-list outside-access-in extended permit icmp any any
access-list outside-access-in extended permit tcp any host XX.XX.XX.36 eq www log
access-list outside-access-in extended permit tcp any host XX.XX.XX.35 eq www log
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list Inside-to-any extended permit ip any
access-list Corporate_inbound extended permit icmp any any
pager lines 24
logging enable
logging asdm informational

mtu inside 1500
mtu outside 1500
mtu Corporate 1500
mtu GuestAccess 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 XX.XX.XX.35-XX.XX.XX.40 netmask
global (outside) 2 interface
nat (inside) 2
nat (Corporate) 2
static (inside,outside) XX.XX.XX.35 netmask
static (inside,outside) XX.XX.XX.40 netmask
static (inside,outside) XX.XX.XX.36 netmask
access-group outside-access-in in interface outside
route outside XX.XX.XX.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect ip-options
  inspect http
  inspect ils

Avatar of rauenpc
Flag of United States of America image

You will need to have a nat statement for any traffic that crosses between two interfaces, even if you don't need to nat. Essentially, you would be defining a nat to more or less not NAT the traffic.

static (inside,Corporate) netmask

There may be other things going on. If the NAT doesn't fix it, run a packet tracer both directions and post the results.
Avatar of mcsdguyian


ok I did that but it still does not work.

I get the following Error "(acl-drop) Flow denied by configured rule"

I have only the default rules applied to the inside and corporate interface.  Plase see the attached files for the screen shots of the GUI

Thanks for your help
I didn't think that you'd need the ACL for same security traffic, but perhaps you do. Apply an acl to both interfaces and specifically permit the traffic. The ACL could simply be a "permit any any", but at the least needs to permit subnet to subnet traffic.

IMPORTANT - Don't forget that there is an implicit deny at the end of any acl. If you create an acl and only permit inside subnet to corporate subnet, that will be the ONLY traffic allowed. All internet traffic will break, hence, my suggestion of possibly going with a "permit any any" type of ACL.

You could give this a shot, and again, if it doesn't work, post the packet tracer output. It is more useful to me to have the command line packet tracer output if possible.
I don't understand how I would permit the subnet to subnet traffic.  I am a newbie to the ASA and have spent hours trying to get this working.  Please explain how I would do that

its weird and I don't know what I am doing wrong, but I do an any to any IP Permit. and the trace is dropped because of the any to ip deny that is a default rule.
here is the results of the packet tracer

Result of the command: "packet-tracer input inside icmp 0 0"

Phase: 1
Result: ALLOW
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Subtype: input
Result: ALLOW
Additional Information:
in   Corporate

Phase: 3
Result: ALLOW
Implicit Rule
Additional Information:

Phase: 4
Result: ALLOW
Additional Information:

Phase: 5
Subtype: np-inspect
Result: ALLOW
Additional Information:

Phase: 6
Type: NAT
Result: ALLOW
static (inside,Corporate) netmask
  match ip inside Corporate any
    static translation to
    translate_hits = 91, untranslate_hits = 75
Additional Information:
Static translate to using netmask

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
static (inside,Corporate) netmask
  match ip inside Corporate any
    static translation to
    translate_hits = 91, untranslate_hits = 75
Additional Information:

Phase: 8
Result: ALLOW
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
nat (Corporate) 2
  match ip Corporate inside any
    dynamic translation to pool 2 (No matching global)
    translate_hits = 7993, untranslate_hits = 0
Additional Information:

input-interface: inside
input-status: up
input-line-status: up
output-interface: Corporate
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Avatar of Nico Eisma
Nico Eisma
Flag of Philippines image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I spent a long time trying to figure out why that didn't work I was using the GUI and it kept leading me to think that it was an access rule and not the NAT. THe Extended permit worked perfect!

I do have a final question.  I can ping the interface IP addresses and when I am on that subnet, but not from the other subnet. I would think that I could, because I can ping any other IP address from the subnets across subnets.  Just not the interface IP

Thank you
Hmm... perhaps add "permit icmp any any" to the access lists as well. I can't remember off the top of my head what is required to do that. It can be a bit strange when it comes to certain types of traffic destined for the ASA itself.