Tuesday, January 25, 2011

ASA 5505 Vlan question

I am setting up a Cisco ASA 5505 with the base license. I can communicate from inside->outside, outside->inside, inside->home, which is my desired traffic security. I can get http, ssh, and other access from inside->home, but I can't ping from inside->home (192.168.110.0 host to 192.168.7.1 or 192.168.7.0 host).

Can someone explain? My config is listed below.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.110.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group birdie
 ip address removedIP 255.255.255.255 pppoe
!
interface Vlan3
 no forward interface Vlan1
 nameif home
 security-level 50
 ip address 192.168.7.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list Outside-In extended permit icmp any any
access-list Outside-In extended permit tcp any any eq www
access-list Outside-In extended permit tcp any any eq https
access-list Outside-In extended permit tcp any any eq 5969
access-list inside_nat0_outbound extended permit ip any 192.168.111.0 255.255.255.224
access-list standardUser_splitTunnelAcl1 extended permit ip 192.168.111.0 255.255.255.0 any
access-list standardUser_splitTunnelAcl1 extended permit ip 192.168.110.0 255.255.255.0 any
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list home_in extended permit icmp any any
access-list home_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1492
mtu outside 1492
mtu home 1500
ip local pool vpnuser 192.168.111.5-192.168.111.20
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (home) 1 192.168.7.0 255.255.255.0
static (inside,outside) tcp interface https 192.168.110.6 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.110.6 www netmask 255.255.255.255
static (inside,outside) tcp interface 5969 192.168.110.12 5969 netmask 255.255.255.255
static (inside,home) 192.168.110.0 192.168.110.0 netmask 255.255.255.0
access-group inside_in in interface inside
access-group Outside-In in interface outside
access-group home_in in interface home
route outside 0.0.0.0 0.0.0.0 RemovedIP 1
  • The only thing that looks odd to me in your config is the static(inside,home) statement. It seems to be a no-op since the mapped and real addresses are the same. In my config, I have a dmz type network, too, and no static(inside,dmz) statement. (I do have static(dmz,outside) ... for externally-exposed services).

    Anyway, try removing that static and see what effect that has.

    From Heath
  • I tried to remove the static (inside,home) config, but that stopped access from my inside network to home network.
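A small model of the nat-control check, added here as an example (it is not part of the post and not Cisco's code). It reuses the interface names, security levels and NAT lines from the config above and simplifies the ASA matching rules, as noted in the comments: with nat-control on, a flow from a higher-security interface to a lower one needs a translation, a nat ID entry only counts when a global with that ID exists on the egress interface, and a static for the interface pair counts on its own. Because the only global is on outside, the model shows that the identity static is the only translation covering inside to home, which matches the reply above.

```python
import ipaddress

# Added example, not from the post. Toy model of the nat-control check an
# ASA of this era applies to flows initiated from a higher-security interface
# toward a lower-security one. Matching rules are a simplification (assumption):
# "nat (ifc) ID" is usable only if "global (egress) ID" exists (ID 0 is NAT
# exemption and needs no global); "static (ifc,egress)" satisfies that pair.
SECURITY = {"inside": 100, "outside": 0, "home": 50}
GLOBALS = {("outside", 1)}                      # global (outside) 1 interface
NAT = [                                         # nat (ifc) ID ... entries
    # nat (inside) 0 access-list inside_nat0_outbound: only toward the VPN pool
    {"ifc": "inside", "id": 0, "dst": ipaddress.ip_network("192.168.111.0/27")},
    {"ifc": "inside", "id": 1, "dst": None},   # nat (inside) 1 0.0.0.0 0.0.0.0
    {"ifc": "home", "id": 1, "dst": None},     # nat (home) 1 192.168.7.0 /24
]
STATICS = [("inside", "home")]                  # static (inside,home) identity

def find_translation(src_ifc, dst_ifc, dst_ip, statics=STATICS):
    """Return the config entry that translates src_ifc -> dst_ifc, or None."""
    dst = ipaddress.ip_address(dst_ip)
    for real_ifc, mapped_ifc in statics:
        if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc):
            return "static (%s,%s)" % (src_ifc, dst_ifc)
    for rule in NAT:
        if rule["ifc"] != src_ifc:
            continue
        if rule["dst"] is not None and dst not in rule["dst"]:
            continue                            # exemption ACL does not match
        if rule["id"] == 0 or (dst_ifc, rule["id"]) in GLOBALS:
            return "nat (%s) %d" % (src_ifc, rule["id"])
    return None                                 # no global on the egress side

def nat_control_verdict(src_ifc, dst_ifc, dst_ip, statics=STATICS):
    """(allowed, reason) for a flow initiated from src_ifc toward dst_ifc."""
    if SECURITY[src_ifc] <= SECURITY[dst_ifc]:
        return True, "not higher-to-lower; nat-control check not modelled"
    hit = find_translation(src_ifc, dst_ifc, dst_ip, statics)
    if hit is None:
        return False, "nat-control: no translation for %s -> %s" % (src_ifc, dst_ifc)
    return True, hit

if __name__ == "__main__":
    print(nat_control_verdict("inside", "home", "192.168.7.5"))
    # Identity static removed: inside -> home loses its only translation.
    print(nat_control_verdict("inside", "home", "192.168.7.5", statics=[]))
```

The model only answers whether a translation exists for the interface pair; it says nothing about why ICMP in particular fails while TCP works.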
