Need to communicate/ping to another interface with the same security level

Unanswered Question
Dec 2nd, 2008

Hello, I need help regarding my ASA configuration. As it turns out, I need to allow my inside vlan to communicate with my insidevoice vlan. I am not sure what could be missing in my configuration below:

ASA Version 7.0(8)

!

hostname ASA

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 123.123.123.1 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/2

nameif insidevoice

security-level 100

ip address 192.168.0.220 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

management-only

!

ftp mode passive

same-security-traffic permit inter-interface

access-list outside_access_in extended permit gre any any

access-list outside_access_in extended permit tcp any interface outside eq pop3

access-list outside_access_in extended permit tcp any interface outside eq www

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any interface outside eq ssh

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-list outside_access_in extended permit tcp any interface outside eq imap4

access-list outside_access_in extended permit tcp any interface outside eq ldap

access-list outside_access_in extended permit tcp any interface outside eq 222

access-list outside_access_in extended permit icmp any any

access-list toabc extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list toabcd extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0

access-list toabcde extended permit ip 192.168.1.0 255.255.255.0 10.100.100.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.100.100.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

mtu insidevoice 1500

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 222 192.168.1.50 ssh netmask 255.255.255.255

static (inside,outside) tcp interface 3389 192.168.1.243 3389 netmask 255.255.255.255

static (inside,outside) tcp interface ldap 192.168.1.240 ldap netmask 255.255.255.255

static (inside,outside) tcp interface imap4 192.168.1.246 imap4 netmask 255.255.255.255

static (inside,outside) tcp interface www 192.168.1.246 www netmask 255.255.255.255

static (inside,outside) tcp interface pop3 192.168.1.246 pop3 netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.1.246 smtp netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 123.123.123.2 1

snmp-server enable traps snmp authentication linkup linkdown coldstart

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

!

service-policy global_policy global

Cryptochecksum:xxx

: end

ASA#

Jon Marshall Tue, 12/02/2008 - 09:11

Brian

Add to your existing access-list

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

and then

access-list nonat1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (insidevoice) 0 access-list nonat1

Jon

brianbono Tue, 12/02/2008 - 09:31

Thanks Jon, I have added that configuration but it seems that I still cannot ping any host on the insidevoice vlan.

Appreciate all your help.

Please advise....

brian

Jon Marshall Tue, 12/02/2008 - 10:18

Apologies for that Brian.

On second thoughts can you remove

access-list nonat1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (insidevoice) 0 access-list nonat1

I don't think that will make it work, but it is not needed. The other bit of config, i.e.

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

is needed because even though you do not need NAT between interfaces of the same level once you apply NAT to an interface you then need to account for all NAT.

Once you've removed the config as above can you run "clear xlate" to clear any existing translations. NOTE - please don't do this on a production firewall during production hours as it clears all existing translations and breaks all connections. You can be more specific with the "clear xlate" command -

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/c.html#wp1966244

Then try to ping a machine in your voice LAN from the inside LAN and then have a look in the xlate table and see if you can see a translation for the connection, i.e.

sh xlate detail

It is my understanding that you do not need an ACL between interfaces with the same security level. Is there anything other than ICMP you can try when going from the inside LAN to the voice LAN?

Jon

sean.lagerholm Tue, 12/02/2008 - 13:49

By default the ASA won't permit traffic between 2 interfaces with the same security level. You could configure the ASA to allow this communication with the command:

(from global config mode)

same-security-traffic permit inter-interface

Jon Marshall Tue, 12/02/2008 - 13:54

Sean

Thanks for that but if you look at the config Brian posted it already has that line in there.

Jon

brianbono Wed, 12/03/2008 - 03:39

Jon,

I have tried the last configuration that you have mentioned and have cleared the xlate after office hours but I still cannot ping any host on the insidevoice vlan.

Do you think if I add the configuration below it would make some sense...

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

thanks again... for your ideas and suggestions please refer to the sanitized config above.

gracias,

brian

Jon Marshall Wed, 12/03/2008 - 04:05

Brian

I did think of asking you to add the ICMP inspection, and that's why I asked if there was another port, perhaps a TCP port, you could test the connectivity with, because ICMP is not always the most reliable. But my understanding of ICMP inspection is that it is needed for the return traffic from a lower to higher security interface and this is not the case here.

Worth a try, I suppose.

One other question. The machines in both your inside LAN and insidevoip LAN, are their respective default gateways set to the ASA interfaces?

Jon

brianbono Wed, 12/03/2008 - 04:41

Jon,

I have added and tried the ICMP inspection but still it can't communicate.

Yes the inside vlan has the default gateway of the ASA's Ethernet0/1 (192.168.1.1). As for the insidevoice vlan, its default gateway is another IP on that vlan which is 192.168.0.249...

Please advise

Jon Marshall Wed, 12/03/2008 - 05:31

Brian

This could be your problem. What is 192.168.0.249 ?

On the 192.168.0.249 device does it have a route for 192.168.1.0/24 network and if so what is the next-hop ?

If it doesn't have a specific route does it have a default-route and what is the next-hop for that ?

Jon

brianbono Wed, 12/03/2008 - 05:49

The 192.168.0.249 device does not have a route to the 192.168.1.0/24 network since that device defaults to another dedicated ISP for voice communications.

Is this the cause of my problems?

Appreciate all your help...

Jon Marshall Wed, 12/03/2008 - 06:02

Could well be. What is happening is that the ping reaches the machine on your insidevoip LAN, but this machine then sends the traffic to 192.168.0.249, which doesn't know how to get to the 192.168.1.0/24 network.

You have a couple of options depending on traffic flows. If the traffic is always initiated from the inside LAN to the VOIP LAN then the easiest way might well be to NAT all the client IPs from the inside LAN to the address of the interface on the insidevoip LAN. We should try this to see if this is your problem. So ..

1) You have to remove the other config line I gave you - sorry, but we now don't want a NAT exemption for traffic going from the inside LAN to the insidevoip LAN

no access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

2) then add to your config

global (insidevoice) 1 interface

then try again and let me know.

Jon
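
The return-path problem described in the post above, as an added example that is not part of the original thread: a small Python model of where a voice-VLAN host sends its echo reply, with the NAT exemption in place, with PAT to the `insidevoice` interface address, and with a route added on 192.168.0.249. The client address 192.168.1.10, the `voice-isp` label and the third case (a route on the gateway, which generalizes beyond what the thread proposes) are assumptions.

```python
import ipaddress

# Constructed model of the voice VLAN described in the thread.
VOICE_NET = ipaddress.ip_network("192.168.0.0/24")
ASA_INSIDEVOICE = ipaddress.ip_address("192.168.0.220")  # ASA Ethernet0/2
VOICE_GW = ipaddress.ip_address("192.168.0.249")         # voice hosts' default gateway
VOICE_ISP = "voice-isp"                                  # placeholder for the gateway's upstream

def lookup(routes, dst):
    """Longest-prefix match over {network: next_hop}; None if nothing matches."""
    matches = [net for net in routes if dst in net]
    return routes[max(matches, key=lambda net: net.prefixlen)] if matches else None

def reply_path(reply_dst, gw_routes):
    """Hops an echo reply takes from a voice-VLAN host toward reply_dst."""
    dst = ipaddress.ip_address(reply_dst)
    if dst in VOICE_NET:              # on-link: delivered directly, no gateway involved
        return [dst]
    hop = lookup(gw_routes, dst)      # off-link: handed to the default gateway
    return [VOICE_GW, hop if hop is not None else "dropped"]

def reaches_asa(path):
    """True when the last hop of the reply is the ASA's insidevoice interface."""
    return path[-1] == ASA_INSIDEVOICE

# Gateway as described in the thread: only a default route toward the voice ISP.
GW_AS_IS = {ipaddress.ip_network("0.0.0.0/0"): VOICE_ISP}
# Assumption, not from the thread: the same gateway with a route back via the ASA.
GW_WITH_ROUTE = {**GW_AS_IS, ipaddress.ip_network("192.168.1.0/24"): ASA_INSIDEVOICE}

def scenarios(client="192.168.1.10"):  # constructed inside-LAN client address
    return {
        # NAT exemption: the voice host sees the real 192.168.1.x source.
        "nat exemption": reply_path(client, GW_AS_IS),
        # global (insidevoice) 1 interface: the source appears as 192.168.0.220.
        "PAT to insidevoice interface": reply_path(str(ASA_INSIDEVOICE), GW_AS_IS),
        # Untranslated source, but the gateway knows the way back.
        "route added on gateway": reply_path(client, GW_WITH_ROUTE),
    }

if __name__ == "__main__":
    for name, path in scenarios().items():
        hops = " -> ".join(str(h) for h in path)
        print(f"{name:30} {hops:32} reaches ASA: {reaches_asa(path)}")
```
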

brianbono Wed, 12/03/2008 - 06:41

Jon,

I will try this one after office hours and will update you if it works.

Thanks again for your patience.

brian

sean.lagerholm Wed, 12/03/2008 - 13:20

Oops, I did miss the config line allowing same level communication. We had a similar scenario and our engineering team came up with using multi-context mode. Our reason may be different from yours, but we needed to send traffic to core switches so that dynamic routing will ensure connections to either data center. You could break up the firewall, but it may be overkill.
