12-02-2008 09:04 AM - edited 03-11-2019 07:20 AM
Hello I need help regarding my ASA configuration. As it turns out I need to allow my inside vlan to communicate with my insidevoice vlan. I am not sure what could be missing in my configuration below:
ASA Version 7.0(8)
!
hostname ASA
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 123.123.123.1 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif insidevoice
security-level 100
ip address 192.168.0.220 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq imap4
access-list outside_access_in extended permit tcp any interface outside eq ldap
access-list outside_access_in extended permit tcp any interface outside eq 222
access-list outside_access_in extended permit icmp any any
access-list toabc extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list toabcd extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list toabcde extended permit ip 192.168.1.0 255.255.255.0 10.100.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.100.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu insidevoice 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 222 192.168.1.50 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.243 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ldap 192.168.1.240 ldap netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.1.246 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.246 www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.246 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.246 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.2 1
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
ASA#
12-02-2008 09:11 AM
Brian
Add to your existing access-list
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
and then
access-list nonat1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (insidevoice) 0 access-list nonat1
Jon
12-02-2008 09:31 AM
Thanks Jon, I have added that configuration but it seems that I still cannot ping any host on the insidevoice vlan.
Appreciate all your help.
Please advise....
brian
12-02-2008 10:18 AM
Apologies for that Brian.
On second thoughts can you remove
access-list nonat1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (insidevoice) 0 access-list nonat1
I don't think that will make it work, but it is not needed. The other bit of config, i.e.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
is needed because, even though you do not need NAT between interfaces of the same level, once you apply NAT to an interface you then need to account for all NAT.
Once you've removed the config as above can you run "clear xlate" to clear any existing translations. NOTE - please don't do this on a production firewall during production hours as it clears all existing translations and breaks all connections. You can be more specific with the "clear xlate" command -
http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/c.html#wp1966244
Then try to ping a machine in your voice LAN from the inside LAN and then have a look in the xlate table and see if you can see a translation for the connection, i.e.
sh xlate detail
It is my understanding that you do not need an acl between interfaces with the same security level. Is there anything other than ICMP you can try when going from the inside LAN to the voice LAN ?
Jon
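The rule Jon states above (once NAT is applied on an interface, every flow leaving it needs either an exemption or a matching global), as an added example that is not part of the thread and not Cisco code: a small Python lint that applies a simplified version of the pre-8.3 ASA translation lookup to the inside -> insidevoice flow, first on a trimmed copy of the config from the first post and then with each of the two repairs discussed later in the thread. The host addresses 192.168.1.50 and 192.168.0.10 are assumed for the check; the order of operations in the docstring is the subset of the real lookup that matters for this case.

```python
"""Added example, not from the thread or from Cisco: a small lint that applies
the pre-8.3 ASA NAT logic Jon describes ("once you NAT an interface you must
account for all NAT") to a config, for one flow.

Simplified order of operations for a packet entering `ingress` and leaving
`egress` (assumption: this is the subset of the real lookup that matters here):
  1. same security level requires `same-security-traffic permit inter-interface`
  2. `nat (ingress) 0 access-list X` matching src/dst -> exempt, passes untranslated
  3. `nat (ingress) N <net> <mask>` matching src -> needs `global (egress) N`,
     otherwise the ASA finds no translation group and drops the packet
  4. no nat statement at all -> passes untranslated
"""
import ipaddress
import re

# Trimmed copy of the sanitized config posted in the thread (constructed input).
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 nameif insidevoice
 security-level 100
!
same-security-traffic permit inter-interface
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.100.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""


def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pull out only the statements the lint needs; everything else is ignored."""
    cfg = {"levels": {}, "acls": {}, "nat0": {}, "nat": {}, "globals": {}, "same_sec": False}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"nameif (\S+)$", line):
            current = m[1]
        elif m := re.match(r"security-level (\d+)$", line):
            if current:
                cfg["levels"][current] = int(m[1])
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            cfg["nat0"][m[1]] = m[2]
        elif m := re.match(r"nat \((\S+)\) ([1-9]\d*) (\S+) (\S+)$", line):
            cfg["nat"].setdefault(m[1], []).append((int(m[2]), _net(m[3], m[4])))
        elif m := re.match(r"global \((\S+)\) ([1-9]\d*) ", line):
            cfg["globals"].setdefault(m[1], set()).add(int(m[2]))
        elif line == "same-security-traffic permit inter-interface":
            cfg["same_sec"] = True
    return cfg


def check_flow(cfg, ingress, egress, src, dst):
    """Return (passes, reason) for src->dst entering `ingress` and leaving `egress`."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if cfg["levels"].get(ingress) == cfg["levels"].get(egress) and not cfg["same_sec"]:
        return False, "same security level without same-security-traffic permit inter-interface"
    acl = cfg["nat0"].get(ingress)
    if acl and any(src in s and dst in d for s, d in cfg["acls"].get(acl, [])):
        return True, f"exempt: nat ({ingress}) 0 access-list {acl} covers the flow"
    for nat_id, net in cfg["nat"].get(ingress, []):
        if src in net:
            if nat_id in cfg["globals"].get(egress, set()):
                return True, f"translated: nat ({ingress}) {nat_id} with global ({egress}) {nat_id}"
            return False, (f"nat ({ingress}) {nat_id} matches the source but there is no "
                           f"global ({egress}) {nat_id}: no translation group, dropped")
    return True, "no nat statement on the ingress interface, passes untranslated"


def lint_thread_variants():
    """The config as posted, then each of the two repairs Jon proposes in the thread.
    Host addresses are assumed for the test; 192.168.0.10 is a made-up voice host."""
    exemption = "access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0\n"
    pat_on_voice = "global (insidevoice) 1 interface\n"
    variants = {
        "as posted": SAMPLE_CONFIG,
        "nat exemption added": SAMPLE_CONFIG + exemption,
        "global (insidevoice) added": SAMPLE_CONFIG + pat_on_voice,
    }
    flow = ("inside", "insidevoice", "192.168.1.50", "192.168.0.10")
    return {name: check_flow(parse_config(text), *flow) for name, text in variants.items()}


if __name__ == "__main__":
    for name, (passes, why) in lint_thread_variants().items():
        print(f"{name:28} {'pass' if passes else 'DROP'}  {why}")
```

Run as a script it prints one line per variant: the config as posted is reported as dropped because `nat (inside) 1 0.0.0.0 0.0.0.0` matches the source but there is no `global (insidevoice) 1`; adding the exemption line or a global on insidevoice both clear it. The lint only reasons about the translation lookup, so it cannot see the return-path routing problem that turns out to be the real cause later in the thread.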
12-02-2008 01:49 PM
By default the ASA won't permit traffic between 2 interfaces with the same security level. You could configure the ASA to allow this communication with the command:
(from global config mode)
same-security-traffic permit inter-interface
12-02-2008 01:54 PM
Sean
Thanks for that but if you look at the config Brian posted it already has that line in there.
Jon
12-03-2008 03:39 AM
Jon,
I have tried the last configuration that you have mentioned and have cleared the xlate after office hours but I still cannot ping any host on the insidevoice vlan.
Do you think if I add the configuration below it would make some sense...
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
Thanks again for your ideas and suggestions. Please refer to the sanitized config above.
gracias,
brian
12-03-2008 04:05 AM
Brian
I did think of asking you to add the ICMP inspection, and that's why I asked if there was another port, perhaps a TCP port, you could test the connectivity with, because ICMP is not always the most reliable. But my understanding of ICMP inspection is that it is needed for the return traffic from a lower to higher security interface, and this is not the case here.
Worth a try i suppose.
One other question. The machines in both your inside LAN and insidevoip LAN, are their respective default gateways set to the ASA interfaces?
Jon
12-03-2008 04:41 AM
Jon,
I have added and tried the ICMP inspection but still it can't communicate.
Yes, the inside vlan has the default gateway of the ASA's Ethernet0/1 (192.168.1.1). As for the insidevoice vlan, its default gateway is another IP on that vlan, which is 192.168.0.249...
Please advise
12-03-2008 05:31 AM
Brian
This could be your problem. What is 192.168.0.249 ?
On the 192.168.0.249 device does it have a route for 192.168.1.0/24 network and if so what is the next-hop ?
If it doesn't have a specific route does it have a default-route and what is the next-hop for that ?
Jon
12-03-2008 05:49 AM
The 192.168.0.249 device does not have a route to the 192.168.1.0/24 network since that device defaults to another dedicated ISP for voice communications.
Is this the cause of my problems?
Appreciate all your help...
12-03-2008 06:02 AM
Could well be. What is happening is that the ping reaches the machine on your insidevoip LAN, but this machine then sends the traffic to 192.168.0.249, which doesn't know how to get to the 192.168.1.0/24 network.
You have a couple of options depending on traffic flows. If the traffic is always initiated from the inside LAN to the VoIP LAN, then the easiest way might well be to NAT all the client IPs from the inside LAN to the address of the interface on the insidevoip LAN. We should try this to see if this is your problem. So:
1) You have to remove the other config line I gave you - sorry, but we now don't want a NAT exemption for traffic going from the inside LAN to the insidevoip LAN
no access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
2) then add to your config
global (insidevoice) 1 interface
then try again and let me know.
Jon
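Both ways out of the return-path problem Jon describes, as an added config sketch that is not from the thread or from Cisco. Option A is Jon's: hide inside hosts behind the ASA's insidevoice address (the interface is named insidevoice in the posted config), so voice hosts answer a source that is on their own subnet and never consult 192.168.0.249. Option B keeps real addresses and instead gives the voice gateway a route back through the ASA; the ip route syntax assumes 192.168.0.249 is a Cisco IOS device, which the thread does not say.

```text
! Option A: PAT inside -> insidevoice to 192.168.0.220.
! Only works for flows started from the inside LAN; voice hosts see 192.168.0.220 as the source.
no access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
global (insidevoice) 1 interface
clear xlate
!
! Option B: keep the NAT exemption on the ASA, fix the return route on the voice gateway.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
! On 192.168.0.249 (assumed IOS; replies then hairpin from the gateway back to the ASA):
!   ip route 192.168.1.0 255.255.255.0 192.168.0.220
!
! Either way, ping a voice host from 192.168.1.x and confirm on the ASA:
sh xlate detail
```

With option A a translation for the inside host to 192.168.0.220 appears in the xlate table; with option B no translation is expected for that flow, so an empty xlate entry is correct and the test is simply whether the ping answers.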
12-03-2008 06:41 AM
Jon,
I will try this one after office hours and will update you if it works.
Thanks again for your patience.
brian
12-03-2008 01:20 PM
Oops, I did miss the config line allowing same-level communication. We had a similar scenario and our engineering team came up with using multi-context mode. Our reason may be different from yours, but we needed to send traffic to core switches so that dynamic routing would ensure connections to either data center. You could break up the firewall, but it may be overkill.