Access to inside network from second vlan

Unanswered Question
Feb 24th, 2009

I placed a network 10.71.180.128/25 (VLAN71) behind the inside interface of my ASA5505. I have a server on this network that I have to access from both the internet and from inside my network. I understand I can create a NAT rule to access the inside server from the internet, but have not been able to figure out how I can have a computer (10.100.10.1) in the other internal subnet 10.100.10.0/28 access server 10.71.180.140. I only have the Base package on the ASA5505.

Help please.

Mike

michael.m.williams Tue, 02/24/2009 - 13:10

The way we structure our PCI compliance networks is to place them behind an ASA. VLAN71 is the network that needs to be isolated, but I have a server in VLAN100 that exchanges information with one of the servers in VLAN71. The vendor needs to come in from outside to manage the server in VLAN71.

OK - firstly, from the config you posted, the interface in VLAN100, E0/4, is shut down; you need to open it.

Secondly, I would change the VLAN100 security level from 100 to a lower number, as interfaces with the same level do not have to go through an access-list. Currently this breaks your PCI compliance.

Thirdly, just to make sure, I would configure a NAT exemption between the 2 VLAN interfaces.

HTH

michael.m.williams Wed, 02/25/2009 - 14:57

E 0/5 is now active, lowered security level to 0 on VLAN 100

But I don't really understand the NAT exemption rule. I want 10.100.10.1 to be able to access the 10.71.180.136 (inside network) server.

Mike

OK - personally I would set the security level to 50, then I know:

My inside is 100 = totally trusted

My outside is 0 = totally untrusted

My VLAN100 is 50 = can access the internet, but I need to write an ACL for traffic originating in VLAN100 to the inside.

You must look at your NAT - by default all traffic passing from a lower interface to a higher one and vice versa is NATted.

So I would have something like:

  global (outside) 1 interface
  nat (inside) 1 w.w.w.w x.x.x.x
  nat (VLAN100) 1 y.y.y.y z.z.z.z

The above will NAT all traffic to the internet using the outside IP address; then the NAT exemption:

  access-list no-nat permit ip w.w.w.w x.x.x.x y.y.y.y z.z.z.z
  access-list no-nat permit ip y.y.y.y z.z.z.z w.w.w.w x.x.x.x
  nat (inside) 0 access-list no-nat
  nat (VLAN100) 0 access-list no-nat

The above tells the firewall not to NAT when the source and destination match = everything else should be NATted.

w.w.w.w x.x.x.x = VLAN71 IP subnet & mask

y.y.y.y z.z.z.z = VLAN100 IP subnet & mask

Then you need to allow access from server to server:

  access-list allow-server permit ip host 10.100.10.1 host 10.71.180.136
  access-group allow-server in interface VLAN100

HTH

michael.m.williams Fri, 02/27/2009 - 07:16

It would not allow me to enter

  nat (VLAN100) 1 10.100.10.0 255.255.255.128

Currently there is no nameif for the interface, so I attempted to add one. Here is the error I got:

  ERROR: This license does not allow configuring more than 2 interfaces with
  nameif and without a "no forward" command on this interface or on 1 interface(s)
  with nameif already configured.

Do I need to upgrade the license first?

Mike

This error has occurred due to a license limitation on the ASA. You need to obtain the Security Plus license in order to configure more VLANs in routed mode. Only three active VLANs can be configured with the Base license, and up to 20 active VLANs with the Security Plus license. You can create a third VLAN with the Base license, but this VLAN only has communication either to the outside or to the inside, not in both directions. If you need to have communication in both directions, then you need to upgrade the license. Also, if you use the Base license, allow this interface to be the third VLAN and limit it from initiating contact to one other VLAN with the

  hostname(config-if)# no forward interface vlan number

command. Thus the third VLAN can be configured.

Go to:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/ef.html#wp1931294

for the "forward interface" command & explanation.

HTH

Actually, just thinking about it, another possible solution would be:

Move the inside interface onto its own physical interface. Then create a sub-interface and tag it with a VLAN ID.

On your switch, either make the physical port connecting to the ASA a trunk port, or have it as a normal switch port in the inside VLAN and then, if your switch supports it, use the AUX VLAN for your DMZ.

HTH
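The two replies above (the NAT exemption plus ACL, and the Base-license "no forward" workaround) fit together into one configuration. The block below is an added example and is not config posted by anyone in this thread. It uses ASA 8.0 syntax for an ASA 5505 on the Base license. The subnets and the host pair (10.100.10.1 to 10.71.180.140) come from the thread; the ASA interface addresses (10.71.180.129 on inside, 10.100.10.120 on VLAN100), the outside VLAN (Vlan2) and the switch port (Ethernet0/5) are assumptions made for the example.

```cisco
! Added example, not from the thread. ASA 5505, Base license, ASA 8.0 syntax.
! Assumed: inside = Vlan1 10.71.180.129/25, VLAN100 = Vlan100 10.100.10.120/28,
! outside = Vlan2, switch port to the VLAN100 network = Ethernet0/5.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.71.180.129 255.255.255.128
!
interface Vlan100
 ! Base license: a third VLAN is only allowed if it gives up the ability to
 ! initiate traffic to one other VLAN. VLAN100 only needs to reach inside,
 ! so it forgoes outside. This line must come BEFORE nameif on this interface.
 no forward interface vlan 2
 nameif VLAN100
 ! Lower than inside (100): VLAN100 -> inside is denied unless an ACL permits it,
 ! inside -> VLAN100 is allowed by the default higher-to-lower rule.
 security-level 50
 ip address 10.100.10.120 255.255.255.240
!
interface Ethernet0/5
 switchport access vlan 100
 no shutdown
!
! PAT to the Internet for the inside subnet. No nat 1 entry for VLAN100:
! with "no forward interface vlan 2" it has no path to outside anyway.
global (outside) 1 interface
nat (inside) 1 10.71.180.128 255.255.255.128
!
! NAT exemption (identity NAT) between the two internal subnets, both directions.
! Without this, inside -> VLAN100 traffic would match nat (inside) 1 and be
! dropped for lack of a global on VLAN100.
access-list no-nat remark identity NAT between PCI VLAN71 and VLAN100
access-list no-nat extended permit ip 10.71.180.128 255.255.255.128 10.100.10.0 255.255.255.240
access-list no-nat extended permit ip 10.100.10.0 255.255.255.240 10.71.180.128 255.255.255.128
nat (inside) 0 access-list no-nat
nat (VLAN100) 0 access-list no-nat
!
! Only the one VLAN100 host may open connections into the PCI VLAN.
! Everything else entering from VLAN100 hits the implicit deny.
access-list allow-server remark VLAN100 server to PCI server only
access-list allow-server extended permit ip host 10.100.10.1 host 10.71.180.140
access-group allow-server in interface VLAN100
```

Two checks worth running after pasting this in: `show nat` should list the two `nat 0` entries with the `no-nat` ACL, and `packet-tracer input VLAN100 tcp 10.100.10.1 12345 10.71.180.140 443` should walk through the ACL and NAT-exempt phases and end in ALLOW, while the same trace from another VLAN100 address should end in DROP at the ACL phase. For a PCI segment, narrow the `permit ip` in `allow-server` to the protocol and port the two servers actually exchange. The hosts in 10.100.10.0/28 must also route 10.71.180.128/25 via 10.100.10.120; if their default gateway is a different device, as the thread later describes, that device needs a route for the VLAN71 subnet pointing at the ASA's VLAN100 address.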

michael.m.williams Fri, 02/27/2009 - 09:54

No, VLAN100 does not have to access the outside interface, just talk to the server on the inside VLAN.

I have configured everything for NAT exemption and added the no forward command to the outside interface (VLAN 2). I went ahead and configured two test laptops, one in VLAN71 (inside), 10.71.180.135, and one in VLAN100, 10.100.10.114. To check connectivity I pinged from the inside IP to VLAN100 on the ASA CLI and I am good, but I can't ping from the 10.100.10.114 IP to the computer on the inside interface, or ping the inside interface.

Thanks for your help.

Mike

OK - firstly, you have a config error:

  access-list allow-server extended permit ip host 10.100.10.114 host 10.71.100.135

should read:

  access-list allow-server extended permit ip host 10.100.10.114 host 10.71.180.135

Secondly, have you configured the default gateway on the laptops to the correct ASA interface IP address?

Post the output of

  show access-list allow-server

michael.m.williams Fri, 02/27/2009 - 11:22

Config error corrected. Thanks for that. I can't change the default gateway for VLAN100 because this is an existing network that has other servers on it. 10.100.100.1 provides services to the computers within that network and also needs to communicate with the server within VLAN71 (PCI network). The inside laptop is set up with DHCP and has the correct DFG.

Yes, I can ping 10.71.180.135 when I change the default gateway of 10.100.10.114 to 10.100.10.120. Is there another way to reach the inside network from VLAN100 without changing the default gateway?

Mike
