Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
636
Views
0
Helpful
4
Replies

Cannot send traffic between two internal interfaces on ASA 5510

osufederal
Level 1
Level 1

‎07-08-2009 07:35 AM - edited ‎03-11-2019 08:52 AM

Hello, I could use some help understanding a configuration concept on an existing ASA 5510. I have four interfaces configured: Outside (security level 0), Inside (security level 100), DMZ (security level 90), and Others (security level 90). My goal is to send https traffic back and forth between a host on the DMZ interface and a host on the Others interface.

The DMZ interface uses the 192.168.1.32/27 network and the Others interface uses the 192.168.1.64/27 network. When I use the "show route" command on the 5510, I can see the two networks are Connected (no static routes, just the correct C entries). I'm not sure why the security levels are exactly the same for those two interfaces (I inherited the configuration), but I decided to leave the security settings alone and added the "same-security-traffic permit inter-interface" command to the running configuration.

There are a number of ACL and NAT entries (entered by others) in the configuration that may be confusing the issue. There is a Global Pool set up for the DMZ interface (192.168.1.93) and the Others interface (192.168.1.44), and whenever I try to send traffic from the DMZ host to the Others host, the packet capture shows the packets going from the DMZ host into the .93 pool (and never entering the .32 network).

At this point, I'm wondering if the existing configuration can be corrected - or should I remove the work done by others and start over? And if I start over (which I am inclined to do), what do I add to or remove from the existing configuration (route, acl, nat) so the traffic moves properly? Thanks in advance for any assistance - I have been researching the 5510 but only have a few weeks of experience with the device.

Labels:
0 Helpful
4 Replies 4

Collin Clark
VIP Alumni
VIP Alumni

‎07-08-2009 07:53 AM

Here's a good doc that explains how it works and how to properly configure it.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

Hope that helps.

0 Helpful

osufederal
Level 1
Level 1
In response to Collin Clark

‎07-08-2009 02:43 PM

Thanks for the link to the document. It looks like using a NAT Exempt statement for the two hosts was the simplest way to get them to talk with each other, and now the systems can ping each other. However, I cannot get the host in the DMZ to send https data anywhere (and the DMZ host can't browse out to any web pages, which is how we are testing connectivity). Did I miss something in the configuration?

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to osufederal

‎07-09-2009 05:09 AM

Do you have an ACL on the DMZ interface? Can you post your global and NAT statements?

0 Helpful

osufederal
Level 1
Level 1
In response to Collin Clark

‎07-09-2009 07:27 AM

Hello, we do have a lengthy ACL on the DMZ interface, and I did find an entry that was blocking the http and https traffic. I changed the rules in the aclDMZ so I can now access other http and https sites from the DMZ host, but I still cannot access the one address our DMZ host needs to communicate with. In brief, we need a two-way communication that sends and receives http and https traffic. The players are:

- the DMZ host (192.168.1.73),

- the Others router (192.168.1.38), and

- the DistantHost (a global IP address).

The two-way traffic flow needs to go ...

- from the DMZ host through the DMZ interface to the Others interface,

- from the Others interface to a router port on the Others network,

- from the Others router (it's not our router and I cannot log into it) sends the traffic through a private circuit to the DistantHost,

- and the DistantHost sends the data back to the DMZ host along the same pathway.

The DMZ host and the DistantHost need to send and receive data twice for every transaction (once to transmit the data and the second time to authenticate the data source).

Whenever I try to connect from the DMZ host to the DistantHost, using https, the ASA 5510 syslog displays this message:

305005 DistantHost No translation group found for tcp src DMZ:192.168.1.73/1333 dst Others:DistantHost/443

There is a static route in the ASA 5510 (set up by someone else) that looks like it was added to ensure requests to the DistantHost address go through the private circuit connected to the Others router. Here is the static route:

Others 63.241.53.24 255.255.255.255 192.168.1.38 metric 1

And here are the global and nat settings from the ASA 5510 running configuration:

global (Outside) 1 56.12.22.1 netmask 255.255.255.0

global (Others) 1 192.168.1.44 netmask 255.255.255.224

global (DMZ) 1 192.168.1.93 netmask 255.255.255.224

nat (Inside) 0 access-list 80

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (Others) 0 access-list Others_nat0_outbound

nat (Others) 1 0.0.0.0 0.0.0.0

nat (DMZ) 0 access-list DMZ_nat0_outbound

nat (DMZ) 1 0.0.0.0 0.0.0.0

access-list DMZ_nat0_outbound extended permit ip host 192.168.1.73 host 192.168.1.38

access-list Others_nat0_outbound extended permit ip host 192.168.1.38 host 192.168.1.73

I am challenged by the underlying concept as well as organizing the commands needed to make the connection work. Any help you can offer on the concept and the commands would be greatly appreciated.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card