PIX8 Public VLAN and private VLAN problem.

Unanswered Question
Nov 29th, 2009

Hi All,

I have a Cisco ASA 5520 with a Cisco 3750 switch. A few VLANs, as I have many public IP addresses and private IP addresses in 192.168.1.x.

The ACL is permit any any on all the interfaces.

I applied interface NAT (PAT) from the private VLAN to the outside and public address VLANs. But I cannot access the private VLAN from the public VLAN.

Any ideas? Thanks.

Jon Marshall Sun, 11/29/2009 - 13:38

Tsystemsusa wrote:

Hi All,

I have a Cisco ASA 5520 with a Cisco 3750 switch. A few VLANs, as I have many public IP addresses and private IP addresses in 192.168.1.x.

The ACL is permit any any on all the interfaces.

I applied interface NAT (PAT) from the private VLAN to the outside and public address VLANs. But I cannot access the private VLAN from the public VLAN.

Any ideas? Thanks.

Could you provide a few more details, the relevant config would be helpful.

If you want to connect from outside to inside then PAT won't work. You will need static NAT statements.

Jon

Tsystemsusa Sun, 11/29/2009 - 15:09

I only have a few public IP addresses. So I want to use PAT (interface), but the ASA doesn't like static PAT, only dynamic NAT.

ASA Version 8.2(1)
!
hostname fw-s-7-e
domain-name default.domain.invalid

names

!
interface GigabitEthernet0/0
description outside_to_Internet
nameif Internet
security-level 10
ip address 12.xx.xx.131 255.255.255.248
!
interface GigabitEthernet0/1
description Project network of LosAltos
nameif project_LosAltos
security-level 70
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1.1210
description Project network 1
vlan 1210
nameif net-12.xx.xx.136-29
security-level 80
ip address 12.xx.xx.137 255.255.255.248
!
interface GigabitEthernet0/1.1220
description Project network 2
vlan 1220
nameif net-12.xx.xx.144-28
security-level 80
ip address 12.xx.xx.145 255.255.255.240
!
interface GigabitEthernet0/1.1230
description Project network 3
vlan 1230
nameif net-12.xx.xx.160-27
security-level 80
ip address 12.xx.xx.161 255.255.255.224
!
interface GigabitEthernet0/2
description Redundant line to internet
nameif DSL-backup
security-level 10
ip address 66.xx.xx.195 255.255.255.248
!
interface GigabitEthernet0/3
description Internal wireless
shutdown
nameif Wireless_Nat_Failover
security-level 55
ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
description Interface for management
nameif management
security-level 100
ip address 169.254.100.129 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Internet
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object esp
protocol-object ah
object-group network DM_INLINE_NETWORK_1
network-object 212.xxx.xx4.0 255.255.255.0
network-object 212.xxx.xx5.0 255.255.255.0
access-list Internet_1_cryptomap extended permit ip 12.xx.xx.160 255.255.255.224 object-group DM_INLINE_NETWORK_1
access-list Internet_access_in remark Connection to Firewall in Berlin
access-list Internet_access_in extended permit udp host 212.xxx.xxx.17 host 12.xx.xx.131 eq isakmp
access-list Internet_access_in remark Connection to Firewall in Berlin
access-list Internet_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host 212.xxx.xxx.17 host 12.xx.xx.131
access-list Internet_access_in extended permit ip any any
access-list Internet_access_in remark Connection to Firewall in Berlin
access-list Internet_access_in remark Connection to Firewall in Berlin
access-list project_LosAltos_access_in extended permit ip any any
access-list net-12.xx.xx.136-29_access_in extended deny ip any any
access-list net-12.xx.xx.144-28_access_in extended deny ip any any
access-list DSL-2_access_in extended permit ip any any
access-list Wireless_Nat_Failover_access_in remark Wireless for Guests, Nat & Dual ISPs
access-list Wireless_Nat_Failover_access_in extended permit ip any any
access-list DSL-backup_access_in extended deny ip any any
access-list net-12.xx.xx.160-27_access_in extended permit ip any any
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging asdm debugging
logging flash-maximum-allocation 10240

mtu management 1500
ip verify reverse-path interface Internet
ip verify reverse-path interface DSL-backup
no failover
no monitor-interface Internet
no monitor-interface project_LosAltos
no monitor-interface DSL-backup
no monitor-interface Wireless_Nat_Failover
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
global (DSL-backup) 1 interface
nat (project_LosAltos) 1 192.168.1.0 255.255.255.0 dns norandomseq
nat (Wireless_Nat_Failover) 1 192.168.1.0 255.255.255.0 dns norandomseq
access-group Internet_access_in in interface Internet
access-group project_LosAltos_access_in in interface project_LosAltos
access-group net-12.xx.xx.136-29_access_in in interface net-12.xx.xx.136-29
access-group net-12.xx.xx.144-28_access_in in interface net-12.xx.xx.144-28
access-group net-12.xx.xx.160-27_access_in in interface net-12.xx.xx.160-27 control-plane
access-group DSL-backup_access_in in interface DSL-backup
access-group Wireless_Nat_Failover_access_in in interface Wireless_Nat_Failover
route Internet 0.0.0.0 0.0.0.0 12.xx.xx.129 1 track 1
route DSL-backup 0.0.0.0 0.0.0.0 66.xx.xx.193 254
route Internet 12.127.17.71 255.255.255.255 12.xx.xx.129 1
route Internet 66.134.78.140 255.255.255.255 12.xx.xx.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable

sysopt connection tcpmss 0
sysopt noproxyarp Internet
sysopt noproxyarp project_LosAltos
sysopt noproxyarp net-12.xx.xx.136-29
sysopt noproxyarp net-12.xx.xx.144-28
sysopt noproxyarp net-12.xx.xx.160-27
sysopt noproxyarp DSL-backup
sysopt noproxyarp Wireless_Nat_Failover
sysopt noproxyarp management
sla monitor 123
type echo protocol ipIcmpEcho 12.127.17.71 interface Internet
sla monitor schedule 123 life forever start-time now
service resetinbound interface Internet

service resetoutside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 128
crypto map Internet_map 1 match address Internet_1_cryptomap
crypto map Internet_map 1 set pfs group5
crypto map Internet_map 1 set peer 212.xx.xx.17
crypto map Internet_map 1 set transform-set ESP-AES-256-SHA
crypto map Internet_map 1 set security-association lifetime seconds 1800
crypto map Internet_map 1 set security-association lifetime kilobytes 4608000
crypto map Internet_map 1 set nat-t-disable
crypto map Internet_map interface Internet
crypto isakmp identity address
crypto isakmp enable Internet
crypto isakmp enable net-12.xx.xx.160-27
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
no crypto isakmp nat-traversal
crypto isakmp am-disable
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 169.254.100.133 255.255.255.255 management
ssh 169.254.100.132 255.255.255.255 management
ssh timeout 5
ssh version 2
console timeout 0
management-access management
dhcpd dns 12.127.17.71 67.100.88.27
!
dhcpd dns 12.127.17.71 12.127.17.72 interface Internet
!
dhcpd address 192.168.1.100-192.168.1.120 project_LosAltos
dhcpd dns 12.127.17.71 67.100.88.27 interface project_LosAltos
dhcpd enable project_LosAltos
!
dhcpd address 12.xx.xx.162-12.xx.xx.169 net-12.xx.xx.160-27
dhcpd dns 12.127.17.71 12.127.17.72 interface net-12.xx.xx.160-27
dhcpd enable net-12.xx.xx.160-27
!
dhcpd dns 64.105.172.27 67.100.88.27 interface DSL-backup
!
dhcpd dns 12.127.17.71 67.100.88.27 interface Wireless_Nat_Failover
!
dhcpd address 169.254.100.132-169.254.100.133 management
dhcpd lease 1800 interface management
dhcpd enable management
!

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 198.123.30.132 source Internet prefer
ssl encryption des-sha1
webvpn
tunnel-group 212.xx.xx.17 type ipsec-l2l
tunnel-group 212.xx.xx.17 ipsec-attributes
pre-shared-key *
!
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2dc5a6ae5a4763689b14b8d366fb14fe
: end

Jon Marshall Sun, 11/29/2009 - 16:13

Tsystemsusa wrote:

I only have a few public IP addresses. So I want to use PAT (interface), but the ASA doesn't like static PAT, only dynamic NAT.


Yes, but without statics you cannot go from a lower to a higher security interface unless you disable NAT altogether. So dynamic NAT is good for inside clients going out, but dynamic NAT is no good for connections initiated from outside to inside.

Not sure what you mean by "ASA doesn't like static PAT", e.g.

static (inside,outside) tcp

should work fine.

Jon

Tsystemsusa Tue, 12/01/2009 - 15:27

Thanks for your advice,

I added a static NAT: static (public, private) privateip publicip netmask 255.255.255.224

I can access the private VLAN from the public IP address VLAN, but I cannot access the public VLAN from the private VLAN.

If I only add a nat 0 publicip privateip, I can access the private VLAN from the public VLAN, but cannot access the public VLAN from the private VLAN either.
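As an added example (not from this thread or the poster's config), here are the ASA 8.2-style NAT fragments that fit the posted configuration and Jon's explanation above: a NAT exemption so hosts on project_LosAltos can reach the public VLAN on net-12.xx.xx.160-27, and the static/static PAT form for exposing one private host. Interface names, security levels and the masked 12.xx.xx prefix are taken from the posted config; the host addresses 192.168.1.50, 12.xx.xx.134 and 12.xx.xx.162, and the assumptions that nat-control is at its default (off) and that the missing global on the public VLAN interface is what blocks the private-to-public direction, are mine.

```text
! Added example, not the poster's running-config. Host addresses are made up.
!
! Why private -> public usually fails on 8.2 with this config: once
! "nat (project_LosAltos) 1 192.168.1.0 ..." matches a 192.168.1.x source, that
! source must be translated on every egress interface, and there is no
! "global (net-12.xx.xx.160-27) 1 ...", so the flow is dropped with
! "no translation group found". A NAT exemption removes that requirement for
! traffic between the two VLANs only, and it works in both directions.
access-list project_LosAltos_nat0 extended permit ip 192.168.1.0 255.255.255.0 12.xx.xx.160 255.255.255.224
nat (project_LosAltos) 0 access-list project_LosAltos_nat0
!
! Public -> private: net-12.xx.xx.160-27 (security 80) is higher than
! project_LosAltos (70), so no translation is needed while nat-control is off
! (the default). Note that the posted
! "access-group ... in interface net-12.xx.xx.160-27 control-plane" filters
! only traffic addressed to the ASA itself; through traffic on that interface
! currently has no ACL applied at all.
!
! If one private host must be reachable from the Internet on a public address,
! this is the static form Jon refers to. Argument order is
! static (real_ifc,mapped_ifc) mapped_ip real_ip: the private interface first,
! then the public address the host appears as, then its real private address.
static (project_LosAltos,Internet) 12.xx.xx.134 192.168.1.50 netmask 255.255.255.255
!
! With only a few public addresses, static PAT shares the outside interface
! address and maps a single port instead of a whole host:
static (project_LosAltos,Internet) tcp interface 443 192.168.1.50 443 netmask 255.255.255.255
!
! Check each direction from the CLI before and after the change; packet-tracer
! reports the NAT phase and the reason for any drop.
packet-tracer input project_LosAltos tcp 192.168.1.50 1025 12.xx.xx.162 80
packet-tracer input net-12.xx.xx.160-27 tcp 12.xx.xx.162 1025 192.168.1.50 22
show xlate
```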
