Ports on ASA

Answered Question
Apr 26th, 2010

We have 4 ports on the ASA 5510.  Port 0 is Outside, Port 1 is inside, Ports 2 and 3 are not in use.

1.  If I configure ports 2 and 3 as Inside interfaces, using the same subnet as port 1 (192.168.100.0), do I connect ports 1, 2, and 3 using crossover cables?  Is there a special configuration that I need to configure so that there is communication between the servers on these ports?


2.  If I configure ports 2 and 3 as Inside interfaces, would you use the same subnet or different subnets from port 1?


3.  What do people normally use ports 2 and 3 for?


Let me know if you want to see the current config or need additional information.  Thanks.

Correct Answer
Jennifer Halim Mon, 04/26/2010 - 20:06
User Badges: Cisco Employee

1) You can't configure ports 2 and 3 to be in the same subnet as port 1 on the ASA 5510. They are not switch ports. All ports on the ASA 5510 are routed ports, so you have to configure different subnets for each port.


2) If you are using ports 2 and 3 as interfaces, they need to be in different subnets from the inside interface.


3) People normally use the other spare ports for a DMZ zone, where your server zone will be separated from the outside and inside networks.


Hope that helps.

laurabolda Mon, 04/26/2010 - 20:44

Halijenn,


Thanks very much for your information and prompt response.  So, ports 2 and 3 need to be on different subnets from port 1.  Is it possible to make the servers on port 1 communicate with servers on port 2?  For example, port 1 has 192.168.100.0 and port 2 has 192.168.101.0.  Thanks.

Correct Answer
Jennifer Halim Mon, 04/26/2010 - 20:49
User Badges: Cisco Employee

Yes you can.


Example:

Inside: 192.168.100.0/24 (security level 100)

DMZ: 192.168.101.0/24 (security level 80)


On the configuration, you would have the following:

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0


You need to add an access-list on the dmz interface if you would like the dmz subnet to communicate with the inside subnets.

laurabolda Fri, 05/07/2010 - 11:01

Halijenn,


I just added port 2 as DMZ.  From the ASA, I am able to ping to the workstation 192.168.102.3.  From the workstation 192.168.102.3, I am able to ping to 192.168.102.250 which is port 2 of the ASA.   I am unable to ping to 192.168.102.3 from 192.168.100.1.  I am unable to ping to 192.168.102.3 when I login to VPN client with techsupport group policy.


Attached is the config file.  Please let me know if you need additional information.


Thanks.

Federico Coto F... Fri, 05/07/2010 - 11:09
User Badges: Green, 3000 points or more

Laura,


To be able to communicate from the inside (192.168.100.1) to the DMZ (192.168.102.3), you require NAT (if you have nat-control enabled), and either an ACL permitting the ICMP replies back or inspection of ICMP.


Add the following command to see if it works:

global (DMZ) 1 interface


To be able to PING the DMZ devices when connected via VPN, you need to add the bypassing rules for NAT (as you have for the inside interface):

nat (Inside) 0 access-list nonat


Federico.

laurabolda Fri, 05/07/2010 - 12:13

Federico,


Thanks for your prompt response and information.  I am still unable to ping from 192.168.100.1 to 192.168.102.3.  I am not able to ping to 192.168.102.3 when I login to Cisco VPN client with the techsupport group policy.  Do you have any other suggestions?


Thanks.


Laura

Federico Coto F... Fri, 05/07/2010 - 12:31
User Badges: Green, 3000 points or more

Communication between the inside and DMZ will not be translated because of this:


access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0

nat (Inside) 0 access-list nonat


The above line will allow communication between those networks without NAT.


Try adding the following:

access-list DMZ permit ip any any

access-group DMZ in interface DMZ


Federico.

laurabolda Fri, 05/07/2010 - 12:46

Thanks for your prompt response and information.  Now, I can't ping the DMZ interface 192.168.102.250 from the ASA.  Do you want me to start configuring the DMZ interface from scratch?  Thanks.

Federico Coto F... Fri, 05/07/2010 - 12:48
User Badges: Green, 3000 points or more

Laura,


You cannot PING the DMZ's IP 192.168.102.250 from the ASA itself?

Yes, go ahead and reconfigure the DMZ interface from scratch and let's take it from there.


Federico.

laurabolda Fri, 05/07/2010 - 12:56

Thanks Federico.  I probably won't be able to reconfigure the DMZ interface today.  Looks like I will have to continue this on the weekend or Monday.  I need to take care of the production problems.  I will let you know the status.


Thanks very much for your help.

Correct Answer
Jennifer Halim Fri, 05/07/2010 - 16:57
User Badges: Cisco Employee

Hi Laura,


1) To ping to 192.168.102.3 from 192.168.100.1, you would need to add the following line:

static (Inside,Dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0


The following line is incorrect, so you might want to remove it:

static (Inside,Dmz) 66.102.7.89 192.168.102.3 netmask 255.255.255.255


2) To ping to 192.168.100.1 from 192.168.102.3, you would need to configure an access-list on the DMZ interface, because traffic from a low security level to a high security level is not permitted by default:

access-list dmz-acl permit icmp any any

access-group dmz-acl in interface Dmz


3) To ping 192.168.102.3 when connected via VPN Client, you would need to configure the following:

access-list dmz-nonat permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0

nat (Dmz) 0 access-list dmz-nonat


I have also had a look at your split tunnel ACL: you are using an extended ACL for the majority of the split tunnel ACL, and it needs to be a standard ACL instead.

For example:

The following extended ACL:

access-list split-acl extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list split-acl extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0


Needs to be changed to standard ACL:

access-list split-acl standard permit 192.168.100.0 255.255.255.0
access-list split-acl standard permit 192.168.102.0 255.255.255.0


The split tunnel ACL "split-acl" is currently applied to the vpn group "techsupport", so after the above changes, you should be able to ping 192.168.102.3 from the "techsupport" vpn group.


Hope that helps.

laurabolda Fri, 05/07/2010 - 19:14

Halijenn,


Thank you very much for taking time to look at the config.  I just fixed some of the production problems.  So, my brain is shut down.  I will go back and look at your suggestions.   I really appreciate you are taking time to help me out. Thanks again.


Laura

laurabolda Sat, 05/08/2010 - 22:48

Halijenn,


I won't be able to test today.  I think I disconnected the cable on port 2 on Friday.  I need to come in the office to check the physical connection.  I have some questions:


1.  You said


"The following line is incorrect, so you might want to remove it:

static (Inside,Dmz) 66.102.7.89 192.168.102.3 netmask 255.255.255.255"


If I want to NAT the private web server IP address 192.168.102.3 to a public IP address, how would you write it?


2.  You recommended changing the Extended Split-ACL to a Standard Split-ACL.  Is it because the Extended ACL is not necessary, or is it incorrect coding?


Again, thank you very much for taking time to look at the config.

Correct Answer
Jennifer Halim Sat, 05/08/2010 - 22:56
User Badges: Cisco Employee

1) The static NAT statement should be as follows:

static (Dmz,outside) 66.102.7.89 192.168.102.3 netmask 255.255.255.255


2) The split tunnel ACL used to be an extended ACL in PIX version 6.3 and below; however, from PIX/ASA version 7.0 and above, you need to use a standard ACL to configure split tunneling. Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1404816


Hope that answers your questions.
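The pieces Jennifer and Federico gave across the thread (routed DMZ port on its own subnet, identity static for inside to DMZ, DMZ interface ACL, static NAT on the (Dmz,outside) pair, NAT exemption for VPN clients, standard split tunnel ACL) fit together as one configuration. The block below is an added example written for this thread, not Laura's attached config or anything posted by the answerers. It uses the pre-8.3 (static/nat/global) syntax the thread uses. The subnets, the public address 66.102.7.89, the interface names Inside/Dmz/outside and the group name techsupport come from the thread; the physical port Ethernet0/2, the security level 50, the VPN pool 192.168.101.0/24, the ACL names, the server's HTTP/HTTPS services and an existing `global (outside) 1 interface` are assumptions. It also tightens two things relative to the thread's troubleshooting lines: the DMZ ACL names exactly what the DMZ may initiate instead of `permit ip any any`, and the outside ACL exposes only the published service.

```cisco
! Added example for this thread (not the poster's config, pre-8.3 NAT syntax).
! Assumptions: Ethernet0/2 is the spare port, security level 50, VPN pool
! 192.168.101.0/24, ACL names below, HTTP/HTTPS on the web server,
! and an existing "global (outside) 1 interface".

! The spare port is a routed port: its own subnet and a security level
! between inside (100) and outside (0).
interface Ethernet0/2
 nameif Dmz
 security-level 50
 ip address 192.168.102.250 255.255.255.0
 no shutdown

! With nat-control on, inside -> DMZ must match a translation. An identity
! static keeps the inside addresses unchanged towards the DMZ.
static (Inside,Dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

! Publish the DMZ web server: real address on the Dmz side, mapped public
! address on the outside side, so the pair is (Dmz,outside), not (Inside,Dmz).
static (Dmz,outside) 66.102.7.89 192.168.102.3 netmask 255.255.255.255

! Outside ACL: only the published services reach the server.
access-list outside-acl extended permit tcp any host 66.102.7.89 eq 80
access-list outside-acl extended permit tcp any host 66.102.7.89 eq 443
access-group outside-acl in interface outside

! DMZ ACL: low -> high is denied by default, so list what the DMZ may start.
! Echo towards inside for troubleshooting, then an explicit deny of the
! inside network ahead of general Internet access, so a compromised DMZ
! host cannot reach inside.
access-list dmz-acl extended permit icmp 192.168.102.0 255.255.255.0 192.168.100.0 255.255.255.0 echo
access-list dmz-acl extended deny ip 192.168.102.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz-acl extended permit ip 192.168.102.0 255.255.255.0 any
access-group dmz-acl in interface Dmz

! Other DMZ hosts reach the Internet through the assumed outside PAT pool.
nat (Dmz) 1 192.168.102.0 255.255.255.0

! Track ICMP statefully so echo replies return without extra ACL entries.
policy-map global_policy
 class inspection_default
  inspect icmp

! VPN clients (assumed pool 192.168.101.0/24) talk to the DMZ without NAT.
access-list dmz-nonat extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (Dmz) 0 access-list dmz-nonat

! Split tunnel on 7.0 and later is a standard ACL of networks to tunnel.
access-list split-acl standard permit 192.168.100.0 255.255.255.0
access-list split-acl standard permit 192.168.102.0 255.255.255.0
group-policy techsupport attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
```

The order of the dmz-acl entries matters: the ACL is evaluated top down and first match wins, so the echo permit and the deny of the inside network must sit before the general permit. `show nat` and `packet-tracer input Dmz icmp 192.168.102.3 8 0 192.168.100.1` are the quickest way to confirm which static, nat 0 exemption and ACL entry a given flow actually hits.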

laurabolda Mon, 05/10/2010 - 07:58

Halijenn,


Thank you very much for your prompt response and information.  Your suggestions work!!!  You are great!!!  Have a nice day.


Laura
