ASA: Traffic between inside interfaces.

Answered Question
Jul 8th, 2010

Hi all!

I am having a NAT/ACL problem in my home network after I’ve migrated from Zyxel to Cisco.

I used to have a Zywall5 with LAN and DMZ network. The LAN was for my own units and the DMZ was for visitors in my home. On my LAN I had a printserver which DMZ users needed access to sometimes. I just made a firewall rule allowing TCP/515 from DMZ to LAN on the Zywall5 – working fine.

Now I am trying to do the same with my Cisco ASA – and OMG – this is not easy. I have to allow traffic from a VLAN with security level 50 to a VLAN with security level 100 – but only to the printserver.

I am not a CLI expert, so I have been working on this problem in ASDM. I tried many different things suggested by Cisco support documents without any luck. It doesn't make it easier with Cisco's new NAT concept, as I am on firmware 8.3(1) on my 5505.

I worked a little with ASAs some time ago and I recall NAT exempt, but this doesn't exist anymore. As I see it, Cisco suggests you make two static NAT rules to do this, and some ACL magic, and this is where I am stuck now.

It should be very simple – I just need traffic (all or just tcp/515) from my 10.20.33.0/24 network to one host (printserver 10.20.30.3) on my 10.20.30.0/24 network.

I have attached a simple network diagram and my running-config from the ASA.

Hope someone can guide me a little.

Thanks in advance.

/Ulrik


** running-config **


: Saved
:
ASA Version 8.3(1)
!
hostname asa5505
domain-name cisco.com
enable password xxxxxxx encrypted
passwd xxxxxx encrypted
names
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan30
nameif inside.30.LAN
security-level 100
ip address 10.20.30.1 255.255.255.0
!
interface Vlan31
nameif inside.31.DMZ
security-level 30
ip address 10.20.31.1 255.255.255.0
!
interface Vlan32
nameif inside.32.PIR
security-level 50
ip address 10.20.32.1 255.255.255.0
!
interface Vlan33
nameif inside.33.LAN2
security-level 50
ip address 10.20.33.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 30
!
interface Ethernet0/2
switchport access vlan 30
!
interface Ethernet0/3
switchport access vlan 30
!
interface Ethernet0/4
switchport access vlan 30
switchport trunk allowed vlan 30-33
switchport trunk native vlan 30
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 30
switchport trunk allowed vlan 30-33
switchport trunk native vlan 30
switchport mode trunk
!
interface Ethernet0/6
switchport access vlan 30
!
interface Ethernet0/7
switchport access vlan 30
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name thorup.dk
object network obj-10.20.30.0
subnet 10.20.30.0 255.255.255.0
object network obj-10.20.31.0
subnet 10.20.31.0 255.255.255.0
object network obj-10.20.32.0
subnet 10.20.32.0 255.255.255.0
object network obj-10.20.33.0
subnet 10.20.33.0 255.255.255.0
object network obj-10.20.32.30
host 10.20.32.30
access-list outside_access_in remark share
access-list outside_access_in extended permit tcp any object obj-10.20.32.30 eq 56000
pager lines 24
logging enable
logging trap notifications
logging asdm notifications
logging host inside.30.LAN 10.20.30.11
mtu outside 1500
mtu inside.30.LAN 1500
mtu inside.31.DMZ 1500
mtu inside.32.PIR 1500
mtu inside.33.LAN2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
!
object network obj-10.20.30.0
nat (inside.30.LAN,outside) dynamic interface
object network obj-10.20.31.0
nat (inside.31.DMZ,outside) dynamic interface
object network obj-10.20.32.0
nat (inside.32.PIR,outside) dynamic interface
object network obj-10.20.33.0
nat (inside.33.LAN2,outside) dynamic interface
object network obj-10.20.32.30
nat (inside.32.PIR,outside) static interface service tcp 56000 56000
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.20.30.0 255.255.255.0 inside.30.LAN
http 10.20.32.30 255.255.255.255 inside.32.PIR
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.20.30.0 255.255.255.0 inside.30.LAN
ssh timeout 10
console timeout 0
dhcpd address 10.20.30.30-10.20.30.100 inside.30.LAN
dhcpd auto_config outside interface inside.30.LAN
dhcpd enable inside.30.LAN
!
dhcpd address 10.20.31.30-10.20.31.100 inside.31.DMZ
dhcpd auto_config outside interface inside.31.DMZ
dhcpd enable inside.31.DMZ
!
dhcpd address 10.20.32.30-10.20.32.30 inside.32.PIR
dhcpd dns 208.67.222.222 208.67.220.220 interface inside.32.PIR
dhcpd enable inside.32.PIR
!
dhcpd address 10.20.33.30-10.20.33.100 inside.33.LAN2
dhcpd auto_config outside interface inside.33.LAN2
dhcpd enable inside.33.LAN2
!


threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.20.30.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.20.32.0 255.255.255.0
threat-detection scanning-threat shun duration 300
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 195.234.155.123 source outside
ntp server 78.109.215.91 source outside
ntp server 77.233.251.106 source outside
webvpn
username ulrik password LlM1zI1mbsdx0S1t encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:9ab4e2078ada23e631e450690f31c5e9
: end



Correct Answer
Nagaraja Thanthry (Cisco Employee) Thu, 07/08/2010 - 05:54

Hello,


Please try pasting the following configuration into the command line (if you are using ASDM, you can go to Tools --> Command Line Interface --> Multiple Line).


object network obj-10.20.30.3
host 10.20.30.3
nat (inside.30.LAN,inside.33.LAN2) static 10.20.30.3


access-list inside_33_LAN2 permit tcp any host 10.20.30.3 eq 515
access-list inside_33_LAN2 deny ip any 10.20.30.0 255.255.255.0
access-list inside_33_LAN2 permit ip any any


access-group inside_33_LAN2 in interface inside.33.LAN2


Hope this helps.


Regards,


NT
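
The security-level model that makes this awkward on the ASA, and the first-match ACL from the answer above, modelled in Python as an added example. This is not Cisco code and not part of the original thread; it was written for this page. The interface names, security levels, subnets, the absence of same-security-traffic permit inter-interface, the print server 10.20.30.3 and the syslog host 10.20.30.11 are taken from the posted running-config and answer; the LAN2 client 10.20.33.50, the Internet host 198.51.100.7 and all function names are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface security levels and subnets copied from the posted running-config.
SECURITY_LEVEL = {"outside": 0, "inside.30.LAN": 100, "inside.31.DMZ": 30,
                  "inside.32.PIR": 50, "inside.33.LAN2": 50}
SUBNETS = {
    "inside.30.LAN": ipaddress.ip_network("10.20.30.0/24"),
    "inside.31.DMZ": ipaddress.ip_network("10.20.31.0/24"),
    "inside.32.PIR": ipaddress.ip_network("10.20.32.0/24"),
    "inside.33.LAN2": ipaddress.ip_network("10.20.33.0/24"),
}
# The posted config has no 'same-security-traffic permit inter-interface' line.
SAME_SECURITY_INTER_INTERFACE = False


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" | "tcp" | "udp" | "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None = any destination port


def _addr(toks, i):
    """Parse one ASA address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M'."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2


def parse_acl(lines):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]' lines, in order."""
    acl = []
    for line in lines:
        toks = line.split()
        if toks[2] == "remark":
            continue
        if toks[2] == "extended":
            del toks[2]
        src, i = _addr(toks, 4)
        dst, i = _addr(toks, i)
        dport = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
        acl.append(Ace(toks[2], toks[3], src, dst, dport))
    return acl


def interface_for(ip):
    """Interface a host sits behind; anything else leaves via the default route on outside."""
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return "outside"


def decide(proto, src, dst, dport, inbound_acls):
    """Admission decision for a new inter-interface connection:
    same-level interfaces need same-security-traffic permit inter-interface;
    otherwise the inbound ACL on the ingress interface decides (first match wins,
    implicit deny at the end), and with no ACL the security-level default applies
    (higher to lower allowed, lower to higher dropped)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = interface_for(src), interface_for(dst)
    if (ingress != egress and SECURITY_LEVEL[ingress] == SECURITY_LEVEL[egress]
            and not SAME_SECURITY_INTER_INTERFACE):
        return "deny"
    acl = inbound_acls.get(ingress)
    if acl is None:
        return "permit" if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress] else "deny"
    for ace in acl:
        if (ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst
                and (ace.dport is None or ace.dport == dport)):
            return ace.action
    return "deny"


# The three ACEs from the accepted answer, in the order they were posted.
ANSWER_ACL = parse_acl([
    "access-list inside_33_LAN2 permit tcp any host 10.20.30.3 eq 515",
    "access-list inside_33_LAN2 deny ip any 10.20.30.0 255.255.255.0",
    "access-list inside_33_LAN2 permit ip any any",
])
# The same ACEs with the catch-all first: a common ordering mistake.
MISORDERED_ACL = [ANSWER_ACL[2], ANSWER_ACL[0], ANSWER_ACL[1]]


def before_fix(proto, src, dst, dport):
    """No ACL applied to inside.33.LAN2 (the state the question starts from)."""
    return decide(proto, src, dst, dport, {})


def after_fix(proto, src, dst, dport):
    """The answer's ACL bound inbound on inside.33.LAN2."""
    return decide(proto, src, dst, dport, {"inside.33.LAN2": ANSWER_ACL})


def misordered(proto, src, dst, dport):
    return decide(proto, src, dst, dport, {"inside.33.LAN2": MISORDERED_ACL})


if __name__ == "__main__":
    # Constructed flows: 10.20.30.3 and 10.20.30.11 are from the config,
    # 10.20.33.50 (a LAN2 client) and 198.51.100.7 (an Internet host) are assumed.
    for flow in [("tcp", "10.20.33.50", "10.20.30.3", 515),
                 ("tcp", "10.20.33.50", "10.20.30.11", 22),
                 ("tcp", "10.20.33.50", "198.51.100.7", 443),
                 ("tcp", "10.20.30.5", "10.20.33.50", 22)]:
        print(flow, before_fix(*flow), after_fix(*flow), misordered(*flow))
```

Running it shows the three points the thread turns on. With no ACL on inside.33.LAN2, a level 50 to level 100 connection is dropped while the reverse direction is allowed. With the answer's ACL applied, only tcp/515 to 10.20.30.3 reaches the LAN, and the closing permit ip any any is what keeps Internet and DMZ access working, because an applied inbound ACL replaces the implicit permit towards lower-security interfaces. Putting that permit ip any any first instead exposes the whole 10.20.30.0/24. Traffic between the two level-50 VLANs stays blocked either way, since the config has no same-security-traffic permit inter-interface. On the box itself the equivalent checks are packet-tracer input inside.33.LAN2 tcp 10.20.33.50 40000 10.20.30.3 515 and show access-list inside_33_LAN2 for per-ACE hit counts. NAT does not enter into the model: in 8.3 the posted object NAT rules are all bound to the outside interface pair, so LAN2 to LAN traffic is not translated anyway, and the identity static in the answer only makes that explicit for the print server.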

Ulrik Thorup Thu, 07/08/2010 - 06:09

Hi Nagaraja.


Thank you!! You just made my day. It works perfectly!


/Ulrik
