ASA intra-interface communication

Answered Question
Aug 12th, 2010
User Badges:

I have three interfaces configured: outside, inside and dhcp. The IP for the inside is 10.10.220.101 and dhcp is 10.10.230.1. I have same-security-traffic permit intra-interface configured but am still not able to communicate between interfaces. The error I receive from packet-tracer is (acl-drop) flow is denied by configured rule.


Collin Clark Thu, 08/12/2010 - 08:47
User Badges:
  • Purple, 4500 points or more

The flow drop usually means a NAT is missing. You need NAT when you go from a lower security interface to a higher one. The same-security-traffic permit intra-interface command is used when two interfaces have the same security level. Here's a helpful link.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml#Same


Hope it helps

Jitendriya Athavale Thu, 08/12/2010 - 10:21
User Badges:
  • Cisco Employee,

You will need same-security-traffic permit inter-interface.

Intra-interface is used when the traffic is entering and exiting from the same interface.

Here you have 2 different interfaces, so you will need inter-interface, which means traffic between the same security level but on different interfaces.

Also, what code are you running? And lastly, paste the output of packet-tracer if it still doesn't work.

stephilewis Thu, 08/12/2010 - 11:05
User Badges:

Yes, you are correct. I did change from intra to inter; I'm using 7.2.

stephilewis Thu, 08/12/2010 - 11:29
User Badges:


edge# packet-tracer input inside icmp 10.10.220.101 8 0 10.10.230.101 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x37f0288, priority=1, domain=permit, deny=false
        hits=2085041387, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.230.101   255.255.255.255 identity

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3802b20, priority=500, domain=permit, deny=true
        hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.220.101, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Collin Clark Thu, 08/12/2010 - 11:34
User Badges:
  • Purple, 4500 points or more

Can you post the ACL and the access group?

stephilewis Thu, 08/12/2010 - 11:58
User Badges:



Here's my running config:



edge(config-if)# show run
: Saved
:
ASA Version 7.2(3)
!
hostname edge
domain-name xxxxxx
enable password sh3Lt8bNBi5BmLfG encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.220.101 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.240
 ospf cost 10
!
interface Vlan4
 nameif LANDHCP
 security-level 100
 ip address 10.10.230.1 255.255.255.0
!
interface Vlan22
 description LAN Failover Interface
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 4
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name benetech.org
same-security-traffic permit inter-interface
access-list outside_access_in extended permit tcp any host xx.xx.xx.xx
access-list outside_access_in extended permit tcp any host xx.xx.xx.xx
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any interface outside eq smtp log debugging
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq pptp log warnings
access-list outside_access_in extended permit tcp any interface outside eq 99
access-list outside_access_in extended permit tcp any interface outside eq 722 log
access-list outside_access_in extended permit tcp any interface outside eq 822 log
access-list outside_access_in extended permit tcp any interface outside eq 922 log
access-list outside_access_in extended permit tcp any interface outside eq www inactive
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq ftp-data
access-list outside_access_in extended permit tcp any interface outside eq 622
access-list outside_access_in extended permit icmp any interface outside
access-list LAN_access_in extended permit ip any any
access-list inside_access_out extended deny tcp 10.10.220.128 255.255.255.128 any eq smtp log warnings
access-list inside_access_out extended deny udp any eq 4000 any log warnings
access-list inside_access_out extended permit ip any any
access-list WLAN extended permit ip any any
access-list WLAN_access_in extended permit ip any any
access-list WLAN_access_in extended permit udp any any
pager lines 24
logging enable
logging emblem
logging asdm-buffer-size 512
logging buffered informational
logging trap informational
logging asdm informational
logging mail informational
logging from-address [email protected]
logging recipient-address xxxx level errors
logging recipient-address xxxx level errors
logging recipient-address xxxx level errors
logging host inside 10.10.220.69 17/1470 format emblem
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu LANDHCP 1500
no failover
failover lan unit primary
failover lan interface BFailover Vlan22
failover key *****
failover interface ip BFailover 172.1.1.1 255.255.255.0 standby 172.1.1.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 822 10.10.220.21 822 netmask 255.255.255.255
static (inside,outside) tcp interface 722 10.10.220.18 722 netmask 255.255.255.255
static (inside,outside) tcp interface 922 10.10.220.29 922 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.10.220.19 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.xx ftp-data 10.10.220.67 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.10.220.67 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 622 10.10.220.21 622 netmask 255.255.255.255
static (inside,outside) tcp interface 99 10.10.220.24 99 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.10.220.4 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.10.220.23 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.10.220.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint newbroot
 crl configure
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 10.10.220.23
dhcpd domain benetech.local
dhcpd auto_config outside
dhcpd option 3 ip 172.16.30.100
!

!
class-map inspection_default
 match default-inspection-traffic
class-map pptp-port
 match port tcp eq pptp
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect dns benetech_dns_map
 description Remove 512 byte size restriction
 parameters
  message-length maximum 1024
  no protocol-enforcement
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
policy-map pptp_policy
 class pptp-port
  inspect pptp
!
service-policy global_policy global
service-policy pptp_policy interface outside
ntp server xx.xx.xx.xx source outside
ntp server xx.xx.xx.xx source outside
tftp-server inside 10.10.220.69 asa-5505-primary.conf
webvpn
 csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
 csd enable
username scott password rj0sFMSN.wCXUz0C encrypted privilege 15
username ryan password esjVcPBkxKv5/kd4 encrypted privilege 15
smtp-server 10.10.220.50 10.10.220.12
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:08ce842567f3902a3dd22fe93b0ddc0d
: end
edge(config-if)#

Collin Clark Thu, 08/12/2010 - 14:13
User Badges:
  • Purple, 4500 points or more

Can you create an ACL with permit ip any any and apply it to the dhcp interface? I don't remember if an ACL is needed between same security interfaces. This will just be a quick test.


access-list dhcp_access extended permit ip any any

access-group dhcp_access in interface LANDHCP

Collin Clark Thu, 08/12/2010 - 14:28
User Badges:
  • Purple, 4500 points or more

You can name the access list anything you like, I just named it dhcp_access.

stephilewis Thu, 08/12/2010 - 14:32
User Badges:

OK, I completed the task. I am permitting all IP traffic both ways, without success. Oddly enough, from the workstation I cannot ping the gateway, which is the LANDHCP interface. From the console I can ping the LANDHCP but not past this.

Collin Clark Thu, 08/12/2010 - 14:34
User Badges:
  • Purple, 4500 points or more

Can you run the packet trace with the ACL applied and post the results?

stephilewis Thu, 08/12/2010 - 14:46
User Badges:

I am heading out for the day but will run one tomorrow and post.


Thank you,

stephilewis Fri, 08/13/2010 - 11:06
User Badges:


edge(config)# packet-tracer input inside icmp 10.10.220.101 8 0 10.10.200.105 $


Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow


Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.200.0     255.255.255.0   LANDHCP


Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3802b20, priority=500, domain=permit, deny=true
        hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.220.101, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0


Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: LANDHCP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


edge(config)#




edge(config)# packet-tracer input inside icmp 10.10.220.101 8 0 10.10.200.1 de$


Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow


Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.200.1     255.255.255.255 identity


Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3802b20, priority=500, domain=permit, deny=true
        hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.220.101, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0


Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule



edge(config)# packet-tracer input inside icmp 10.10.200.1 8 0 10.10.200.105 de$


Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow


Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.200.0     255.255.255.0   LANDHCP


Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x4273218, priority=2, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0


Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x37f35b0, priority=0, domain=permit-ip-option, deny=true
        hits=37898762, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0


Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x37f5180, priority=66, domain=inspect-icmp-error, deny=false
        hits=196678, user_data=0x37f50b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0


Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any LANDHCP any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x42cb620, priority=1, domain=nat, deny=false
        hits=0, user_data=0x426a0e8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0


Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: LANDHCP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
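
Reading which phase actually dropped the packet is the lesson of the traces above: the summary line says (acl-drop) every time, but in the last trace the DROP sits in the NAT phase with "No matching global". The following Python is an added example, not from the thread; it parses packet-tracer output into phases and returns the first one that dropped. The sample trace is constructed to mirror the last trace above, with the passing phases trimmed and the NAT phase renumbered.

```python
"""Parse ASA packet-tracer output and report the phase that dropped the packet.
Added example; SAMPLE_TRACE is constructed from the trace in the post above."""

SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any LANDHCP any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
output-interface: LANDHCP
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(output):
    """Return (phases, summary): one dict per phase (type, result, config and
    additional-information lines) and the final 'Result:' block as a dict."""
    phases, summary = [], {}
    cur, section = None, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":          # a bare 'Result:' opens the final summary
            cur, section = None, "summary"
        elif cur is not None:
            if line.startswith("Type:"):
                cur["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                cur["result"] = line.split(":", 1)[1].strip()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section in ("config", "info"):   # 'Subtype:' precedes both, so it is skipped
                cur[section].append(line)
        elif section == "summary" and ":" in line:
            key, val = line.split(":", 1)
            summary[key.strip()] = val.strip()
    return phases, summary


def first_drop(output):
    """Return the first phase whose Result is DROP, or None if the packet passed."""
    phases, _ = parse_packet_tracer(output)
    return next((p for p in phases if p.get("result") == "DROP"), None)


if __name__ == "__main__":
    drop = first_drop(SAMPLE_TRACE)
    print(f"Phase {drop['phase']} {drop['type']} dropped it: {drop['config'][2]}")
```

The summary's generic Drop-reason is the same in all four traces above, so the phase list, not the last line, is what tells you whether an ACL or NAT is missing.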

Correct Answer
Nagaraja Thanthry Fri, 08/13/2010 - 12:08
User Badges:
  • Cisco Employee,

Hello,


You are missing NAT statements between inside and LANDHCP. Please configure identity NAT between the interfaces:

static (inside,LANDHCP) 10.10.220.0 10.10.220.0 netmask 255.255.255.0
static (LANDHCP,inside) 10.10.230.0 10.10.230.0 netmask 255.255.255.0


This should allow communication between the inside and LANDHCP interfaces.


Hope this helps.


Regards,


NT
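
The reason the accepted answer works, as an added Python model that is not from the thread or from Cisco: on this 7.2 config the `nat (inside) 1 0.0.0.0 0.0.0.0` rule matches every inside source, so a flow towards LANDHCP needs either a `global` pool 1 on LANDHCP or a static for that interface pair, and with neither present the lookup ends in the "No matching global" drop that Phase 6 of the last trace reports. The NAT lines below are constructed from the posted running config; `nat 0 access-list` exemption is not modelled.

```python
"""Model of the pre-8.3 ASA NAT lookup that produces 'No matching global'.
Added example, not Cisco's code. Only the ordering that matters here is kept:
a static for the (ingress, egress) pair wins; otherwise a 'nat (if) id' rule
matching the source needs a 'global (egress) id' pool, or the packet is dropped;
a source matching no rule is forwarded untranslated (nat-control is off)."""
import ipaddress

# Constructed from the NAT lines in the running config posted above.
PAGE_NAT = """
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 822 10.10.220.21 822 netmask 255.255.255.255
"""

# The identity statics from the accepted answer.
IDENTITY_FIX = """
static (inside,LANDHCP) 10.10.220.0 10.10.220.0 netmask 255.255.255.0
static (LANDHCP,inside) 10.10.230.0 10.10.230.0 netmask 255.255.255.0
"""


def parse_nat(config):
    """Collect static, nat and global lines; port-forwarding statics are skipped."""
    statics, nats, pools = [], [], {}
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "static" and p[2] not in ("tcp", "udp"):
            real_if, mapped_if = p[1].strip("()").split(",")       # (real,mapped)
            real_net = ipaddress.ip_network(f"{p[3]}/{p[5]}", strict=False)
            statics.append((real_if, mapped_if, real_net, p[2]))   # p[2] = mapped addr
        elif p[0] == "nat" and p[3] != "access-list":
            real_net = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
            nats.append((p[1].strip("()"), int(p[2]), real_net))
        elif p[0] == "global":
            pools.setdefault(int(p[2]), set()).add(p[1].strip("()"))
    return statics, nats, pools


def lookup(config, in_if, out_if, src_ip):
    """Return (kind, detail) for a flow entering in_if and leaving out_if."""
    statics, nats, pools = parse_nat(config)
    src = ipaddress.ip_address(src_ip)
    for real_if, mapped_if, real_net, mapped in statics:
        if (real_if, mapped_if) == (in_if, out_if) and src in real_net:
            kind = "identity" if mapped == str(real_net.network_address) else "static"
            return kind, mapped
    for nat_if, pool_id, real_net in nats:
        if nat_if == in_if and src in real_net:
            if out_if in pools.get(pool_id, ()):
                return "dynamic", f"pool {pool_id} on {out_if}"
            return "drop", f"dynamic translation to pool {pool_id} (No matching global)"
    return "none", "no NAT rule matched; forwarded untranslated"


if __name__ == "__main__":
    for cfg in (PAGE_NAT, PAGE_NAT + IDENTITY_FIX):
        print(lookup(cfg, "inside", "LANDHCP", "10.10.220.101"))
```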

stephilewis Fri, 08/13/2010 - 12:32
User Badges:

I am still getting the following; also, I cannot ping from a node on the 10.10.220.0 network to 10.10.200.1, which is the interface on the ASA.


packet-tracer input inside icmp 10.10.220.101 8 0 10.10.200.1 de$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (LANDHCP,inside) 10.10.200.0 10.10.200.0 netmask 255.255.255.0
  match ip LANDHCP 10.10.200.0 255.255.255.0 inside any
    static translation to 10.10.200.0
    translate_hits = 3, untranslate_hits = 34
Additional Information:
NAT divert to egress interface LANDHCP
Untranslate 10.10.200.0/0 to 10.10.200.0/0 using netmask 255.255.255.0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3802b20, priority=500, domain=permit, deny=true
        hits=10, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.220.101, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: LANDHCP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

edge(config)#

Nagaraja Thanthry Fri, 08/13/2010 - 12:38
User Badges:
  • Cisco Employee,

Hello,


First of all, you cannot ping an interface IP from workstations connected to a different interface. The firewall natively blocks that traffic for security reasons.

I see from your packet tracer that you are trying to ping the 10.10.200.1 IP. I am not seeing that IP in your configuration (maybe I am missing something). Can you please post your current running configuration here?


Regards,


NT

stephilewis Tue, 10/12/2010 - 11:10
User Badges:

There were two issues: I had to add NAT statements, and I was also connecting through the same switch, thus creating a loop.

Added NAT statements and segmented the networks, and all works great!


Thank you to everyone who responded.


Stephen

halooos111 Sat, 10/29/2011 - 00:36
User Badges:

Hello Stephen, how did you solve it? I have the same problem as you had.


Tony
