ASA 5520 Config same-security-level Problem

Unanswered Question
Sep 21st, 2010

Hi All

I thought that putting an IP address on the outside interface, the inside secure interfaces, a default route to the outside interface and a couple of NAT statements was all that was needed to get an ASA 5520 working. And that was basically all that was asked.
Like a lot of other stuff that I'm sure you've seen before, more and more requests were added to the original remit, to which I thought, OK, I know my way round this to a certain degree and I'm sure that I'll work out something or find a way round it using all the available stuff from Cisco and the web. (I've got a CCNP Switch exam under my belt, working on the rest, and CCNA Security and Wireless and Field Engineer qualifications, so to a degree consider myself quite knowledgeable. So I thought.)
Anyway, the more I tried to fix the problem the worse it became. I'm not convinced that it's too complicated, but the solution is still eluding me.
What I tried to configure was a system with two separate inside networks for Data and Voice protected by an ASA 5520, which acts as a router and sole access to the outside world for both of these inside networks, but also as a device that would point to other connected legacy networks attached to a Nortel switch located somewhere deep in the system, which are earmarked for migration to the ASA 5520 once the Nortel switch has been decommissioned, and some deny statements for email SMTP port 25.
After setting up and proving internet access for both inside networks G0/1 and G0/2, it was discovered that a ping could not get through from either inside network to the other, and likewise to the outside G0/0 interface, although internet access was still available. I put an icmp inspect command into the global policy but this didn't work, so I did a kind of static NAT/IP route fudge that seemed to sort the ping problem out. However, when adding commands for VPN tunnels I lost the ping functionality.
This is where, after trying to work out a solution for over an hour, I started grasping at straws, which may explain some commands in my config that don't make any sense. I just couldn't see where I had gone wrong.
Anyway, the customer is content enough with firewall-protected internet access, but it's not sitting well with me professionally that I've not provided them with all that they asked for.
My config as it now stands probably has a few commands that shouldn't be there and undoubtedly some that should, but I fear I'm now a bit out of my depth.
Ignoring the routes to the other networks via the Nortel switch, what I ultimately need, and I know this is asking a lot, is for someone to take my configuration, correct it and let me see where I've gone wrong. Many thanks


ASA Version 8.2(1)
hostname ISC-EDI-ASWFW
enable password DVYtjzRh.k2l3Eyj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address XX.XX.XX.154
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside1
 security-level 100
 ip address
interface GigabitEthernet0/2
 speed 100
 duplex full
 nameif inside2
 security-level 100
 ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
ftp mode passive
dns domain-lookup inside1
dns domain-lookup inside2
dns domain-lookup outside
dns server-group DefaultDNS
 name-server XX.XX.XX.6
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list VPN-NONAT extended permit ip
access-list VPN-NONAT extended permit ip
access-list VPN-NONAT extended permit ip
access-list VPN-NONAT extended permit ip
access-list EDI-BRUSS extended permit ip
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging monitor notifications
logging trap errors
logging asdm informational
logging host inside1
mtu management 1500
mtu inside1 1500
mtu inside2 1500
mtu outside 1500
ip local pool VPN-POOL mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit inside1
icmp permit inside2
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list VPN-NONAT
nat (inside1) 1
nat (inside2) 0 access-list VPN-NONAT
nat (inside2) 1
route outside XX.XX.XX.153 1
route inside1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACCESS-SRVR protocol radius
aaa-server ACCESS-SRVR (inside1) host
 key Fountain42!
aaa authentication serial console ACCESS-SRVR LOCAL
aaa authentication ssh console ACCESS-SRVR LOCAL
aaa authentication enable console ACCESS-SRVR LOCAL
http server enable
http management
http inside1
http inside2
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN-TRSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map EDI-BRUSS 10 match address EDI-BRUSS
crypto map EDI-BRUSS 10 set pfs
crypto map EDI-BRUSS 10 set peer XX.XX.XX.18
crypto map EDI-BRUSS 10 set transform-set VPN-TRSET
crypto map EDI-BRUSS 10 set security-association lifetime seconds 25200
crypto map EDI-BRUSS interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 25200
telnet timeout 5
ssh inside1
ssh inside2
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server source outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy ANYCONNECT-POLICY internal
group-policy ANYCONNECT-POLICY attributes
 dns-server value
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc keep-installer installed
  svc ask enable default svc timeout 20
username admin password we1JsUwd6pW4pQ2W encrypted
username dancoop password NFAr6PJhZEifx4Wo encrypted
username dancoop attributes
 service-type remote-access
tunnel-group telecommuters type remote-access
tunnel-group TELECOMMUTERS type remote-access
tunnel-group TELECOMMUTERS general-attributes
 address-pool VPN-POOL
 default-group-policy ANYCONNECT-POLICY
tunnel-group TELECOMMUTERS webvpn-attributes
 group-alias sslgroup-users enable
tunnel-group XX.XX.XX.18 type ipsec-l2l
tunnel-group XX.XX.XX.18 ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
service-policy global_policy global
prompt hostname context
: end

wayneshum80 Fri, 11/26/2010 - 11:55

Once the ASA has dynamic NAT enabled to an outside interface, routing between same-security-level interfaces will not work.

You need to add a route exempt for the inside interfaces to all private subnets.
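The exemption the reply above refers to, and the inside1-to-inside2 ping failure described in the original post, written out as an added example; this is editor's illustration, not configuration from either poster. The behaviour it works around is specific to ASA 8.2 NAT: a packet from inside1 matches `nat (inside1) 1`, the ASA then looks for a `global (inside2) 1` on the egress interface, finds none, and drops the packet with syslog %ASA-3-305005 "No translation group found", even with `same-security-traffic permit inter-interface` set. Each interface takes exactly one `nat <if> 0 access-list`, so the inter-inside entries go into the same ACL that already carries the VPN exemptions. All addresses (10.1.0.0/24 data, 10.2.0.0/24 voice, 10.3.0.0/24 VPN pool, 192.168.50.0/24 behind the XX.XX.XX.18 peer) are assumed, because the posted config has them blanked out.

```cisco
! Added example, not the original poster's configuration.
! Assumed addressing (the posted config has its addresses blanked out):
!   inside1 (data)   10.1.0.0/24
!   inside2 (voice)  10.2.0.0/24
!   VPN-POOL         10.3.0.0/24
!   EDI-BRUSS remote 192.168.50.0/24, reached via peer XX.XX.XX.18
!
! Broken state: "nat (inside1) 1 0 0" + "global (outside) 1 interface" only.
! inside1 -> inside2 matches NAT ID 1, no global exists on inside2, packet is
! dropped (%ASA-3-305005 No translation group found).
!
! Fix: keep the inter-inside and VPN-bound traffic untranslated. One nat 0 ACL
! per interface, so every exemption for that interface lives in VPN-NONAT.
access-list VPN-NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN-NONAT extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN-NONAT extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list VPN-NONAT extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list VPN-NONAT extended permit ip 10.1.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list VPN-NONAT extended permit ip 10.2.0.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! nat 0 is evaluated before the numbered NAT IDs; unmatched traffic still PATs
! to the outside interface address as before.
nat (inside1) 0 access-list VPN-NONAT
nat (inside2) 0 access-list VPN-NONAT
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside2) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! The same subnet pairs must be in the L2L crypto ACL, or the tunnel never
! carries voice-network traffic.
access-list EDI-BRUSS extended permit ip 10.1.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list EDI-BRUSS extended permit ip 10.2.0.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! "inspect icmp" is already in global_policy, which is what lets echo replies
! back through the stateful check. Verify the data path without touching a host:
packet-tracer input inside1 icmp 10.1.0.10 8 0 10.2.0.10
!   the NAT phase should cite "nat (inside1) 0 access-list VPN-NONAT" and the
!   final Result should be ALLOW with output-interface inside2
packet-tracer input inside1 tcp 10.1.0.10 1025 XX.XX.XX.200 80
!   should show a dynamic PAT xlate to the outside interface address
show xlate
show nat
```

Two checks worth doing alongside this. First, a ping to the outside interface address from inside1 fails by design: the ASA answers ICMP to an interface address only from the side that interface faces, so test reachability through the firewall (a host beyond it), not to its far-side address. Second, 305005 is severity 3; the posted config has `logging trap errors`, so the drop reaches the syslog host, but nothing is buffered locally without a `logging buffered errors` line. Separately, the posted config carries a RADIUS shared key (`key Fountain42!`) in the clear on a public forum; that key should be treated as disclosed and changed on both the ASA and the RADIUS server.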

pgatt62polly66 Tue, 11/30/2010 - 04:59

Thanks for that Wayne, I'll check that out in the lab and look up route exempt commands.

I don't get much hands-on time with ASAs, cheers.
