10-29-2010 10:50 AM - edited 03-06-2019 01:47 PM
Hi,
I'm a newbie in networking.
I have an ASA 5505 and I need to make a connection between a LAN 192.168.10.0 and another LAN 192.4.0.0 in both directions.
The two LANs are on the same physical network.
Now from one I can see the other but not in the inverse direction.
I found a lot of documentation solving the problem between two LANs over the internet with different types of VPN.
I found a lot of documentation with LAN, WAN and DMZ.
Nothing about my problem.
Is it possible to do this connection using only 1 router, as in my situation?
If so, how ?
Thanks a lot
Andrea
10-29-2010 01:29 PM
Hi,
You can have the ASA acting as a router in terms of routing between different subnets.
Can you provide a simple drawing of what you're trying to accomplish so we can help you out?
Federico.
10-29-2010 03:33 PM
This is a simple diagram
I need to use from a LAN the server of the other and vice versa. At this moment I can use from every PC in LAN A the machines in LAN B, even if, to do this, I need to use the IP address of the machine in LAN B (this should be a DNS problem). I used the standard ASA configuration of NAT, so there is a dynamic NAT from LAN A to the ASA LAN B interface (192.168.10.1). All machines of LAN A are in LAN B with address 192.168.10.1.
My goal is to simultaneously achieve the opposite, so also using the machines of LAN A from LAN B, and perhaps it would be better to be able to distinguish every single PC connected.
I hope I was clearer.
Andrea
10-29-2010 03:37 PM
Ok.
If you have two interfaces on the 5505 most likely both have a different security level?
If so... remember the rules...
Dynamic NAT --> to allow traffic from a higher security to a lower security
Static NAT & ACL --> to allow traffic from a lower security to a higher security
If you have both interfaces configured with the same security level, you don't need NAT nor ACL (if having nat-control disabled).
Federico.
11-02-2010 08:43 AM
What software lic do you have for your ASA? This can be a problem with the 5505.
You could create 2 VLANs with the same security level and use these commands:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
11-03-2010 02:04 AM
I have license Base on 5505.
But I have only two vlan, so this should not be a problem.
Andrea.
11-03-2010 02:01 AM
So, I put the two interfaces on the same security level (100),
I also put
"same-security-traffic permit inter-interface" and
"same-security-traffic permit intra-interface"
I also ticked the flag "enable traffic through the firewall without address translation" and now I don't have "nat-control" in the config.
In this situation I can no longer see LAN B from LAN A (and obviously vice versa).
So even though I put this configuration, I still need a translation rule to access the resources placed in the two LANs.
Is that correct?
I used NAT rules to put again the dynamic rule from LAN A to the LAN B interface. So, again from LAN A I can see LAN B's resources.
But not vice versa.
Andrea
11-03-2010 07:39 AM
Yes, if nat is enabled on the interfaces you will need to create an ACL denying NAT to the two networks.
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 192.168.x.0 255.255.255.0
Do this with both VLANs to allow traffic both ways.
Look at this link for additional NAT examples: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042392
Hopefully this helps, let me know.
Steve
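Federico's rule (equal security levels need same-security-traffic permit inter-interface) and Steve's point (once dynamic NAT is on, each direction needs its own nat 0 exemption entry) can be checked mechanically against a posted config. This is an added Python example, not code from the thread or from Cisco; it assumes the ASA 8.x syntax shown in the posts and runs over a constructed sample config that reproduces the one-way symptom described here.

```python
from ipaddress import IPv4Network
from itertools import permutations
# Constructed sample shaped like the ASA 8.x configs posted in this thread (not a real device's config):
# equal security levels, a nat 0 exemption for inside->outside only, and dynamic NAT on outside.
SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 100
 ip address 192.4.0.26 255.255.255.0
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.4.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 1 192.4.0.0 255.255.255.0
"""

def parse(cfg):
    """Interfaces (nameif -> security level, subnet), nat 0 ACL per interface, dynamic-NAT interfaces, ACL entries."""
    ifaces, nat0, dyn, acls, cur = {}, {}, set(), {}, {}
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "nameif":                        # nameif opens the interface's settings in ASA output
            ifaces[t[1]] = cur = {}
        elif t[0] == "security-level":
            cur["sec"] = int(t[1])
        elif t[:2] == ["ip", "address"]:
            cur["net"] = IPv4Network((t[2], t[3]), strict=False)
        elif t[0] == "nat" and t[2] == "0":
            nat0[t[1].strip("()")] = t[4]           # NAT exemption ACL bound to this interface
        elif t[0] == "nat":
            dyn.add(t[1].strip("()"))               # dynamic NAT active for hosts behind this interface
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(t[1], []).append((IPv4Network((t[5], t[6])), IPv4Network((t[7], t[8]))))
    return ifaces, nat0, dyn, acls, "same-security-traffic permit inter-interface" in cfg

def check(cfg):
    """Apply the rules given in the thread to each ordered interface pair; an empty list means no gap found."""
    ifaces, nat0, dyn, acls, same_sec = parse(cfg)
    findings = []
    for a, b in permutations(ifaces, 2):
        net_a, net_b = ifaces[a]["net"], ifaces[b]["net"]
        if ifaces[a]["sec"] == ifaces[b]["sec"] and not same_sec:
            findings.append(f"{a}->{b}: equal security levels need 'same-security-traffic permit inter-interface'")
        # Steve's point: once dynamic NAT is on for a, that direction needs its own nat 0 exemption entry
        exempt = any(net_a.subnet_of(s) and net_b.subnet_of(d) for s, d in acls.get(nat0.get(a), []))
        if a in dyn and not exempt:
            findings.append(f"{a}->{b}: dynamic NAT is on but no 'nat ({a}) 0' entry exempts {net_a} -> {net_b}")
    return findings
```

Run against the sample it reports only the outside->inside direction, which is the missing exemption Steve describes; adding the matching outside_nat0_outbound ACL and nat (outside) 0 line clears it.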
11-03-2010 02:00 PM
I didn't solve it.
Maybe it can be useful to help me: see my config.
The two networks, with this configuration, do not see each other.
When I try to use "Packet Tracer" the packet is dropped by the implicit incoming rule (deny ip any to any on inside and on outside).
Andrea
: Saved
:
ASA Version 8.0(3)6
!
hostname ciscoasa
enable password qPLg0LjA.vA0rtYX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.4.0.20 svrdico4v
name 192.168.1.20 svrdico4v_in
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 100
ip address 192.4.0.26 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_nat0_outbound extended permit ip 192.4.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.4.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 0 access-list outside_nat0_outbound
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.4.0.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0ef6a95e47323bc1f60b711f88887646
: end
11-04-2010 06:50 AM
I have an ASA5505 at home, let me set it up this weekend and replicate your network environment. I will post my config sometime Sunday/Monday if I get it working.
Steve
11-06-2010 07:58 PM
I tested this config and it works; modify the IP addresses for your needs:
I had one PC connected to eth 0/0 with the below network config:
IP 172.16.17.2
GW: 172.16.17.254
SM: 255.255.255.0
The other PC connected to eth 0/7 had this network config
IP: 172.16.16.2
GW: 172.16.16.254
SM: 255.255.255.0
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.16.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 100
ip address 172.16.17.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a290cdca4acbe2737852042686be3dea
: end
11-18-2010 07:34 AM
Sorry for the delay of this response and thanks for your time.
I tried your configuration but it doesn't work.
This is the config
!
interface Vlan1
nameif inside
security-level 100
ip address 192.4.0.26 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 100
ip address 192.168.1.26 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 outside
http 192.4.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.180-192.168.1.181 outside
dhcpd enable outside
!
dhcpd address 192.4.0.180-192.4.0.195 inside
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
With this configuration, which should be the same as yours, from outside I can see inside (ping, http, etc.).
When I use a service of inside from outside, for example connecting to the web server 192.4.0.xx, my IP in the connection is 192.168.1.xx.
So this should be my goal.
But from inside I cannot see outside.
When I try to use Packet Tracer I have no problem from one interface to the other in both directions and using both addresses.
If I add to this configuration
nat (inside) 1 192.4.0.0 255.255.255.0
from inside I can see outside (ping, http, etc.) but not vice versa.
And, obviously, in the outside network I arrive with the outside interface address (192.168.1.26).
I think, with your help, I am closer to the solution.
Thanks
Andrea