Unable to communicate between Interface Networks when internet is enabled on ASA5510.

favolmendes
Level 1

Hi,

I have an ASA 5510 working in Routed mode for a company with the following networks. Everything works fine as desired.

Below are the interfaces, security levels and IP addresses.

Ethernet0/0  DC_SERVER  security-level 100
 ip address 172.16.11.12 255.255.255.0
Ethernet0/1  Branches  security-level 50
 ip address 172.16.1.254 255.255.255.0
Ethernet0/2  DC_ADMIN  security-level 70
 ip address 172.16.25.254 255.255.255.0

Now the customer has taken a DSL connection. I have configured the port E0/3 in PPPoE mode and I do get a public IP address.

Ethernet0/3
 description broadband connection
 nameif Internet
 security-level 0
 pppoe client vpdn group bsnl
 ip address pppoe setroute

I enabled NAT so that the DC_SERVER and DC_ADMIN can access the internet, and they are able to access the internet. BUT now my DC_SERVER, DC_ADMIN and Branches networks are unable to communicate with each other. Nothing works; pings drop at this point.

Below are the NAT commands to enable internet:

NAT (DC_ADMIN) 100 172.16.25.0 255.255.255.0
NAT (DC_SERVER) 100 172.16.11.0 255.255.255.0
Global (Internet) 100 interface

If at this moment I disable NAT, the internal networks are able to communicate with each other.

I don't understand where I am making a mistake. Please help.

Below is the firewall configuration without NAT enabled. I only add the above NAT statements for internet access.

ASA Version 8.2(1)
!
hostname ciscoasa
enable password cGBMrLCcjheJaVE/ encrypted
passwd cGBMrLCcjheJaVE/ encrypted
names
name 172.16.11.1 App1 description Application server 1
name 172.16.11.2 App2 description Application server 2
name 172.16.11.3 App3 description Application server 3
name 172.16.11.4 App4 description Application server 4
name 172.16.11.16 Additional_DC description Replication DC
name 172.16.11.18 Antivirus_Server description Antivirus_Server
name 172.16.11.7 DB1 description database server1
name 172.16.11.8 DB2 description Database server 2
name 172.16.11.20 Domain_Controller description Main Domain controller
name 172.16.11.5 MIS description MIS server
name 172.16.11.6 Test_Server description Test Server
!
interface Ethernet0/0
 description servers are connected to this port
 nameif DC_SERVER
 security-level 100
 ip address 172.16.11.12 255.255.255.0
!
interface Ethernet0/1
 description All branches are connected to this port
 nameif Branches
 security-level 50
 ip address 172.16.1.254 255.255.255.0
!
interface Ethernet0/2
 description Administrator users connected to this port
 nameif DC_ADMIN
 security-level 70
 ip address 172.16.25.254 255.255.255.0
!
interface Ethernet0/3
 description broadband connection
 nameif Internet
 security-level 0
 pppoe client vpdn group bsnl
 ip address pppoe setroute
!
interface Management0/0
 nameif mgmt
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object-group service rdp tcp
 port-object eq 3389
object-group network All_Servers
 description All servers group for branch access
 network-object host Additional_DC
 network-object host Antivirus_Server
 network-object host App1
 network-object host Domain_Controller
 network-object host App2
 network-object host App3
 network-object host App4
 network-object host MIS
 network-object host Test_Server
 network-object host DB1
 network-object host DB2
access-list Internet_access_in extended permit icmp any any
access-list DC_access_in extended permit icmp any any
access-list DC_access_in extended permit ip any object-group All_Servers
access-list DC_ADMIN_access_in extended permit tcp any any object-group rdp
access-list DC_ADMIN_access_in extended permit icmp any any
access-list DC_ADMIN_access_in extended permit ip any object-group All_Servers
pager lines 24
mtu DC_SERVER 1500
mtu Branches 1500
mtu DC_ADMIN 1500
mtu Internet 1492
mtu mgmt 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm location App2 255.255.255.255 DC_SERVER
asdm location App3 255.255.255.255 DC_SERVER
asdm location App4 255.255.255.255 DC_SERVER
asdm location MIS 255.255.255.255 DC_SERVER
asdm location Test_Server 255.255.255.255 DC_SERVER
asdm location DB1 255.255.255.255 DC_SERVER
asdm location DB2 255.255.255.255 DC_SERVER
asdm location Additional_DC 255.255.255.255 DC_SERVER
asdm location Antivirus_Server 255.255.255.255 DC_SERVER
asdm location Domain_Controller 255.255.255.255 DC_SERVER
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
access-group DC_access_in in interface Branches
access-group DC_ADMIN_access_in in interface DC_ADMIN
access-group Internet_access_in in interface Internet
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 mgmt
http 172.168.25.0 255.255.255.0 DC_ADMIN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 172.16.25.0 255.255.255.0 DC_ADMIN
telnet 0.0.0.0 0.0.0.0 mgmt
telnet 192.16.1.0 255.255.255.0 mgmt
telnet timeout 30
ssh timeout 5
console timeout 0
vpdn group bsnl request dialout pppoe
vpdn group bsnl localname tmucbl
vpdn group bsnl ppp authentication chap
vpdn username tmucbl password 2731087
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password hmTyXifrd1RbLFWE encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1a61843bd133114d24d618a26aee5423
: end

1 Reply

Shrikant Sundaresh
Cisco Employee

Hi Favol,

The problem is that you haven't configured NAT rules for the traffic between DC_SERVER, DC_ADMIN and Branches.

Your NAT configuration is:

NAT (DC_ADMIN) 100 172.16.25.0 255.255.255.0
NAT (DC_SERVER) 100 172.16.11.0 255.255.255.0
Global (Internet) 100 interface

So when traffic from DC_ADMIN tries to go to Branches, it will match NAT (DC_ADMIN) 100, but it has no matching Global for the Branches interface and hence gets dropped.

There are two options for you to solve this problem.

1. Configure PAT for the other interfaces as well: global (Branches) 100 interface

This way, Admin and Server can contact Branches easily.

2. Configure NAT exemption for this traffic so that it is not NATted at all.

access-list DC_SERVER_EXEMPT permit ip 172.16.11.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list DC_SERVER_EXEMPT permit ip 172.16.11.0 255.255.255.0 172.16.25.0 255.255.255.0

access-list DC_ADMIN_EXEMPT permit ip 172.16.25.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (DC_SERVER) 0 access-list DC_SERVER_EXEMPT
nat (DC_ADMIN) 0 access-list DC_ADMIN_EXEMPT

This way, traffic travelling between Server -> Admin, Branches; and Admin -> Branches will be NAT exempted.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered, if it has been resolved. Do rate helpful posts. Thanks.
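The rule the reply relies on (on pre-8.3 ASA code, a nat statement that matches on the ingress interface must find a global with the same ID on the egress interface, otherwise the connection is dropped with "no translation group found"; nat 0 access-list exemption is checked first and is bidirectional; with nat-control off, the 8.2 default, a source that matches no nat statement is forwarded untranslated) can be modelled in a few lines. The following is an added example written for this page, not Cisco code and not from either poster: it encodes the three inside networks and the posted NAT statements, then reports the verdict for a set of constructed sample flows under the original configuration and under each of the two proposed fixes. Host addresses and the 203.0.113.5 internet destination are constructed; the behaviour shown for Admin -> Server under fix 1 follows from the same rule but is not stated in the reply.

```python
"""Model of the pre-8.3 ASA NAT lookup (nat / global / nat 0 access-list) applied to
the three inside networks and the NAT statements posted in this thread.
Constructed example, not Cisco code: it reproduces the rule the reply describes
(a nat statement on the ingress interface needs a global with the same ID on the
egress interface, or the packet is dropped) and shows what each proposed fix covers."""
import ipaddress

NET = ipaddress.ip_network
ADDR = ipaddress.ip_address

# Connected networks from the posted interface configuration.
INSIDE = {
    "DC_SERVER": NET("172.16.11.0/24"),
    "Branches":  NET("172.16.1.0/24"),
    "DC_ADMIN":  NET("172.16.25.0/24"),
}


def iface_for(ip):
    """Interface an address belongs to; anything else leaves via the PPPoE default route."""
    for name, net in INSIDE.items():
        if ip in net:
            return name
    return "Internet"


class AsaNat:
    """Minimal stand-in for the 8.2 xlate decision on a new connection."""

    def __init__(self):
        self.nat = []         # nat (ifname) <id> <net>          -> (ifname, id, network)
        self.exempt = []      # nat (ifname) 0 access-list <acl> -> (ifname, src_net, dst_net)
        self.globals = set()  # global (ifname) <id> interface   -> (ifname, id)

    def lookup(self, src, dst):
        src, dst = ADDR(src), ADDR(dst)
        ingress, egress = iface_for(src), iface_for(dst)
        # 1. NAT exemption is checked first and is bidirectional: an ACL bound to the
        #    far interface also exempts the reverse direction of the same address pair.
        for ifname, s_net, d_net in self.exempt:
            if ifname == ingress and src in s_net and dst in d_net:
                return "EXEMPT"
            if ifname == egress and src in d_net and dst in s_net:
                return "EXEMPT"
        # 2. Dynamic NAT/PAT: a nat statement on the ingress interface matching the
        #    source must find a global with the same ID on the egress interface.
        for ifname, nat_id, net in self.nat:
            if ifname == ingress and src in net:
                if (egress, nat_id) in self.globals:
                    return f"PAT via global {nat_id} on {egress}"
                return f"DROP: no translation group (nat {nat_id}) on {egress}"
        # 3. No nat statement on the ingress interface: nat-control is off by default
        #    on 8.2, so the packet is forwarded untranslated.
        return "PASSTHROUGH"


def posted_config():
    asa = AsaNat()
    asa.nat.append(("DC_ADMIN", 100, NET("172.16.25.0/24")))   # NAT (DC_ADMIN) 100 ...
    asa.nat.append(("DC_SERVER", 100, NET("172.16.11.0/24")))  # NAT (DC_SERVER) 100 ...
    asa.globals.add(("Internet", 100))                          # Global (Internet) 100 interface
    return asa


def fix_global_on_branches():
    """Option 1 from the reply: global (Branches) 100 interface."""
    asa = posted_config()
    asa.globals.add(("Branches", 100))
    return asa


def fix_nat_exempt():
    """Option 2 from the reply: the two exemption ACLs bound with nat (...) 0 access-list."""
    asa = posted_config()
    asa.exempt += [
        ("DC_SERVER", NET("172.16.11.0/24"), NET("172.16.1.0/24")),   # DC_SERVER_EXEMPT
        ("DC_SERVER", NET("172.16.11.0/24"), NET("172.16.25.0/24")),  # DC_SERVER_EXEMPT
        ("DC_ADMIN",  NET("172.16.25.0/24"), NET("172.16.1.0/24")),   # DC_ADMIN_EXEMPT
    ]
    return asa


# Constructed sample flows: one host per network plus a documentation-range internet address.
FLOWS = [
    ("172.16.25.10", "172.16.1.10"),   # Admin    -> Branches
    ("172.16.25.10", "172.16.11.5"),   # Admin    -> Server
    ("172.16.11.5",  "172.16.1.10"),   # Server   -> Branches
    ("172.16.1.10",  "172.16.11.5"),   # Branches -> Server (no nat statement on Branches)
    ("172.16.25.10", "203.0.113.5"),   # Admin    -> Internet
]


def verdicts(asa):
    """Verdict for every sample flow under the given NAT configuration."""
    return {(s, d): asa.lookup(s, d) for s, d in FLOWS}


if __name__ == "__main__":
    for label, build in [("as posted", posted_config),
                         ("fix 1: global on Branches", fix_global_on_branches),
                         ("fix 2: nat 0 access-list", fix_nat_exempt)]:
        print(f"--- {label}")
        for (s, d), v in verdicts(build()).items():
            print(f"{s:>13} -> {d:<13} {v}")
```

Running it shows the symptom from the question (Admin -> Branches and Server -> Branches are dropped while Admin -> Internet gets PAT) and the difference between the two fixes: the extra global only covers flows towards Branches, whereas the exemption ACLs leave every inside-to-inside pair they name untranslated in both directions, which is why the reply needs no separate Admin -> Server entry.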
