×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ASA 5510 Unable to get internal networks talking to each other

Answered Question
Apr 23rd, 2012
User Badges:

Hey,


In need of some help here. I am tasked with transfering all clients from one subnet to the other. I figure the nicest way to do this is to temporarily have the subnets talk to each other in an endeavour to avoid as much downtime as possible. The two internal subnets are:

192.168.0.0/24

192.168.43.0/24 (the intended migration network)


I am beating my head against the desk here as I dont seem to be getting anywhere after the changes I have made. The current configuration is as such:


ASA Version 8.2(5)

!

hostname ciscoasa

domain-name *****

enable password ***** encrypted

passwd ***** encrypted

names

*****

*****

*****

*****

!

interface Ethernet0/0

description Internode SOHO

nameif Outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/1

description *****

nameif Inside

security-level 100

ip address 192.168.43.1 255.255.255.0

!

interface Ethernet0/2

description *****

nameif Main_Network

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/3

description *****

nameif DMZ

security-level 100

ip address  *****

!

interface Management0/0

nameif management

security-level 100

ip address  *****

management-only

!

ftp mode passive

dns domain-lookup Outside

dns server-group DefaultDNS

name-server  *****

name-server  *****

domain-name  *****

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object udp

protocol-object tcp

access-list Outside_1_cryptomap extended permit ip 192.168.43.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list Inside_nat0_outbound extended permit ip 192.168.43.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list Inside_access_in extended permit ip 10.0.0.0 255.0.0.0 192.168.43.0 255.255.255.0

access-list Inside_access_in extended permit ip 192.168.43.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list outside extended permit ip any 192.168.0.0 255.255.255.0

access-list outside extended permit ip any any

access-list Main_Network_access_in extended permit ip 192.168.0.0 255.255.255.0 any

access-list Main_Network_access_in extended permit ip any 192.168.0.0 255.255.255.0

access-list Main_Network_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.43.0 255.255.255.0

access-list Main_Network_access_in extended permit ip 192.168.43.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list Main_Network_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 any

access-list FTPinDMZ extended permit ip 203.30.186.0 255.255.255.0 any

access-list FTPinDMZ extended permit ip any 203.30.186.0 255.255.255.0

access-list Internal_Traversal extended permit ip 192.168.0.0 255.255.255.0 192.168.43.0 255.255.255.0

access-list Internal_Traversal extended permit ip 192.168.43.0 255.255.255.0 192.168.0.0 255.255.255.0

pager lines 24

logging enable

logging buffered errors

logging asdm errors

logging flash-bufferwrap

mtu Outside 1492

mtu Inside 1500

mtu Main_Network 1500

mtu management 1500

mtu DMZ 1500

failover timeout -1

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (Outside) 1 interface

nat (Inside) 0 access-list Internal_Traversal

nat (Inside) 0 0.0.0.0 0.0.0.0

nat (Main_Network) 1 access-list Main_Network_nat0_outbound

nat (Main_Network) 1 192.168.0.0 255.255.255.0

nat (DMZ) 1 203.30.186.0 255.255.255.0

static (Main_Network,Outside) tcp interface www Mail02 www netmask 255.255.255.255

static (Main_Network,Outside) tcp interface smtp Mail02 smtp netmask 255.255.255.255

static (Main_Network,Outside) tcp interface ssh Mail02 ssh netmask 255.255.255.255

static (Main_Network,Outside) tcp interface 993 Mail02 993 netmask 255.255.255.255

static (Main_Network,Outside) tcp interface 995 Mail02 995 netmask 255.255.255.255

static (Main_Network,Outside) tcp interface https Mail02 https netmask 255.255.255.255

static (Main_Network,Outside) udp interface 60001 192.168.0.185 3389 netmask 255.255.255.255

static (Main_Network,Outside) tcp interface 60001 192.168.0.185 3389 netmask 255.255.255.255

*****

*****

static (Main_Network,Inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 norandomseq nailed

access-group outside in interface Outside

access-group Main_Network_access_in in interface Main_Network

route Outside 10.0.3.0 255.255.255.0 SOHO_ADSL 1

route Outside 192.168.0.0 255.255.255.0 SOHO_ADSL 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 200.200.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp Inside

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map 1 match address Outside_1_cryptomap

crypto map Outside_map 1 set pfs

crypto map Outside_map 1 set peer *****

crypto map Outside_map 1 set transform-set ESP-3DES-MD5

crypto map Outside_map interface Outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

*****

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

!

hostname ciscoasa

domain-name *****

enable password ***** encrypted

passwd ***** encrypted

names

*****

*****

*****

*****

!

interface Ethernet0/0

description Internode SOHO

nameif Outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/1

description *****

nameif Inside

security-level 100

ip address 192.168.43.1 255.255.255.0

!

interface Ethernet0/2

description *****

nameif Main_Network

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/3

description *****

nameif DMZ

security-level 100

ip address  *****

!

interface Management0/0

nameif management

security-level 100

ip address  *****

management-only

!

ftp mode passive

dns domain-lookup Outside

dns server-group DefaultDNS

name-server  *****

name-server  *****

domain-name  *****

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object udp

protocol-object tcp

access-list Outside_1_cryptomap extended permit ip 192.168.43.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list Inside_nat0_outbound extended permit ip 192.168.43.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list Inside_access_in extended permit ip 10.0.0.0 255.0.0.0 192.168.43.0 255.255.255.0

access-list Inside_access_in extended permit ip 192.168.43.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list outside extended permit ip any 192.168.0.0 255.255.255.0

access-list outside extended permit ip any any

access-list Main_Network_access_in extended permit ip 192.168.0.0 255.255.255.0 any

access-list Main_Network_access_in extended permit ip any 192.168.0.0 255.255.255.0

access-list Main_Network_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.43.0 255.255.255.0

access-list Main_Network_access_in extended permit ip 192.168.43.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list Main_Network_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 any

access-list FTPinDMZ extended permit ip *****

access-list FTPinDMZ extended permit ip any *****

access-list Internal_Traversal extended permit ip 192.168.0.0 255.255.255.0 192.168.43.0 255.255.255.0

access-list Internal_Traversal extended permit ip 192.168.43.0 255.255.255.0 192.168.0.0 255.255.255.0

pager lines 24

logging enable

logging buffered errors

logging asdm errors

logging flash-bufferwrap

mtu Outside 1492

mtu Inside 1500

mtu Main_Network 1500

mtu management 1500

mtu DMZ 1500

failover timeout -1

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (Outside) 1 interface

nat (Inside) 0 access-list Internal_Traversal

nat (Inside) 0 0.0.0.0 0.0.0.0

nat (Main_Network) 1 access-list Main_Network_nat0_outbound

nat (Main_Network) 1 192.168.0.0 255.255.255.0

nat (DMZ) 1 ****

static (Main_Network,Outside) tcp interface www Mail02 www netmask 255.255.255.255

static (Main_Network,Outside) tcp interface smtp Mail02 smtp netmask 255.255.255.255

static (Main_Network,Outside) tcp interface ssh Mail02 ssh netmask 255.255.255.255

static (Main_Network,Outside) tcp interface 993 Mail02 993 netmask 255.255.255.255

static (Main_Network,Outside) tcp interface 995 Mail02 995 netmask 255.255.255.255

static (Main_Network,Outside) tcp interface https Mail02 https netmask 255.255.255.255

static (Main_Network,Outside) udp interface 60001 192.168.0.185 3389 netmask 255.255.255.255

static (Main_Network,Outside) tcp interface 60001 192.168.0.185 3389 netmask 255.255.255.255

*****

*****

static (Main_Network,Inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 norandomseq nailed

access-group outside in interface Outside

access-group Main_Network_access_in in interface Main_Network

route Outside 10.0.3.0 255.255.255.0 SOHO_ADSL 1

route Outside 192.168.0.0 255.255.255.0 SOHO_ADSL 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 200.200.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp Inside

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map 1 match address Outside_1_cryptomap

crypto map Outside_map 1 set pfs

crypto map Outside_map 1 set peer 159.153.222.18

crypto map Outside_map 1 set transform-set ESP-3DES-MD5

crypto map Outside_map interface Outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

*****

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

*****

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 130

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 10800

telnet timeout 5

ssh 192.168.43.0 255.255.255.0 Inside

ssh 192.168.0.0 255.255.255.0 Main_Network

ssh timeout 5

console timeout 0

management-access Main_Network

vpdn username  ***** password  ***** store-local

dhcp-client client-id interface Outside

dhcpd address 200.200.1.2-200.200.1.200 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username  ***** password  ***** encrypted

username  ***** password  ***** encrypted

tunnel-group  ***** type ipsec-l2l  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous


tunnel-group  ***** ipsec-attributes

pre-shared-key *

tunnel-group  ***** type ipsec-l2l

tunnel-group  ***** ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous


  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

*****

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 130

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 10800

telnet timeout 5

ssh 192.168.43.0 255.255.255.0 Inside

ssh 192.168.0.0 255.255.255.0 Main_Network

ssh timeout 5

console timeout 0

management-access Main_Network

vpdn username  ***** password  ***** store-local

dhcp-client client-id interface Outside

dhcpd address 200.200.1.2-200.200.1.200 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username  ***** password  ***** encrypted

username  ***** password  ***** encrypted

tunnel-group  ***** type ipsec-l2l  message-length maximum 512




Upgrading the firmware is not really an option

Hoping someone can help. Perhaps its just something right in front of me that Im missing.


Thanks in advance for any help

Correct Answer by Jouni Forss about 5 years 3 months ago

Hi,


Try adding same-security permit inter-interface. (you have the other one configured that allows traffic to enter and leave on the same interface) This should permit traffic between 2 interfaces of equal security-level


Also you should configure an access-list for the inside interface.


Try the connections after that.


You also seem to lack basic PAT configuration for Inside interface for internet traffic. (As you only have ID 0 NAT statements configured)


For ICMP between the 2 networks please add


policy-map global_policy

class inspection_default

  inspect icmp



- Jouni

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Jouni Forss Tue, 04/24/2012 - 00:48
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Try adding same-security permit inter-interface. (you have the other one configured that allows traffic to enter and leave on the same interface) This should permit traffic between 2 interfaces of equal security-level


Also you should configure an access-list for the inside interface.


Try the connections after that.


You also seem to lack basic PAT configuration for Inside interface for internet traffic. (As you only have ID 0 NAT statements configured)


For ICMP between the 2 networks please add


policy-map global_policy

class inspection_default

  inspect icmp



- Jouni

VampiressX Tue, 04/24/2012 - 02:56
User Badges:

OMG thankyou so much Jouni! Awesome. I just cant believe I missed that one. So you are actually required to have both statements... inter and intra.


I also noticed that ive double posted the config. God the things you do. Anywho, my very special thanks to you and you have saved me many days of heartache with that. Cheers m8!

Jouni Forss Tue, 04/24/2012 - 23:16
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Glad that it works now


To my understanding the command with the "intra" parameter is for situations where the traffic is entering and leaving the same interface. One of the most common situations where I need this command is when a customer has a Client VPN configured and the VPN Client user needs to use Internet through the VPN Client (Outside to Outside interface traffic)


The "inter" parameter refers to situations where you need to pass traffic between 2 firewall interfaces which are configured with the same "security-level" value (As you did in this case).


- Jouni

Actions

This Discussion

Related Content