Inter interface communications not working on asa 5510 v 8.2.2

Answered Question
Aug 21st, 2012

Howdy,

ASA / Cisco Novice here:

I have an ASA 5510 attached to 2 internal networks.  Everything is working except communications between the 2 internal interfaces.

I can ping the FW from either interface and I can ping hosts on both networks from the CLI but can't get any traffic to pass.

I'd like to open the connection to all traffic.

A picture being worth a thousand words, below is the physical network and a cleaned config (Note that I have highlighted the commands that I think should make this work).

Can anyone see what I'm missing?

Regards,

Geoffrey

BF asa highline com problem small.jpg

hostname CiscoASA

domain-name domain.org

enable password c7Ik4QWNoVuUmbYX encrypted

passwd c7Ik4QWNoVuUmbYX encrypted

names

name x.x.x.x Server2-Outside

name x.x.x.x Konica-Outside

name x.x.x.x Sharepoint-Outside

name 192.168.100.15 Konica-Inside

name 192.168.100.2 Server2-Inside

name 192.168.100.5 Sharepoint-Inside

name 192.168.1.0 Highline-inside

!

interface Ethernet0/0

speed 100

duplex full

nameif Outside

security-level 0

pppoe client vpdn group xxx

ip address x.x.x.x 255.255.255.255 pppoe setroute

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 192.168.100.1 255.255.255.0

!

interface Ethernet0/2

nameif Highline

security-level 100

ip address 192.168.1.3 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.11.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns server-group DefaultDNS

domain-name domain.org

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service RDP tcp

port-object eq 3389

object-group service Sharepoint-SSL tcp

port-object eq 444

object-group service Zone3-17365 tcp

port-object eq 17365

object-group service Konica-printing tcp

port-object eq 9100

access-list Outside_access_in extended permit tcp any host Server2-Outside eq 3389

access-list Outside_access_in extended permit tcp any host Server2-Outside eq smtp

access-list Outside_access_in extended permit tcp any host Server2-Outside eq ftp

access-list Outside_access_in extended permit tcp any host Server2-Outside eq www

access-list Outside_access_in extended permit tcp any host Server2-Outside eq https

access-list Outside_access_in extended permit tcp any host Server2-Outside eq pptp

access-list Outside_access_in extended permit gre any host Server2-Outside

access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq www

access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq https

access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Zone3-17365

access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Sharepoint-SSL

access-list Outside_access_in extended permit tcp any host Konica-Outside object-group Konica-printing

access-list dispatch_nat0 extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0

access-list dispatch_cryptomap extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0

access-list Inside_nat_outbound extended permit ip 192.168.100.0 255.255.255.0 172.29.12.0 255.255.255.0

access-list Inside_nat_static extended permit ip host Server2-Inside any

access-list Inside_nat_static_1 extended permit ip host Server2-Inside host 172.29.12.5

access-list Inside_nat_static_2 extended permit ip host 192.168.100.12 host 172.29.12.1

access-list Highline_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu Highline 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (Outside) 2 10.99.12.10-10.99.12.254 netmask 255.255.255.0

global (Outside) 1 interface

global (Outside) 3 Server2-Outside netmask 255.255.255.255

nat (Inside) 2 access-list Inside_nat_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (Highline) 1 0.0.0.0 0.0.0.0

static (Inside,Outside) Sharepoint-Outside Sharepoint-Inside netmask 255.255.255.255

static (Inside,Outside) Konica-Outside Konica-Inside netmask 255.255.255.255

static (Inside,Outside) 10.99.12.5 access-list Inside_nat_static_1

static (Inside,Outside) Server2-Outside access-list Inside_nat_static

static (Inside,Outside) 10.99.12.1 access-list Inside_nat_static_2

static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0

access-group Outside_access_in in interface Outside

access-group Highline_access_in in interface Highline

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.100.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TEST esp-aes-256 esp-sha-hmac

crypto ipsec transform-set dispatch esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map dispatch_map 1 match address dispatch_nat0

crypto map dispatch _map 1 set pfs group5

crypto map dispatch _map 1 set peer 146.129.253.3

crypto map dispatch _map 1 set transform-set dispatch

crypto map dispatch _map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

telnet 192.168.100.0 255.255.255.0 Inside

telnet 192.168.11.0 255.255.255.0 management

telnet timeout 30

ssh timeout 5

console timeout 0

vpdn group blah request dialout pppoe

vpdn group blah localname blah

vpdn group blah ppp authentication pap

vpdn username blahblahblah password ***** store-local

dhcpd address 192.168.11.2-192.168.11.254 management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password ra.2Iw6nrBEaHn0M encrypted

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:36468a70e58b3026ab250dfba96c4ba9

: end

I have this problem too.
0 votes
Correct Answer by Ramraj.Sivagnanam about 1 year 7 months ago

Hi Bro

Can you add these commands and this should work.

!

access-list Inside-to-Highline permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list Highline-to-Inside permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

!

nat (Inside) 0 access-list Inside-to-Highline

nat (Highline) 0 access-list Highline-to-Inside

!

clear xlate

!

!!!!!!!!!!!!!!!!!!!! This is not important to remove but just do it for now. Later you could add them back. !!!!!!!!!!!!!!!!!!!!!!

no threat-detection basic-threat                                         

no threat-detection statistics access-list

!

Basically, when Inside wants to communicate with Highline or vice-versa, you’ll need to enable “NAT Exemption” i.e. nat (nameif) 0 . I know you have already enabled the same-security permit inter-interface command, but this command becomes useless once you’ve enable dynamic nat on one of those interfaces. It’s as if the same-security traffic command wasn't even entered in the first place. Hence, the Cisco ASA is behaving as expected as per Cisco's documentation. For further details on this, you could refer to the URLs below;

https://supportforums.cisco.com/thread/223898

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530

P/S: If you think this comment is useful, please do rate it nicely :-) and click on the "Correct Answer" button

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 4.2 (6 ratings)
siddhartham Tue, 08/21/2012 - 14:22

Can you do a packet trace from 192.168.1.100 to 192.168.100.100 and check on which step the ASA is dropping the packets.

Since you don't have nat control enabled, I don't think you will need the below statemetns

static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0

Siddhartha

gbarker@andseat... Tue, 08/21/2012 - 14:42

Hello Siddhartha,

Thanks for the reply.  I appreciate it.

Though I'm not sure how to understand it, here is that output:

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.100.0   255.255.255.0   Inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
nat (Inside) 1 0.0.0.0 0.0.0.0
  match ip Inside any Inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 2, untranslate_hits = 0
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

What's it tell you?

G

siddhartham Tue, 08/21/2012 - 15:37

you did a trace from 192.168.1.X to 192.168.100.X, is that right? according to your config the packet should match the below statement

static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0

not sure why it matches against nat (Inside) 1 0.0.0.0 0.0.0.0

Just to make sure can you try the below command and paste the output

packet-tracer input Highline tcp 192.168.1.100 80 192.168.100.1 80 detailed

Siddhartha

gbarker@andseat... Tue, 08/21/2012 - 15:43

I initally posted a response where I did not get the source and destination right.  I deleted that post though.  On the other hand, I may have run my trace from the inside interface... 

In any case, here's the results of the cut and paste you requested:

ASA# packet-tracer input Highline tcp 192.168.1.100 80 192.168.100.1 80 $

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac8ea680, priority=1, domain=permit, deny=false
        hits=3, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  match ip Inside 192.168.100.0 255.255.255.0 Highline any
    static translation to 192.168.100.0
    translate_hits = 4, untranslate_hits = 1
Additional Information:
NAT divert to egress interface Inside
Untranslate 192.168.100.0/0 to 192.168.100.0/0 using netmask 255.255.255.0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Highline_access_in in interface Highline
access-list Highline_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac97bad8, priority=12, domain=permit, deny=false
        hits=3, user_data=0xa8a9eb40, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac8ecdb8, priority=0, domain=inspect-ip-options, deny=true
        hits=5, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0
  match ip Highline Highline-inside 255.255.255.0 Inside any
    static translation to Highline-inside
    translate_hits = 1, untranslate_hits = 6
Additional Information:
Static translate Highline-inside/0 to Highline-inside/0 using netmask 255.255.25
5.0
Forward Flow based lookup yields rule:
in  id=0xac9769a8, priority=5, domain=nat, deny=false
        hits=1, user_data=0xac8fd7a0, cs_id=0x0, flags=0x0, protocol=0
        src ip=Highline-inside, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0
  match ip Highline Highline-inside 255.255.255.0 Inside any
    static translation to Highline-inside
    translate_hits = 1, untranslate_hits = 6
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac976d00, priority=5, domain=host, deny=false
        hits=10, user_data=0xac8fd7a0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=Highline-inside, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  match ip Inside 192.168.100.0 255.255.255.0 Highline any
    static translation to 192.168.100.0
    translate_hits = 4, untranslate_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac975ed8, priority=5, domain=nat-reverse, deny=false
        hits=1, user_data=0xac975480, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.100.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 9
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xac8a77d8, priority=500, domain=permit, deny=true
        hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.100.1, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Highline
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Julio Carvaja Tue, 08/21/2012 - 16:28

Hello Geoffrey,

Access-list denied hmm, have you make any changes to the config since you created this ticket?

If yes, please post it back

The ACL should not be dropping this packets.

Regards,

gbarker@andseat... Tue, 08/21/2012 - 16:53

Hi,

Strange right?

I just did a careful line by line comparison of the current config and the one I sent.  Apart from enabling Telnet on the Highline interface, they are identical.  I also just ran another packet trace and got the same results.

Thanks for any thoughts on this weird problem.

Geoffrey

gbarker@andseat... Tue, 08/21/2012 - 17:00

Hello again,

...  Just so you don't have to take my word for it: here's a freshly run SH Conf (cleaned of id info) followed by Packet Trace output:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
hostname ASA
domain-name domain.org
enable password c7Ik4QWNoVuUmbYX encrypted
passwd c7Ik4QWNoVuUmbYX encrypted
names
name xxxx Server2-Outside
name xxxx Konica-Outside
name xxxx Sharepoint-Outside
name 192.168.100.15 Konica-Inside
name 192.168.100.2 Server2-Inside
name 192.168.100.5 Sharepoint-Inside
name 192.168.1.0 Highline-inside
!
interface Ethernet0/0
speed 100
duplex full
nameif Outside
security-level 0
pppoe client vpdn group blah
ip address xxxx 255.255.255.255 pppoe setroute
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
nameif Highline
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.11.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name domain.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group service Sharepoint-SSL tcp
port-object eq 444
object-group service Zone3-17365 tcp
port-object eq 17365
object-group service Konica-printing tcp
port-object eq 9100
access-list Outside_access_in extended permit tcp any host Server2-Outside eq 3389
access-list Outside_access_in extended permit tcp any host Server2-Outside eq smtp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq ftp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq www
access-list Outside_access_in extended permit tcp any host Server2-Outside eq https
access-list Outside_access_in extended permit tcp any host Server2-Outside eq pptp
access-list Outside_access_in extended permit gre any host Server2-Outside
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq www
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq https
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Zone3-17365
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Sharepoint-SSL
access-list Outside_access_in extended permit tcp any host Konica-Outside object-group Konica-printing
access-list valley_nat0 extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list valley_cryptomap extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_outbound extended permit ip 192.168.100.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_static extended permit ip host Server2-Inside any
access-list Inside_nat_static_1 extended permit ip host Server2-Inside host 172.29.12.5
access-list Inside_nat_static_2 extended permit ip host 192.168.100.12 host 172.29.12.1
access-list Highline_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Highline 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 2 10.99.12.10-10.99.12.254 netmask 255.255.255.0
global (Outside) 1 interface
global (Outside) 3 Server2-Outside netmask 255.255.255.255
nat (Inside) 2 access-list Inside_nat_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Highline) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) Sharepoint-Outside Sharepoint-Inside netmask 255.255.255.255
static (Inside,Outside) Konica-Outside Konica-Inside netmask 255.255.255.255
static (Inside,Outside) 10.99.12.5  access-list Inside_nat_static_1
static (Inside,Outside) Server2-Outside  access-list Inside_nat_static
static (Inside,Outside) 10.99.12.1  access-list Inside_nat_static_2
static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Highline_access_in in interface Highline
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TEST esp-aes-256 esp-sha-hmac
crypto ipsec transform-set VALLEY esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map valley_map 1 match address valley_nat0
crypto map valley_map 1 set pfs group5
crypto map valley_map 1 set peer 146.129.253.3
crypto map valley_map 1 set transform-set VALLEY
crypto map valley_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.100.0 255.255.255.0 Inside
telnet Highline-inside 255.255.255.0 Highline
telnet 192.168.11.0 255.255.255.0 management
telnet timeout 30
ssh timeout 5
console timeout 0
vpdn group blah request dialout pppoe
vpdn group blah localname fidistrnobusine@qwest.net
vpdn group blah ppp authentication pap
vpdn username Username password ***** store-local
dhcpd address 192.168.11.2-192.168.11.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ra.2Iw6nrBEaHn0M encrypted
tunnel-group 146.129.253.3 type ipsec-l2l
tunnel-group 146.129.253.3 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25e177563bdc640b69a74af02f2c0c26
: end

Packet Trace Output:

Result of the command: "packet-tracer input Highline tcp 192.168.1.100 80 192.168.100.1 80 detailed"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac8ea680, priority=1, domain=permit, deny=false
hits=11, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  match ip Inside 192.168.100.0 255.255.255.0 Highline any
    static translation to 192.168.100.0
    translate_hits = 14, untranslate_hits = 9
Additional Information:
NAT divert to egress interface Inside
Untranslate 192.168.100.0/0 to 192.168.100.0/0 using netmask 255.255.255.0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Highline_access_in in interface Highline
access-list Highline_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad1a4e58, priority=12, domain=permit, deny=false
hits=6, user_data=0xa8a9ebc0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac8ecdb8, priority=0, domain=inspect-ip-options, deny=true
hits=19, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0
  match ip Highline Highline-inside 255.255.255.0 Inside any
    static translation to Highline-inside
    translate_hits = 8, untranslate_hits = 17
Additional Information:
Static translate Highline-inside/0 to Highline-inside/0 using netmask 255.255.255.0
Forward Flow based lookup yields rule:
in  id=0xac9769a8, priority=5, domain=nat, deny=false
hits=8, user_data=0xac8fd7a0, cs_id=0x0, flags=0x0, protocol=0
src ip=Highline-inside, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0
  match ip Highline Highline-inside 255.255.255.0 Inside any
    static translation to Highline-inside
    translate_hits = 8, untranslate_hits = 17
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac976d00, priority=5, domain=host, deny=false
hits=40, user_data=0xac8fd7a0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=Highline-inside, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  match ip Inside 192.168.100.0 255.255.255.0 Highline any
    static translation to 192.168.100.0
    translate_hits = 14, untranslate_hits = 9
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac975ed8, priority=5, domain=nat-reverse, deny=false
hits=8, user_data=0xac975480, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=192.168.100.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 9
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xac8a77d8, priority=500, domain=permit, deny=true
hits=9, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.100.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Highline
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Strange no?

Thanks again for any help.

Geoffrey

Julio Carvaja Tue, 08/21/2012 - 17:16

Hello ,

As a test please remove the following command as its not need it

no access-group Highline_access_in in interface Highline

That should not make a difference but I would like to have a clear configuration

Run the following packet-tracer:

packet-tracer input inside tcp 192.168.100.20 1025 192.168.1.20 80

gbarker@andseat... Tue, 08/21/2012 - 17:28

Interesting... For an unneeded access-group, removing it sure had an affect on Packet Tracer output.

After removing that line - current Packet Tracer Output below.  Oddly, though the traffic is no longer blocked, I still can't RDP (for example) through the FW.

ASA(config)#       packet-tracer input Inside tcp 192.168.100.20 1065 192.168.1.20 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0
  match ip Highline Highline-inside 255.255.255.0 Inside any
    static translation to Highline-inside
    translate_hits = 8, untranslate_hits = 19
Additional Information:
NAT divert to egress interface Highline
Untranslate Highline-inside/0 to Highline-inside/0 using netmask 255.255.255.0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  match ip Inside 192.168.100.0 255.255.255.0 Highline any
    static translation to 192.168.100.0
    translate_hits = 16, untranslate_hits = 9
Additional Information:
Static translate 192.168.100.0/0 to 192.168.100.0/0 using netmask 255.255.255.0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  match ip Inside 192.168.100.0 255.255.255.0 Highline any
    static translation to 192.168.100.0
    translate_hits = 16, untranslate_hits = 9
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0
  match ip Highline Highline-inside 255.255.255.0 Inside any
    static translation to Highline-inside
    translate_hits = 8, untranslate_hits = 19
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0
  match ip Highline Highline-inside 255.255.255.0 Inside any
    static translation to Highline-inside
    translate_hits = 8, untranslate_hits = 19
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 15104, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Highline
output-status: up
output-line-status: up
Action: allow

Julio Carvaja Tue, 08/21/2012 - 17:32

Hello Geoff,

I am doing the packet tracer from the inside, the one you did before was this one:

packet-tracer input Highline tcp 192.168.1.100 1025 192.168.100.1 80

Can you do it and if by any chance it says allow our next step would be the captures,

Regards,

Julio

gbarker@andseat... Tue, 08/21/2012 - 17:37

Here's the Highline version as requested.  Not sure I understand the "next step would be the captures".  I hope you'll be able to give some guidance on that...  Thanks again for the help.

Result of the command: "packet-tracer input Highline tcp 192.168.1.100 1025 192.168.100.1 80"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  match ip Inside 192.168.100.0 255.255.255.0 Highline any
    static translation to 192.168.100.0
    translate_hits = 19, untranslate_hits = 11
Additional Information:
NAT divert to egress interface Inside
Untranslate 192.168.100.0/0 to 192.168.100.0/0 using netmask 255.255.255.0

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0
  match ip Highline Highline-inside 255.255.255.0 Inside any
    static translation to Highline-inside
    translate_hits = 10, untranslate_hits = 22
Additional Information:
Static translate Highline-inside/0 to Highline-inside/0 using netmask 255.255.255.0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0
  match ip Highline Highline-inside 255.255.255.0 Inside any
    static translation to Highline-inside
    translate_hits = 10, untranslate_hits = 22
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  match ip Inside 192.168.100.0 255.255.255.0 Highline any
    static translation to 192.168.100.0
    translate_hits = 19, untranslate_hits = 11
Additional Information:

Phase: 9
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Highline
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Julio Carvaja Tue, 08/21/2012 - 17:41

OH GOD!!!

Well that happens because of not using your own stuff

I was ussing the packet tracer that Sid provide us "packet-tracer input Highline tcp 192.168.1.100 80 192.168.100.1 80 detailed"

This packet tracer is pointing to the Ip address of the inside interface and ofcourse its not going to work!

Traffic to a distant interface is never allowed on the ASA no matter what.

Hmmm well I need to know the ip address of the RDP computers you are using ( both client and server)

Regards,

Julio

Rate all the helpful posts!

gbarker@andseat... Tue, 08/21/2012 - 17:51

Oops.  Been there.

I'm trying to (amoung other things) RDP from 192.168.1.254 to 192.168.100.2 and vice versa.

Just in case, it might be worth saying again that I can ping both of these hosts from the CLI on the firewall.

Julio Carvaja Tue, 08/21/2012 - 17:56

Hello Geoffrey,

capture capin interface inside match Tcp host 192.168.100.2 host 192.168.1.254 eq 3389

capture capout interface Highline match tcp host  192.168.100.2 host 192.168.1.254 eq 3389

cap asp type asp-drop all circular-buffer

Then try to go from  192.168.100.2 to  192.168.1.254 RDP

Afterwards post the output of the following:

sh cap capin

sh cap capout

sh cap asp | include 192.168.1.254

Regards,

gbarker@andseat... Tue, 08/21/2012 - 18:05

Here you go:

Result of the command: "sh cap capin"

3 packets captured

   1: 09:52:10.805881 192.168.100.2.26421 > 192.168.1.254.3389: S 1302960143:1302960143(0) win 65535
   2: 09:52:13.754523 192.168.100.2.26421 > 192.168.1.254.3389: S 1302960143:1302960143(0) win 65535
   3: 09:52:19.790349 192.168.100.2.26421 > 192.168.1.254.3389: S 1302960143:1302960143(0) win 65535
3 packets shown

Result of the command: "sh cap capout"

3 packets captured

   1: 09:52:10.806064 192.168.100.2.26421 > 192.168.1.254.3389: S 3305133695:3305133695(0) win 65535
   2: 09:52:13.754553 192.168.100.2.26421 > 192.168.1.254.3389: S 3305133695:3305133695(0) win 65535
   3: 09:52:19.790379 192.168.100.2.26421 > 192.168.1.254.3389: S 3305133695:3305133695(0) win 65535
3 packets shown

Result of the command: "sh cap asp | include 192.168.1.254"

257: 09:56:26.689615 192.168.1.254.138 > 192.168.1.255.138:  udp 201

Julio Carvaja Tue, 08/21/2012 - 20:15

Hello Geoffrey,

Doest not look like an ASA problem to be honest with you

On both interfaces we can se the same amount of packets...

As you know each tcp session gets established by following a three way handshake. In this session we only see a SYN packet comming from the client to the RDP server that let us know 2 things:

1- The packet is getting lost or dropped on the way from the ASA to the server

2- The server is not allowing that traffic ( Please tell me you have the wonderful Windows Firewall disabled )

If the windows firewall is disabled please go ahead to the server and download and install wireshark this will let us know what is happening and as you know wireshark does not lie   so if the packets are reaching the server and he is replying back we will see it.

Rate all the helpful posts

Julio

gbarker@andseat... Tue, 08/21/2012 - 21:36

Well, the ASA is not off the hook yet (and I so wanted it to be).

.

Wireshark sees no TPKT traffic when I attempt to RDP from 192.168.100.2 to 192.168.1.254.

It does however see tons of packets when I successfully RDP from 192.168.1.101 to 192.168.1.254

Windows Firewall is indeed disabled.

The only equipment between 192.168.1.254 and the firewall is a managed Netgear switch. I looked at it's configuration and found that it has a single default VLAN that is active on all ports so I assume the packets are not being lost there. 

Also will say again that I CAN ping from the CLI on the FW to 192.168.1.254.  Weird one isn't it?

Thoughts?



Julio Carvaja Tue, 08/21/2012 - 22:09

My questions are the following

1- Do you see a syn packet getting to the Server?

2- Do you see a Syn ACK packet comming from the server

Ramraj.Sivagnanam Tue, 08/21/2012 - 21:43

Hi Bro

Can you ensure you do the following and let use know what's the outcome

access-list Inside permit ip any any
access-group Inside in interface Inside


no global (Outside) 3 Server2-Outside netmask 255.255.255.255

no static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
no static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0

Note: Those workstations in Inside and Highline can access the Internet, am I right?

gbarker@andseat... Tue, 08/21/2012 - 22:02

Hey Will,

Nice avatar...

I did all of that but no change.

You are correct.  Workstations on both subnets can access the internet through this ASA.

gbarker@andseat... Tue, 08/21/2012 - 22:13

Here it is.  Fresh off the device (cleaned of ID info):

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
hostname ASA
domain-name domain.org
enable password c7Ik4QWNoVuUmbYX encrypted
passwd c7Ik4QWNoVuUmbYX encrypted
names
name xxxx Server2-Outside
name xxxx Konica-Outside
name xxxx Sharepoint-Outside
name 192.168.100.15 Konica-Inside
name 192.168.100.2 Server2-Inside
name 192.168.100.5 Sharepoint-Inside
name 192.168.1.0 Highline-inside
!
interface Ethernet0/0
speed 100
duplex full
nameif Outside
security-level 0
pppoe client vpdn group blah ip address xxxx 255.255.255.255 pppoe setroute
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
nameif Highline
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.11.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name domain.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group service Sharepoint-SSL tcp
port-object eq 444
object-group service Zone3-17365 tcp
port-object eq 17365
object-group service Konica-printing tcp
port-object eq 9100
access-list Outside_access_in extended permit tcp any host Server2-Outside eq 3389
access-list Outside_access_in extended permit tcp any host Server2-Outside eq smtp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq ftp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq www
access-list Outside_access_in extended permit tcp any host Server2-Outside eq https
access-list Outside_access_in extended permit tcp any host Server2-Outside eq pptp
access-list Outside_access_in extended permit gre any host Server2-Outside
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq www
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq https
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Zone3-17365
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Sharepoint-SSL
access-list Outside_access_in extended permit tcp any host Konica-Outside object-group Konica-printing
access-list valley_nat0 extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list valley_cryptomap extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_outbound extended permit ip 192.168.100.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_static extended permit ip host Server2-Inside any
access-list Inside_nat_static_1 extended permit ip host Server2-Inside host 172.29.12.5
access-list Inside_nat_static_2 extended permit ip host 192.168.100.12 host 172.29.12.1
access-list Highline_access_in extended permit ip any any
access-list Inside extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Highline 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 2 10.99.12.10-10.99.12.254 netmask 255.255.255.0
global (Outside) 1 interface
nat (Inside) 2 access-list Inside_nat_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Highline) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) Sharepoint-Outside Sharepoint-Inside netmask 255.255.255.255
static (Inside,Outside) Konica-Outside Konica-Inside netmask 255.255.255.255
static (Inside,Outside) 10.99.12.5  access-list Inside_nat_static_1
static (Inside,Outside) Server2-Outside  access-list Inside_nat_static
static (Inside,Outside) 10.99.12.1  access-list Inside_nat_static_2
access-group Outside_access_in in interface Outside
access-group Inside in interface Inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TEST esp-aes-256 esp-sha-hmac
crypto ipsec transform-set VALLEY esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map valley_map 1 match address valley_nat0
crypto map valley_map 1 set pfs group5
crypto map valley_map 1 set peer 146.129.253.3
crypto map valley_map 1 set transform-set VALLEY
crypto map valley_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.100.0 255.255.255.0 Inside
telnet Highline-inside 255.255.255.0 Highline
telnet 192.168.11.0 255.255.255.0 management
telnet timeout 30
ssh timeout 5
console timeout 0
vpdn group blah request dialout pppoe
vpdn group blaht localname userID vpdn group blah ppp authentication pap
vpdn username userID password ***** store-local
dhcpd address 192.168.11.2-192.168.11.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ra.2Iw6nrBEaHn0M encrypted
tunnel-group 146.129.253.3 type ipsec-l2l
tunnel-group 146.129.253.3 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:00b59ad338b05a319e3a9d890b7d6fbc
: end

Julio Carvaja Tue, 08/21/2012 - 23:01

Did not answer the wireshark questions I think I know  what that means!! Just remember related to connection problems wireshark is your best friend, he does not lie

gbarker@andseat... Tue, 08/21/2012 - 23:41

Sorry Julio,  I completely missed that post.

I just re-ran a capture and could see no traffic from or to 192.168.100.2.  None at all.

Of course, I don't use Wireshark very often and I'm not sure how to filter on Syn or Syn Ack.  What I did was sort the source and destination columns and looked for traffic from 192.168.100.2 and came up with nothing.  Is there a better way to filter to get your answer?

Thanks,

Correct Answer
Ramraj.Sivagnanam Wed, 08/22/2012 - 01:39

Hi Bro

Can you add these commands and this should work.

!

access-list Inside-to-Highline permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list Highline-to-Inside permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

!

nat (Inside) 0 access-list Inside-to-Highline

nat (Highline) 0 access-list Highline-to-Inside

!

clear xlate

!

!!!!!!!!!!!!!!!!!!!! This is not important to remove but just do it for now. Later you could add them back. !!!!!!!!!!!!!!!!!!!!!!

no threat-detection basic-threat                                         

no threat-detection statistics access-list

!

Basically, when Inside wants to communicate with Highline or vice-versa, you’ll need to enable “NAT Exemption” i.e. nat (nameif) 0 . I know you have already enabled the same-security permit inter-interface command, but this command becomes useless once you’ve enable dynamic nat on one of those interfaces. It’s as if the same-security traffic command wasn't even entered in the first place. Hence, the Cisco ASA is behaving as expected as per Cisco's documentation. For further details on this, you could refer to the URLs below;

https://supportforums.cisco.com/thread/223898

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530

P/S: If you think this comment is useful, please do rate it nicely :-) and click on the "Correct Answer" button

gbarker@andseat... Wed, 08/22/2012 - 08:55


Thanks so much for your help on this Ramraj.  This did work for me.

I wish I could rate some of Julio's posts as they were helpful in terms of confirming where exactly the problem lay.

You guys are both very helpful.

Cheers,

Geoffrey

Julio Carvaja Wed, 08/22/2012 - 09:31

Hello Geoffrey,

I dont know what you mean by this  as its possible to rate as many answers on a post as you like.

"I wish I could rate some of Julio's posts as they were helpful in terms of confirming where exactly the problem lay"

Now regarding the solution that my friend Ramraj provided you the Static Identity NAT should also works as it has a better priority than the regular Dynamic nat, so both of those options ( Nat exepmtion or Identity NAT) should work wheter you have 2 interfaces with the same security traffic or not.

Regards,

Julio

gbarker@andseat... Wed, 08/22/2012 - 09:48

Sorry again Julio,

It was an interface thing (I don't post on the forums often).

I was trying to select stars at the top of the post...  Oops.

I really appreciated your help on this..

Ramraj.Sivagnanam Tue, 08/21/2012 - 23:17

Hi Bro

You've accidentally deleted this command shown below. Please paste the command shown below back into the FW and furnish us with the FW latest show running-config.

access-group Highline_access_in in interface Highline

gbarker@andseat... Tue, 08/21/2012 - 23:27

Hi Ramraj,

That got taken out in an earler step.

I've added it back now but traffic is still not getting through.

Here's the current SH RUN:

hostname ASA
domain-name domain.org
enable password c7Ik4QWNoVuUmbYX encrypted
passwd c7Ik4QWNoVuUmbYX encrypted
names
name xxxx Server2-Outside
name xxxx Konica-Outside
name xxxx Sharepoint-Outside
name 192.168.100.15 Konica-Inside
name 192.168.100.2 Server2-Inside
name 192.168.100.5 Sharepoint-Inside
name 192.168.1.0 Highline-inside
!
interface Ethernet0/0
speed 100
duplex full
nameif Outside
security-level 0
pppoe client vpdn group blah

ip address xxxx 255.255.255.255 pppoe setroute
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
nameif Highline
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.11.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name domain.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group service Sharepoint-SSL tcp
port-object eq 444
object-group service Zone3-17365 tcp
port-object eq 17365
object-group service Konica-printing tcp
port-object eq 9100
access-list Outside_access_in extended permit tcp any host Server2-Outside eq 3389
access-list Outside_access_in extended permit tcp any host Server2-Outside eq smtp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq ftp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq www
access-list Outside_access_in extended permit tcp any host Server2-Outside eq https
access-list Outside_access_in extended permit tcp any host Server2-Outside eq pptp
access-list Outside_access_in extended permit gre any host Server2-Outside
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq www
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq https
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Zone3-17365
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Sharepoint-SSL
access-list Outside_access_in extended permit tcp any host Konica-Outside object-group Konica-printing
access-list valley_nat0 extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list valley_cryptomap extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_outbound extended permit ip 192.168.100.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_static extended permit ip host Server2-Inside any
access-list Inside_nat_static_1 extended permit ip host Server2-Inside host 172.29.12.5
access-list Inside_nat_static_2 extended permit ip host 192.168.100.12 host 172.29.12.1
access-list Highline_access_in extended permit ip any any
access-list Inside extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Highline 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 2 10.99.12.10-10.99.12.254 netmask 255.255.255.0
global (Outside) 1 interface
nat (Inside) 2 access-list Inside_nat_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Highline) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) Sharepoint-Outside Sharepoint-Inside netmask 255.255.255.255
static (Inside,Outside) Konica-Outside Konica-Inside netmask 255.255.255.255
static (Inside,Outside) 10.99.12.5  access-list Inside_nat_static_1
static (Inside,Outside) Server2-Outside  access-list Inside_nat_static
static (Inside,Outside) 10.99.12.1  access-list Inside_nat_static_2
access-group Outside_access_in in interface Outside
access-group Inside in interface Inside
access-group Highline_access_in in interface Highline
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TEST esp-aes-256 esp-sha-hmac
crypto ipsec transform-set VALLEY esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map valley_map 1 match address valley_nat0
crypto map valley_map 1 set pfs group5
crypto map valley_map 1 set peer 146.129.253.3
crypto map valley_map 1 set transform-set VALLEY
crypto map valley_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.100.0 255.255.255.0 Inside
telnet Highline-inside 255.255.255.0 Highline
telnet 192.168.11.0 255.255.255.0 management
telnet timeout 30
ssh timeout 5
console timeout 0
vpdn group blah request dialout pppoe
vpdn group blah localname User
vpdn group blah ppp authentication pap
vpdn username User password ***** store-local
dhcpd address 192.168.11.2-192.168.11.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ra.2Iw6nrBEaHn0M encrypted
tunnel-group 146.129.253.3 type ipsec-l2l
tunnel-group 146.129.253.3 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d2c5109e3947001d109ad97115649955
: end

Actions

Login or Register to take actions

This Discussion

Posted August 21, 2012 at 10:29 AM
Stats:
Replies:33 Avg. Rating:4.16667
Views:1680 Votes:0
Shares:0

Related Content

Discussions Leaderboard

Rank Username Points
1 7,861
2 6,140
3 3,165
4 1,473
5 1,446