ASA 5520 Allow all internal networks

Answered Question
Jul 15th, 2014

Hello everyone,

We have a Cisco ASA 5520 firewall with several interfaces configured for our internal networks, with the same Security-Level = 100 set for all, configured to enable traffic between two or more internal interfaces - still not working.

We have ASA version 9.0(3)

Not sure what's stopping this traffic or what's required to allow all internal networks to communicate together.

Thank you

Jouni Forss Tue, 07/15/2014 - 06:01

Hi,

Can you share any configurations?

Are you sure you have the following command enabled? I think you are saying that you do but just want to make sure, as there are 2 similar commands

same-security-traffic permit inter-interface

If that is enabled, then have you confirmed that there are no ACLs attached that could potentially block the traffic?

show run access-group

If no ACLs block the traffic from behind the internal interfaces of the ASA, then have you made sure that the network devices connected to the ASA are configured correctly so that the traffic is actually forwarded to the ASA? Is there any other device besides the ASA that could block the connections that you are trying?

Have you configured the appropriate routing configurations for the source/destination networks, or are they directly connected to the ASA? Have you checked the output of the following commands to confirm that the routes are there?

show run route

show route

Have you tried the "packet-tracer" command to simulate the connections? For example

packet-tracer input <source interface> tcp <source ip> 12345 <destination ip> <destination port>

With regards to NAT and your current software level, you should not need any NAT configuration for traffic between these networks behind different interfaces of the ASA. This was different in the older software versions.

Maybe checking the above things should get us some information on what the problem is. Naturally, to confirm the situation with the ASA, the "packet-tracer" result and the actual ASA configuration would be the best things to solve the problem.

Hope this helps :)

- Jouni

Stephen Sisson Tue, 07/15/2014 - 06:48

Hi Jouni, hope all is well

The config file is listed below

ASA Version 9.0(3)
!
hostname PCSI-5520ASA-DR
domain-name PCSASA.org
enable password  encrypted
passwd  encrypted
names
!
interface GigabitEthernet0/0
 description <**TW_ISP_WAN_INT**>
 nameif outside
 security-level 0
 ip address 98.101.206.254 255.255.255.0
!
interface GigabitEthernet0/1
 description CSI_VLAN101_NETWORK
 nameif VLAN101
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 description CSI_VLAN102_NETWORK
 nameif VLAN102
 security-level 100
 ip address 10.10.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 description CSI_VLAN104_NETWORK
 nameif VLAN104
 security-level 100
 ip address 10.10.4.1 255.255.255.0
!
interface Management0/0
 description <**IT_MGMT_Network**>
 nameif VLAN172
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1/0
 description CSI_VLAN106_NETWORK
 nameif VLAN106
 security-level 100
 ip address 10.10.6.1 255.255.255.0
!
interface GigabitEthernet1/1
 description CSI_VLAN107_NETWORK
 nameif VLAN107
 security-level 100
 ip address 10.10.7.1 255.255.255.0
!
interface GigabitEthernet1/2
 description CSI_VLAN108_NETWORK
 nameif VLAN108
 security-level 100
 ip address 10.10.8.1 255.255.255.0
!
interface GigabitEthernet1/3
 description CSI_VLAN109_NETWORK
 nameif VLAN109
 security-level 100
 ip address 10.10.9.1 255.255.255.0
!
boot system disk0:/asa903-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup VLAN172
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.2.2.1
 domain-name PCSASA.org
same-security-traffic permit inter-interface
object network OBJ_ANY
 subnet 0.0.0.0 0.0.0.0
 description NAT_Internet_Access_7_10_14
object network my_laptop
 host 172.16.1.189
 description My laptop 7_10_14
object network MY_LAPTOP
 host 172.16.1.189
object service RDP3389
 service tcp destination eq 3389
 description RDP access
object-group network IT_MGMT_Network
 description IT_Management_Network
 network-object object my_laptop
access-list outside_access_in remark test access 7-10-14
access-list outside_access_in extended permit object RDP3389 any object my_laptop
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu VLAN172 1500
mtu VLAN101 1500
mtu VLAN102 1500
mtu VLAN104 1500
mtu VLAN106 1500
mtu VLAN107 1500
mtu VLAN108 1500
mtu VLAN109 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network OBJ_ANY
 nat (any,outside) dynamic interface
object network MY_LAPTOP
 nat (VLAN172,any) static 98.101.206.253
!
nat (VLAN172,outside) after-auto source dynamic any interface description PAT_NAT_INTERNET_ACCESS_7_10_14
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 98.101.206.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http server idle-timeout 480
http server session-timeout 480
http  VLAN172
http  outside
http outside
http  outside
http  outside
http  outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet  VLAN172
telnet timeout 60
ssh outside
ssh  outside
ssh  outside
ssh  outside
ssh  outside
ssh  VLAN172
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.87.104.40 source outside
ntp server 64.113.32.9 source outside
ntp server 50.22.155.163 source outside

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3c350ef9cbd162df64ce65c252786fd7
: end

We have only one Cisco 3750 switch, which all the clients connect to, routing everything to the 5520 ASA for internet access.

Thanks

Jouni Forss Tue, 07/15/2014 - 07:10

Hi,

Judging from your ASA configuration the C3750 is not doing any routing, as there are no static "route" configurations on the ASA pointing towards any of the interfaces other than the WAN interface of the ASA.

Is the ASA set as the default gateway for each network's hosts, or is there a Vlan interface for each Vlan configured on the 3750 which is acting as the default gateway?

At this point it would seem to me that the problem is possibly in the C3750 configuration. Your ASA configuration seems to suggest that there should only be a switched network behind it (as there are no routes pointing towards the LAN). Yet you say that the 3750 is routing everything to the ASA?

I guess you should check the 3750 configuration or share some configurations.

- Jouni

Stephen Sisson Tue, 07/15/2014 - 07:45

Jouni,

The 3750 switch is directly connected to all internal networks - we can ping each subnet from either device. Do we need routing set up on both the ASA and the 3750 switch?

On the 3750 we have ip route 0.0.0.0 0.0.0.0 to the ASA 172.16.1.1 management interface

Jouni Forss Tue, 07/15/2014 - 07:53

Hi,

But is the 3750 acting as the gateway for the LAN networks, or do the computers use the ASA's interface IP address as the gateway? How are the 3750 interfaces connected to the ASA configured?

If your 3750 is the gateway for all the LAN networks then the above mentioned default route configuration on the 3750 means that ALL traffic out from the LAN networks will be forwarded through the ASA interface that holds the IP address 172.16.1.1.

Then again, if all of the Vlans were using the 3750 as their default gateway then the traffic should flow just fine between the LAN networks.

I would really need to see the 3750 configuration, or at least the routing table of the 3750, to see how it's set up.

- Jouni

Stephen Sisson Tue, 07/15/2014 - 08:13

The 3750 stack - routing information

PCS_LAB_SW1(config)#do sh run | b ip route
ip route 0.0.0.0 0.0.0.0 172.16.1.1

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Vlan172
     10.0.0.0/24 is subnetted, 7 subnets
C       10.10.1.0 is directly connected, Vlan101
C       10.10.2.0 is directly connected, Vlan102
C       10.10.4.0 is directly connected, Vlan104
C       10.10.6.0 is directly connected, Vlan106
C       10.10.7.0 is directly connected, Vlan107
C       10.10.8.0 is directly connected, Vlan108
C       10.10.9.0 is directly connected, Vlan109
S*   0.0.0.0/0 [1/0] via 172.16.1.1

Jouni Forss Tue, 07/15/2014 - 08:32

Hi,

I would still need to know: when the hosts get an IP address from any of the above LAN networks, what is the gateway IP address they get/use? Is it the Vlan interface IP address on the 3750 or the ASA interface IP address?

- Jouni


Stephen Sisson Tue, 07/15/2014 - 08:37

My bad - sorry about that

All servers/clients will use static addressing.

The only way I can make this work is to assign the default gateway to the ASA for all servers/clients.

When I use the 3750 stack as their default gateway they have no internet access, and they can't access any other subnet.

I'm sure we missed something on the 3750 stack or the 5520 ASA

Correct Answer
Jouni Forss Tue, 07/15/2014 - 09:07

Hi,

If you want to use the ASA to control traffic between all the networks then you should not really configure any routing on the 3750. You should simply configure the number of Vlans you need on the 3750.

At the moment it seems to me that you are using a separate physical interface on the ASA for each of the Vlans (I presume each ASA interface is connected to an Access port on the 3750 belonging to the specific Vlan). Typically, though, you would configure a Trunk interface between the ASA and 3750 so you don't have to spend all the physical interfaces on the ASA. You don't necessarily have to use only 1 Trunk interface. You can separate the Vlans onto several Trunk interfaces. Then again, you could also configure a Port-Channel between the 3750 and the ASA and Trunk the Vlans to the ASA through that.

At this point I would imagine the simplest way for you to go that doesn't require that many changes would be to configure every single host to use the ASA interface IP address (for the Vlan in question) as their gateway. You can also remove the IP address from most of the Vlan interfaces. If you need one for Management purposes then I guess you could leave Vlan172 with an IP address so you can connect to the 3750 remotely if needed.

If you want to use DHCP then you can either use the ASA as the DHCP server for each of the interfaces, or you can set up a DHCP server on some Vlan and configure the ASA with DHCP Relay on the interfaces so they relay the DHCP traffic to a server behind another ASA interface.

- Jouni
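The trunk-plus-subinterface design described in the accepted answer, written out as an added configuration example (not from the original thread or from Cisco): the ASA carries every internal Vlan over one dot1q trunk, keeps same-security-traffic enabled so the ASA still mediates Vlan-to-Vlan traffic, and relays DHCP to a server behind VLAN172, while the 3750 becomes a layer-2 switch with only its Vlan172 SVI kept for management. The 3750 trunk port (Gi1/0/24), the 3750 management address 172.16.1.2 and the DHCP server address 172.16.1.10 are assumptions; the Vlan IDs and ASA addresses are the ones posted in the thread.

```cisco
! ===== ASA 5520 (9.0): one dot1q trunk, one sub-interface per Vlan =====
! Assumed: Gi0/1 becomes the trunk to the 3750; Gi0/2-0/3 and Gi1/0-1/3
! are freed. Vlan172 stays on Management0/0 exactly as posted.
interface GigabitEthernet0/1
 description TRUNK_TO_3750
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.101
 vlan 101
 nameif VLAN101
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/1.102
 vlan 102
 nameif VLAN102
 security-level 100
 ip address 10.10.2.1 255.255.255.0
!
! Same pattern for .104, .106, .107, .108 and .109 with their posted addresses.
! Hosts use the ASA sub-interface address (10.10.x.1) as their default gateway.
!
! Still needed: equal security-levels alone do not permit VLAN101 <-> VLAN102.
same-security-traffic permit inter-interface
!
! Optional DHCP: relay client requests to a server behind VLAN172 (assumed IP).
dhcprelay server 172.16.1.10 VLAN172
dhcprelay enable VLAN101
dhcprelay enable VLAN102
dhcprelay timeout 60
!
! ===== Catalyst 3750: layer 2 only, Vlan172 SVI kept for management =====
no ip routing
ip default-gateway 172.16.1.1
!
vlan 101,102,104,106,107,108,109
!
interface GigabitEthernet1/0/24
 description TRUNK_TO_ASA
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,104,106,107,108,109
 switchport mode trunk
!
interface Vlan101
 no ip address
!
interface Vlan172
 ip address 172.16.1.2 255.255.255.0
```

With `no ip routing` the 3750's `ip route 0.0.0.0 0.0.0.0 172.16.1.1` no longer takes effect, so every inter-Vlan and internet flow must pass the ASA's interface ACLs and packet-tracer checks discussed earlier in the thread.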

 

 

 

 

 
