New Member

ASA 5505 - allow traffic between inside interfaces

Hi All - Cisco ASA novice here... I have a question that I'm guessing is pretty straightforward. I'm trying to allow traffic between 2 inside interfaces with the same security level, VLAN1 and VLAN15. They are on different physical ports on the ASA. I tried to configure this through the GUI web interface and checked 'enable traffic between two or more interfaces with the same security levels'. With this ASA version, I do not need NAT to allow this, correct? What am I missing?

ASA Version 8.2(1)
!
hostname ciscoasa
enable password UMrZyv1DTPLXGFch encrypted
passwd UMrZyv1DTPLXGFch encrypted
names
name XX.YY.163.39 EDI_XX.YY.163.39
name XX.YY.163.38 EDI2_XX.YY.163.38
name 10.66.91.135 UMASS_10.66.91.135 description UMASS VPN
name 172.16.16.236 EDI2_172.16.16.236 description Polaris EDI2
name 172.16.16.235 EDI_172.16.16.235 description Polaris EDI
name 192.168.25.17 ImagingInst_192.168.25.17 description ImagingInstitute
name 192.168.25.21 ImagingInst_192.168.25.21 description ImagingInstitute
name 192.168.25.22 ImagingInst_192.168.25.22 description ImagingInstitute
name 192.168.25.8 ImagingInst_192.168.25.8 description ImagingInstitute
name 10.88.0.4 UMASS_10.88.0.4 description UMASS VPN
name 10.88.8.80 UMASS_10.88.8.80 description UMASS VPN
name 172.16.16.231 Utility_172.16.16.231 description Testing
name 172.16.16.241 MonitorInt_172.16.16.241 description MonitorInt
name AA.BB.136.26 Monitor_AA.BB.136.26 description Monitor
name AA.BB.154.135 Monitor_AA.BB.154.135 description Monitor
name XX.YY.163.40 Utility_XX.YY.163.40 description Used for  monitoring, and may be used for other
name XX.BB.188.130 Monitor_AA.BB.188.130 description MonitorTest
name 172.16.16.232 Gateway_172.16.16.232
name XX.YY.163.41 Gateway_XX.YY.163.41
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.16.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.YY.163.36 255.255.255.240
!
interface Vlan5
 shutdown
 nameif dmz
 security-level 50
 no ip address
!
interface Vlan15
 nameif MCBackendTraffic
 security-level 100
 ip address 172.22.1.220 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 15
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
object-group network ImagingInstGroup
 network-object host ImagingInst_192.168.25.17
 network-object host ImagingInst_192.168.25.21
 network-object host ImagingInst_192.168.25.22
 network-object host ImagingInst_192.168.25.8
object-group service EDI2_Ports tcp
 port-object eq https
 port-object eq ssh
object-group service EDI_Ports tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object host UMASS_10.66.91.135
 network-object host UMASS_10.88.0.4
 network-object host UMASS_10.88.8.80
object-group network DM_INLINE_NETWORK_2
 network-object host Monitor_XX.YY.136.26
 network-object host Monitor_XX.YY.154.135
 network-object host Monitor_XX.YY.188.130
object-group service Monitor_Ports
 service-object tcp-udp range 48000 48020
 service-object tcp eq ssh
 service-object udp eq snmp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list outside_1_cryptomap extended permit ip 172.16.16.0 255.255.255.0 10.242.55.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 10.242.55.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host EDI2_172.16.16.236 host UMASS_10.66.91.135
access-list inside_nat0_outbound extended permit ip host EDI2_172.16.16.236 object-group ImagingInstGroup
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip any 172.16.16.96 255.255.255.240
access-list outside_access_in extended permit tcp any host EDI2_XX.YY.163.38 object-group EDI2_Ports
access-list outside_access_in extended permit tcp any host EDI_XX.YY.163.39 object-group EDI_Ports
access-list outside_access_in extended permit object-group Monitor_Ports object-group DM_INLINE_NETWORK_2 host Utility_XX.YY.163.40
access-list outside_access_in extended permit tcp any host Gateway_XX.YY.163.41 object-group DM_INLINE_TCP_1
access-list outside_2_cryptomap extended permit ip 172.16.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_3_cryptomap extended permit ip 172.16.16.0 255.255.255.0 object-group ImagingInstGroup
access-list throttle_edi_servers extended permit ip host EDI2_XX.YY.163.38 any
access-list throttle_edi_servers extended permit ip any host EDI2_XX.YY.163.38
access-list throttle_edi_servers extended permit ip host EDI_XX.YY.163.39 any
access-list throttle_edi_servers extended permit ip any host EDI_XX.YY.163.39
access-list RemoteAccessVPN_splitTunnelAcl standard permit 172.16.16.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm warnings
logging mail errors
logging from-address noreply@utility..com
logging recipient-address aa@bb.com level errors
logging host inside Utility_172.16.16.231
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu MCBackendTraffic 1500
ip local pool VPNPool 172.16.16.101-172.16.16.111 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) EDI_XX.YY.163.39 EDI_172.16.16.235 netmask 255.255.255.255
static (inside,outside) EDI2_XX.YY.163.38 EDI2_172.16.16.236 netmask 255.255.255.255
static (inside,outside) Utility_XX.YY.163.40 MonitorInt_172.16.16.241 netmask 255.255.255.255
static (inside,outside) Gateway_XX.YY.163.41 Gateway_172.16.16.232 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.YY.163.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.16.0 255.255.255.0 inside
http 10.242.55.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer AA.CC.125.146
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer AA.CC.139.26
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer AA.CC.56.227
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.16.16.0 255.255.255.0 inside
telnet 10.242.55.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns XX.YY.136.155 XX.YY.136.100
dhcpd auto_config outside
!
dhcpd address 172.16.16.5-172.16.16.100 inside
dhcpd dns XX.YY.136.155 XX.YY.136.100 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc
group-policy RemoteAccessVPN internal
group-policy RemoteAccessVPN attributes
 dns-server value 172.16.16.230
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccessVPN_splitTunnelAcl
 default-domain value .com
username remote password HP6P1nlQDIJY7Y8G encrypted privilege 0
username remote attributes
 vpn-group-policy RemoteAccessVPN
tunnel-group AA.CC.125.146 type ipsec-l2l
tunnel-group AA.CC.125.146 ipsec-attributes
 pre-shared-key *
tunnel-group AA.CC.139.26 type ipsec-l2l
tunnel-group AA.CC.139.26 ipsec-attributes
 pre-shared-key *
tunnel-group AA.CC.56.227 type ipsec-l2l
tunnel-group AA.CC.56.227 ipsec-attributes
 pre-shared-key *
tunnel-group RemoteAccessVPN type remote-access
tunnel-group RemoteAccessVPN general-attributes
 address-pool VPNPool
 default-group-policy RemoteAccessVPN
tunnel-group RemoteAccessVPN ipsec-attributes
 pre-shared-key *
!
class-map throttle-me
 match access-list throttle_edi_servers
!
!
policy-map throttle-policy
 class throttle-me
  police output 524000 4000
  police input 524000 4000
!
service-policy throttle-policy interface outside
smtp-server 172.16.16.231
prompt hostname context
Cryptochecksum:884757d08c2dab5220a40758f543f8fb
: end

1 REPLY
New Member

ASA 5505 - allow traffic between inside interfaces

Would this work?

access-list nonat extended permit ip 172.22.1.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list nonat extended permit ip 172.16.16.0 255.255.255.0 172.22.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (MCBackendTraffic) 0 access-list nonat

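The following is an added worked example, not part of the thread and not Cisco's code. It models the ASA 8.2 NAT order of operations on a condensed copy of the posted configuration to show why the original question's inside-to-MCBackendTraffic flows fail although both interfaces are at security level 100 and same-security-traffic permit inter-interface is set: the dynamic nat (inside) 1 statement matches every inside host, and with no global (MCBackendTraffic) 1 the firewall drops the flow with syslog %ASA-3-305005 ("no translation group found"). It also exercises the reply's nat 0 exemption. Assumptions the example makes: nat-control is disabled (the post shows no nat-control line), the 172.22.1.0 mask is 255.255.255.0 to match the 172.22.1.220/24 interface, only one nat 0 access-list is kept per interface so a later one replaces an earlier one, and name aliases and object-groups are not resolved (only literal addresses, host and any are parsed). The condensed configurations are constructed from the post.

```python
"""Model of the ASA 8.2 NAT order of operations (added example, not from the
thread) showing why inside -> MCBackendTraffic flows on the posted config are
dropped even though both interfaces are security-level 100 and
'same-security-traffic permit inter-interface' is configured.
Only the syntax needed for the check is parsed; nat-control is assumed off."""
import ipaddress
from collections import defaultdict

# NAT-relevant lines condensed from the posted configuration (constructed).
POSTED_CONFIG = """
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 10.242.55.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The reply's proposal on top of it (assumed /24 mask, matching 172.22.1.220/24).
REPLY_CONFIG = POSTED_CONFIG + """
access-list nonat extended permit ip 172.22.1.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list nonat extended permit ip 172.16.16.0 255.255.255.0 172.22.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (MCBackendTraffic) 0 access-list nonat
"""
# Same intent, but the inside-side entry is appended to the ACL already bound
# to 'nat (inside) 0', so the existing VPN exemption survives.
MERGED_CONFIG = POSTED_CONFIG + """
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nonat extended permit ip 172.22.1.0 255.255.255.0 172.16.16.0 255.255.255.0
nat (MCBackendTraffic) 0 access-list nonat
"""


def _net(tok, i):
    """Read 'any', 'host A' or 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse(config):
    """Collect the NAT-relevant statements of an ASA 8.2 configuration."""
    st = {"same_sec": False, "acl": defaultdict(list), "nat0": {},
          "dyn": defaultdict(list), "global": set(), "static": []}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["same-security-traffic", "permit", "inter-interface"]:
            st["same_sec"] = True
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _net(t, 5)
            st["acl"][t[1]].append((src, _net(t, i)[0]))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            st["nat0"][t[1].strip("()")] = t[4]  # a later nat 0 ACL replaces an earlier one
        elif t[0] == "nat" and t[2] != "0":
            st["dyn"][t[1].strip("()")].append((t[2], _net(t, 3)[0]))
        elif t[0] == "global":
            st["global"].add((t[1].strip("()"), t[2]))
        elif t[0] == "static":  # static (real_ifc,mapped_ifc) MAPPED REAL netmask M
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            st["static"].append((real_ifc, mapped_ifc, _net([t[3], t[5]], 0)[0]))
    return st


def nat_verdict(st, src_ifc, dst_ifc, src, dst, same_level=False):
    """Return (passes, reason) for a new flow src_ifc -> dst_ifc."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if same_level and not st["same_sec"]:
        return False, "same-security inter-interface traffic is not permitted"
    acl = st["nat0"].get(src_ifc)  # 1. nat 0 exemption wins outright
    if acl and any(src in s and dst in d for s, d in st["acl"][acl]):
        return True, f"nat 0 exemption via access-list {acl}"
    for real_ifc, mapped_ifc, real in st["static"]:  # 2. static translation
        if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and src in real:
            return True, f"static translation for {real}"
    for nat_id, net in st["dyn"][src_ifc]:  # 3. dynamic NAT needs a global on dst
        if src in net:
            if (dst_ifc, nat_id) in st["global"]:
                return True, f"dynamic NAT id {nat_id} via global ({dst_ifc})"
            return False, (f"nat ({src_ifc}) {nat_id} matches but no global ({dst_ifc}) "
                           f"{nat_id} exists: %ASA-3-305005 no translation group found")
    return True, "no nat statement matches; nat-control is disabled"


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("reply", REPLY_CONFIG), ("merged", MERGED_CONFIG)):
        st = parse(cfg)
        print(label, "inside->MCBackendTraffic:",
              nat_verdict(st, "inside", "MCBackendTraffic", "172.16.16.10", "172.22.1.50", True))
        print(label, "inside->outside to VPN peer net:",
              nat_verdict(st, "inside", "outside", "172.16.16.10", "10.242.55.5"))
```

Running it shows the three states side by side: on the posted config the inside-to-MCBackendTraffic flow is dropped with the 305005 reason while the VPN-bound flow is exempted; with the reply's lines applied as written the backend flow passes, but because nat (inside) 0 access-list nonat replaces inside_nat0_outbound the VPN-bound flow now falls through to dynamic NAT (global (outside) 1) instead of being exempted; with the new entry appended to inside_nat0_outbound both flows stay exempt. On a real 8.2 box the corresponding checks are the 305005 entries in the syslog and the output of show nat for the two interfaces.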