06-13-2012 03:02 AM - edited 03-11-2019 04:18 PM
Good Morning,
I am fairly new to configuring ASAs so I wonder if anyone could help with an issue I am having. I have an ASA 5505 with one outside interface and three inside interfaces (inside1, inside2, and management). I need inside1 and inside2 to be able to talk to each other but cannot work out how to make this happen. They are both configured to the same security level and the 'Enable traffic between interfaces with same security level' box is ticked. I have also tried adding appropriate NAT and Access rules. The packet tracer suggests the rules are correct for allowing traffic flow between interfaces but obviously this may not be the case. Any ideas how to make this work?
I have attached my config for reference.
Thanks in advance,
Russell
06-13-2012 04:00 AM
You can remove the following commands:
static (inside1,inside1) 172.16.1.0 access-list inside1_nat_static
static (inside2,inside2) 192.168.2.0 access-list inside2_nat_static
access-group inside1_access_in in interface inside1
access-group inside1_access_out out interface inside1
access-group inside2_access_in in interface inside2
access-group inside2_access_out out interface inside2
Then configure the following:
static (inside1,inside2) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
Finally, "clear xlate" to clear any existing translations.
That should allow access between inside1 and inside2
06-13-2012 04:10 AM
Hi
Correct static translation rules
static (inside1,inside2) 172.16.1.0 access-list inside1_nat_static
static (inside2,inside1) 192.168.2.0 access-list inside2_nat_static
also
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
because IP includes ICMP UDP TCP
06-13-2012 04:13 AM
access-group inside1_access_in in interface inside1
access-group inside1_access_out out interface inside1
access-group inside2_access_in in interface inside2
access-group inside2_access_out out interface inside2
this access-group is pointless because it allows all traffic
06-13-2012 04:17 AM
Hi Jennifer
I had not seen that it was already answered.
06-13-2012 08:33 AM
Thanks all for the replies. I have made the suggested changes but the two interfaces still don't seem to be able to talk to each other. Machines on the inside1 network can ping each other but cannot ping machines on the inside2 network and vice versa. If I do a traceroute from one interface to another it times out on the first hop, so it doesn't give much info. I cannot see anything else wrong with the rulebase that may be stopping the flow. Any ideas?
Kind Regards,
Russell
06-13-2012 07:55 PM
Hi
Do machines on the inside1 network have default gateway 192.168.2.254?
Do machines on the inside2 network have default gateway 172.16.1.254?
Post here the output of
ipconfig /all
from machines on inside1 and inside2.
Probably there is no default gateway in the inside1 network:
!
dhcpd address 192.168.2.100-192.168.2.253 inside1
dhcpd dns 194.72.6.57 194.73.82.242 interface inside1
dhcpd enable inside1
!
and don't forget to rate the post
06-14-2012 02:14 AM
Yes, default gateway is set correctly. Machines on the inside1 network all have the default gateway 192.168.2.254 and the inside2 network have 172.16.1.254. All machines can also successfully ping their own default gateway. This puzzled me as well because I thought the traceroute would at least get to the default gateway (IP address of the source interface), even if it goes no further, but it does not even get that far.
Kind Regards,
Russell
06-14-2012 02:56 AM
Hi
First of all, try removing the access-lists on inside1 and inside2:
conf t
no access-group inside1_access_in in interface inside1
no access-group inside1_access_out out interface inside1
no access-group inside2_access_in in interface inside2
no access-group inside2_access_out out interface inside2
exi
and check connectivity from inside1 to inside2.
If not, the mistake is in the static translation rules.
Post the result here and we will continue.
06-14-2012 03:39 AM
Hi, I have removed the above but still unable to ping between networks. Up-to-date config printed below.
Kind Regards,
Russell
: Saved
:
ASA Version 8.2(5)
!
hostname cerberus
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 42
!
interface Ethernet0/2
switchport access vlan 32
!
interface Ethernet0/3
switchport access vlan 22
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 52
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface Vlan2
nameif outside
security-level 0
ip address 195.171.131.50 255.255.255.240
!
interface Vlan12
nameif inside1
security-level 50
ip address 192.168.2.254 255.255.255.0
!
interface Vlan22
nameif inside2
security-level 50
ip address 172.16.1.254 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list inside1_access_out extended permit ip any any
access-list inside1_access_in extended permit ip any any
access-list management_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list management_access_out extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list inside1_nat_static extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside2_nat_static extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside2_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list inside2_access_out extended permit object-group DM_INLINE_PROTOCOL_6 any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside1 1500
mtu inside2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (management) 1 192.168.1.0 255.255.255.0
nat (inside1) 1 192.168.2.0 255.255.255.0
nat (inside2) 1 172.16.1.0 255.255.255.0
static (inside1,inside2) 172.16.1.0 access-list inside1_nat_static
static (inside2,inside1) 192.168.2.0 access-list inside2_nat_static
access-group management_access_in in interface management
access-group management_access_out out interface management
route outside 0.0.0.0 0.0.0.0 195.171.131.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 management
dhcpd dns 194.72.6.57 194.73.82.242 interface management
dhcpd enable management
!
dhcpd address 192.168.2.100-192.168.2.253 inside1
dhcpd dns 194.72.6.57 194.73.82.242 interface inside1
dhcpd enable inside1
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:31109763a4e257072caddf9574b58b53
: end
06-14-2012 04:15 AM
Second step is the simplest static NAT:
conf t
no static (inside1,inside2) 172.16.1.0 access-list inside1_nat_static
no static (inside2,inside1) 192.168.2.0 access-list inside2_nat_static
static (inside2,inside1) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside1,inside2) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
exi
If it doesn't help, the third step:
conf t
interface Vlan22
nameif inside2
security-level 55
exi
06-14-2012 06:03 AM
Thanks, ok I have tried the above, first changing the static NAT and then changing the security level of the interface. But the two networks will still not talk to each other. I cannot figure out what could still be stopping it. Any ideas?
Kind Regards,
Russell
06-14-2012 10:36 AM
Hi,
I guess it should work with the access-rule permit itself, because both the zones are directly connected to the firewall...
Remove the current ACLs and NAT confs..
Leave both interfaces at the same security level...
access-list inside_1 extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
!
access-list inside_2 extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
access-group inside_1 in interface inside1
access-group inside_2 in interface inside2
!
route outside 0.0.0.0 0.0.0.0 195.171.131.50
For the outside network alone you need NAT to be enabled, since that is getting translated into the public network....
These are all directly connected networks, so it should work with the ACL permit itself.....
If it is not working, remove the VLANs and conf it as routed interfaces with the same IPs and try out...
Definitely it should work.
06-14-2012 12:01 PM
With the same security level, it should work.
If you just try to ping, please add ICMP inspection:
policy-map global_policy
class inspection_default
inspect icmp
Also check to see if you have any firewall enabled on the server/host that you are trying to ping as it normally will block ping from different subnet. Disable it temporarily while testing, or configure rule to allow inbound ICMP. By default it allows ping from the same subnet so you should be able to ping the host from the ASA itself.
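The thread turns on four things in the running config: the two inside interfaces sharing a security level with `same-security-traffic permit inter-interface` set, identity static NAT in both directions between them, `inspect icmp` under `class inspection_default` so that ping replies are tracked statefully, and the redundant `protocol-object` entries pointed out earlier (`ip` already covers icmp/udp/tcp). The script below is an added example written for this thread, not code from Cisco or from any poster: it parses a `show run`-style config (indented child lines under their parent command, as real ASA output is; the constructed sample mirrors the interface names and addresses from the thread) and reports which of those conditions are missing. Function names and the check list are my own.

```python
"""Audit an ASA 8.2-style running config for the inter-interface
connectivity conditions discussed in this thread (added example, not
Cisco or poster code).  Assumes 'show run' indentation for child lines."""
import re

# Constructed sample: interface names/addresses follow the thread, with
# identity statics already in place but 'inspect icmp' still missing.
SAMPLE_CONFIG = """\
ASA Version 8.2(5)
hostname cerberus
interface Vlan12
 nameif inside1
 security-level 50
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan22
 nameif inside2
 security-level 50
 ip address 172.16.1.254 255.255.255.0
!
same-security-traffic permit inter-interface
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
static (inside1,inside2) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside2,inside1) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
!
service-policy global_policy global
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r'^static \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\) '
    r'(?P<mapped_ip>\S+) (?P<real_ip>\S+) netmask (?P<mask>\S+)')


def parse_blocks(config):
    """Group indented continuation lines under their top-level command."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith(('!', ':')):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def interfaces(blocks):
    """Map nameif -> security-level for every named interface."""
    result = {}
    for header, children in blocks:
        if header.startswith('interface '):
            name, level = None, None
            for c in children:
                if c.startswith('nameif '):
                    name = c.split()[1]
                elif c.startswith('security-level '):
                    level = int(c.split()[1])
            if name is not None:
                result[name] = level
    return result


def inter_interface_allowed(blocks):
    return any(h == 'same-security-traffic permit inter-interface' for h, _ in blocks)


def icmp_inspected(blocks):
    """True if 'inspect icmp' sits under class inspection_default of global_policy."""
    for header, children in blocks:
        if header == 'policy-map global_policy':
            in_class = False
            for c in children:
                if c.startswith('class '):
                    in_class = c.split()[1] == 'inspection_default'
                elif in_class and c == 'inspect icmp':
                    return True
    return False


def identity_statics(blocks):
    """{(real_if, mapped_if): network} for statics whose mapped == real address."""
    found = {}
    for header, _ in blocks:
        m = STATIC_RE.match(header)
        if m and m['mapped_ip'] == m['real_ip']:
            found[(m['real'], m['mapped'])] = m['real_ip']
    return found


def redundant_protocol_groups(blocks):
    """Protocol object-groups that list 'ip' alongside other protocols."""
    names = []
    for header, children in blocks:
        if header.startswith('object-group protocol '):
            protos = {c.split()[1] for c in children if c.startswith('protocol-object ')}
            if 'ip' in protos and len(protos) > 1:
                names.append(header.split()[2])
    return names


def audit(config, a='inside1', b='inside2'):
    """Return a list of findings for traffic between interfaces a and b."""
    blocks = parse_blocks(config)
    ifs = interfaces(blocks)
    findings = []
    if ifs.get(a) == ifs.get(b) and not inter_interface_allowed(blocks):
        findings.append('same-security-traffic permit inter-interface missing')
    statics = identity_statics(blocks)
    if (a, b) not in statics or (b, a) not in statics:
        findings.append('identity static NAT not present in both directions')
    if not icmp_inspected(blocks):
        findings.append('inspect icmp missing: ping replies are not tracked statefully')
    for g in redundant_protocol_groups(blocks):
        findings.append(f'object-group {g}: protocol-object ip already covers the others')
    return findings


if __name__ == '__main__':
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run against the sample it reports the missing `inspect icmp` and the redundant protocol group; after adding `inspect icmp` under `class inspection_default` the ICMP finding disappears, which is the change that resolved the thread.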
06-15-2012 08:12 AM
Jennifer, I added the ICMP inspection in and I can now ping from one network to another. Thank you very much indeed!
Thanks everyone for your help.
Kind Regards,
Russell