ASA 5505 Traffic flow between interfaces

rkentpayne
Level 1

Good Morning,

I am fairly new to configuring ASAs, so I wonder if anyone could help with an issue I am having. I have an ASA 5505 with one outside interface and three inside interfaces (inside1, inside2, and management). I need inside1 and inside2 to be able to talk to each other but cannot work out how to make this happen. They are both configured to the same security level and the 'Enable traffic between interfaces with same security level' box is ticked. I have also tried adding appropriate NAT and access rules. The packet tracer suggests the rules are correct for allowing traffic flow between interfaces, but obviously this may not be the case. Any ideas how to make this work?

I have attached my config for reference.

Thanks in advance,

Russell



Jennifer Halim
Cisco Employee

You can remove the following commands:

static (inside1,inside1) 172.16.1.0  access-list inside1_nat_static
static (inside2,inside2) 192.168.2.0  access-list inside2_nat_static
access-group inside1_access_in in interface inside1
access-group inside1_access_out out interface inside1
access-group inside2_access_in in interface inside2
access-group inside2_access_out out interface inside2

Then configure the following:

static (inside1,inside2) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Finally, "clear xlate" to clear any existing translations.

That should allow access between inside1 and inside2.

Tagir Temirgaliyev
Spotlight

Hi

Correct the static translation rules:

static (inside1,inside2) 172.16.1.0  access-list inside1_nat_static
static (inside2,inside1) 192.168.2.0  access-list inside2_nat_static

Also:

object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp

because IP already includes ICMP, UDP and TCP.

access-group inside1_access_in in interface inside1
access-group inside1_access_out out interface inside1
access-group inside2_access_in in interface inside2
access-group inside2_access_out out interface inside2

These access-groups are pointless because they allow all traffic.


Hi Jennifer

I had not seen that it was already answered.

rkentpayne
Level 1

Thanks all for the replies. I have made the suggested changes but the two interfaces still don't seem to be able to talk to each other. Machines on the inside1 network can ping each other but cannot ping machines on the inside2 network, and vice versa. If I do a traceroute from one interface to another it times out on the first hop, so it doesn't give much info. I cannot see anything else wrong with the rulebase that may be stopping the flow. Any ideas?

Kind Regards,

Russell

Hi

Do machines on the inside1 network have the default gateway 192.168.2.254?

Do machines on the inside2 network have the default gateway 172.16.1.254?

Post here the output of

ipconfig /all

from machines on inside1 and inside2.

Probably there is no default gateway in the inside1 network:

!
dhcpd address 192.168.2.100-192.168.2.253 inside1
dhcpd dns 194.72.6.57 194.73.82.242 interface inside1
dhcpd enable inside1
!

and don't forget to rate the post.

Yes, the default gateway is set correctly. Machines on the inside1 network all have the default gateway 192.168.2.254 and the inside2 network has 172.16.1.254. All machines can also successfully ping their own default gateway. This puzzled me as well because I thought the traceroute would at least get to the default gateway (IP address of the source interface), even if it goes no further, but it does not even get that far.

Kind Regards,

Russell

Hi

First of all, try to remove the access-lists on inside1 and inside2:

conf t
no access-group inside1_access_in in interface inside1
no access-group inside1_access_out out interface inside1
no access-group inside2_access_in in interface inside2
no access-group inside2_access_out out interface inside2
exi

and check connectivity from inside1 to inside2.

If not, the mistake is in the static translation rules.

Post the result here and we will continue.

Hi, I have removed the above but still unable to ping between networks. Up-to-date config printed below.

Kind Regards,

Russell

: Saved
:
ASA Version 8.2(5)
!
hostname cerberus
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 42
!
interface Ethernet0/2
 switchport access vlan 32
!
interface Ethernet0/3
 switchport access vlan 22
!
interface Ethernet0/4
 switchport access vlan 12
!
interface Ethernet0/5
 switchport access vlan 52
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 195.171.131.50 255.255.255.240
!
interface Vlan12
 nameif inside1
 security-level 50
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan22
 nameif inside2
 security-level 50
 ip address 172.16.1.254 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_6
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list inside1_access_out extended permit ip any any
access-list inside1_access_in extended permit ip any any
access-list management_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list management_access_out extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list inside1_nat_static extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside2_nat_static extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside2_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list inside2_access_out extended permit object-group DM_INLINE_PROTOCOL_6 any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside1 1500
mtu inside2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (management) 1 192.168.1.0 255.255.255.0
nat (inside1) 1 192.168.2.0 255.255.255.0
nat (inside2) 1 172.16.1.0 255.255.255.0
static (inside1,inside2) 172.16.1.0  access-list inside1_nat_static
static (inside2,inside1) 192.168.2.0  access-list inside2_nat_static
access-group management_access_in in interface management
access-group management_access_out out interface management
route outside 0.0.0.0 0.0.0.0 195.171.131.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 management
dhcpd dns 194.72.6.57 194.73.82.242 interface management
dhcpd enable management
!
dhcpd address 192.168.2.100-192.168.2.253 inside1
dhcpd dns 194.72.6.57 194.73.82.242 interface inside1
dhcpd enable inside1
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:31109763a4e257072caddf9574b58b53
: end


The second step is the simplest static NAT:

conf t
no static (inside1,inside2) 172.16.1.0  access-list inside1_nat_static
no static (inside2,inside1) 192.168.2.0  access-list inside2_nat_static
static (inside2,inside1) 172.16.1.0  172.16.1.0  netmask 255.255.255.0
static (inside1,inside2) 192.168.2.0  192.168.2.0 netmask 255.255.255.0
exi

If it doesn't help, the third step:

conf t
interface Vlan22
 nameif inside2
 security-level 55
exi

Thanks, OK, I have tried the above, first changing the static NAT and then changing the security level of the interface. But the two networks will still not talk to each other. I cannot figure out what could still be stopping it. Any ideas?

Kind Regards,

Russell

Hi,

I guess it should work with the access-rule permit itself, because both zones are directly connected to the firewall...

Remove the current ACLs and NAT configs..

Leave both interfaces at the same security level...

access-list inside_1 extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
!
access-list inside_2 extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
access-group inside_1 in interface inside1
access-group inside_2 in interface inside2
!
route outside 0.0.0.0 0.0.0.0 195.171.131.50

Only for the outside network do you need NAT enabled, since that is being translated into the public network....

These are all directly connected networks, so it should work with the ACL permit itself.....

If it is not working, remove the VLANs and configure them as routed interfaces with the same IPs and try it out...

Definitely it should work.

With the same security level, it should work.

If you just try to ping, please add ICMP inspection:

policy-map global_policy
 class inspection_default
  inspect icmp

Also check to see if you have any firewall enabled on the server/host that you are trying to ping, as it normally will block ping from a different subnet. Disable it temporarily while testing, or configure a rule to allow inbound ICMP. By default it allows ping from the same subnet, so you should be able to ping the host from the ASA itself.

Jennifer, I added the ICMP inspection in and I can now ping from one network to another. Thank you very much indeed!

Thanks everyone for your help.

Kind Regards,

Russell
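The three things this thread turned on (equal security levels with inter-interface traffic permitted, identity static NAT in both directions in the 8.2 syntax, and the missing "inspect icmp" that finally made ping work) can be checked mechanically before touching the box. The following is an added example, not code from the thread or from Cisco; it lints a constructed config excerpt modelled on Russell's posted config, and the interface and policy names are the ones from this thread.

```python
import re
# Constructed excerpt modelled on the thread's config (not the full running
# config): same-security interfaces, identity static NAT both ways, no 'inspect icmp'.
ASA_CONFIG = """\
interface Vlan12
 nameif inside1
 security-level 50
interface Vlan22
 nameif inside2
 security-level 50
same-security-traffic permit inter-interface
static (inside1,inside2) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside2,inside1) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""

def parse_security_levels(cfg):
    # Map each nameif to its security-level, reading the interface blocks.
    levels, name = {}, None
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels

def has_identity_static(cfg, real_if, mapped_if):
    # 8.2 syntax: 'static (real,mapped) NET NET netmask MASK' with both NETs equal.
    m = re.search(r"^static \(%s,%s\) (\S+) (\S+) netmask" % (real_if, mapped_if), cfg, re.M)
    return bool(m) and m.group(1) == m.group(2)

def icmp_inspected(cfg):
    # An indented 'inspect icmp' line, i.e. one inside a policy-map class.
    return re.search(r"^\s+inspect icmp\s*$", cfg, re.M) is not None

def check_inter_interface(cfg, a, b):
    # Return the reasons a<->b traffic (ping included) would still fail.
    levels, problems = parse_security_levels(cfg), []
    if levels.get(a) == levels.get(b) and "same-security-traffic permit inter-interface" not in cfg:
        problems.append("equal security levels but no same-security-traffic permit inter-interface")
    if not (has_identity_static(cfg, a, b) and has_identity_static(cfg, b, a)):
        problems.append("identity static NAT missing in at least one direction")
    if not icmp_inspected(cfg):
        problems.append("no 'inspect icmp' in the policy-map (the fix that worked in this thread)")
    return problems
```

Run against the excerpt, check_inter_interface(ASA_CONFIG, "inside1", "inside2") reports only the missing ICMP inspection, which matches where the thread ended up.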
