Cisco Support Community
New Member

ASA 5510 intervlan routing

Hi,

Could you please help and advise? I have an issue with my project. I have already set up the ASA 5510 and configured eth0 for outside (security-level 0), eth1 for DMZ (security-level 50) and eth3 for the internal network (security-level 100). I want to ping / ftp from each VLAN to another.

I have configured the necessary ACLs to allow the traffic between the DMZ and Outside interfaces.

Using packet tracer from Outside to DMZ, the packet is allowed. But I can't ping / ftp from one interface to another. Please see the attached screen shot.

But according to what I've read on this forum, "If you are trying inter-VLAN routing, then make sure that both sub-interfaces have a nameif and security level set to the same value."

Does it apply to DMZ, internal and external interfaces with different security levels? I really appreciate your advice, since I am now confused.

  • Firewalling
ACCEPTED SOLUTION

Re: ASA 5510 intervlan routing

Hi,

In firewall terminology, from a higher security level to a lower security level only NAT is required. From a lower security level to a higher security level an access-list or conduit must be used to permit the traffic.

Your configuration looks OK except that you don't have dynamic NAT for the inside network to the DMZ and outside.

For ASA version 8.3 the configuration is slightly different. Please add the following commands and check your access:

object network obj-192.25.130.0
 subnet 192.25.130.0 255.255.255.0
 nat (inside,outside) dynamic 192.25.152.250
object network obj-192.25.130.0-01
 subnet 192.25.130.0 255.255.255.0
 nat (inside,dmz1) dynamic 192.25.156.250
object network obj-192.25.130.0-02
 subnet 192.25.130.0 255.255.255.0
 nat (inside,dmz2) dynamic 192.25.154.250

HTH

Mohamed

17 REPLIES
Cisco Employee

Re: ASA 5510 intervlan routing

For traffic to and from inside and DMZ, you would need to configure static 1:1 NAT in addition to the access-list to permit the traffic through.

Assuming that your inside subnet is 172.25.152.0/24, then you would need to configure the following:

static (inside,dmz) 172.25.152.0 172.25.152.0 netmask 255.255.255.0

Then "clear xlate" after the above. You should be able to access to and from between inside and dmz, providing that you have already configured the access-list to permit the traffic.

New Member

Re: ASA 5510 intervlan routing

Sorry for the late response, Jennifer. I still cannot resolve it.

My requirement is

( 1 ) I'd like to ssh / ftp from the internal server to the DMZ server.

( 2 ) I would like ssh / telnet access to the Router from the internal network. (Currently there is no way to control / configure the RTR from the internal segment except by console access.)

( 3 ) outside <---> DMZ ftp traffic. But the current config still doesn't fulfill my requirements. Kindly note my FW is ASA version 8.3(1) on 5510 HW. My config is attached. What could be the blocking issue?


New Member

Re: ASA 5510 intervlan routing

Hi sobair,

Thanks, and I really appreciate your expertise. I am now able to access the DMZ server / external Router from the internal network. But I am still trying the opposite direction, from the lower security level to the higher security level (External to DMZ server, and DMZ server to internal network). So should I configure just an ACL in order to permit the traffic from lower security to higher security?

My current config is:

object-group service PORT_GROUP tcp
 port-object eq echo
 port-object eq ftp
 port-object eq ssh
! Allow access from Internet to DMZ SVR
access-list OUT_IN extended permit tcp any host 192.25.154.107 object-group PORT_GROUP

Please see the attachment for more detail.


Purple

Re: ASA 5510 intervlan routing

Hi,

If you want access from out to dmz then you need an ACL permitting the traffic from lower to higher security, but you also have to do static NAT from the DMZ server to outside.

For dmz to in you need an ACL, but you don't need static NAT, just dynamic NAT from dmz to in.

Regards.

Don't forget to rate helpful posts.

Re: ASA 5510 intervlan routing

Hi,

No, not only an ACL. You need static NAT from inside to DMZ that allows access from the DMZ network to the inside network, along with an ACL applied on the DMZ interface.

HTH

Mohamed

Purple

Re: ASA 5510 intervlan routing

Hi Mohamed,

I didn't say only an ACL, but also dynamic NAT from dmz to in. But you're surely right about static; I can't test it as I haven't got any ASA in my lab and it's been a long time since I've configured one.

Regards.

Don't forget to rate helpful posts.
New Member

Re: ASA 5510 intervlan routing

Hi Mohamed,

I have tried adding the static NAT. But there is still an error message and it didn't go through from DMZ to IN and OUT to DMZ. Kindly advise. Attached is the network diagram.

( For External to DMZ2 )

object network DMZ2_static
 host 192.25.154.107
 nat (DMZ2,OUT) static 192.25.152.246

( For DMZ to internal )

object network DMZ2_IN_static
 host 172.25.154.107
 nat (DMZ2,IN) static 172.25.130.250

Existing ACL

access-list OUT_IN extended permit tcp any host 192.25.154.107 object-group PORT_GROUP

access-list IN_IN extended permit ip 192.25.130.0 255.255.255.0 any

Existing Group

access-group OUTSIDE_IN in interface OUT

access-group INSIDE_IN in interface IN

( error message: )

Source IP        Source port  Destination IP   Dest port  Description
192.25.154.107   37457        192.25.130.22    22         Inbound TCP connection denied from 192.25.154.107/37457 to 192.25.130.102/22 flags SYN on interface DMZ2
192.25.154.107   43166        192.25.130.22    21         Inbound TCP connection denied from 192.25.154.107/43166 to 192.25.130.102/21 flags SYN on interface DMZ2
192.25.158.60    3096         192.25.158.248   443        Teardown TCP connection 3215 for management:192.25.158.60/3096 to identity:192.25.158.248/443 duration 0:03:01 bytes 989 TCP Reset-O
192.25.158.60    4026         192.25.158.248   80         TCP access denied by ACL from 192.25.158.60/4026 to management:192.25.158.248/80

( Note: 192.25.158.60 is the management station on the 158 network. )

Re: ASA 5510 intervlan routing

Hi,

From DMZ to Internal, try the config below:


hostname(config)# object network host-obj
hostname(config-network-object)# host 172.25.154.107
hostname(config-network-object)# nat (inside,dmz) static 172.25.130.250

access-list DMZ extended permit ip any host 172.25.130.250
access-group DMZ in interface DMZ2



And from Outside to DMZ, try the following:


object network DMZ2_static
 host 192.25.154.107
 nat (DMZ2,OUT) static 192.25.152.246

access-list OUTSIDE_IN extended permit tcp any host 172.25.130.250 object-group PORT_GROUP
access-group OUTSIDE_IN in interface OUT

HTH

Mohamed
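Pulling the thread together: the added configuration below is the editor's own worked example, not configuration posted by any participant. It covers the three requirements from the original poster (inside to the DMZ server, inside to the external router, outside to the DMZ FTP server) plus the DMZ to inside direction, so it serves both the dynamic NAT in the accepted solution and the static NAT and ACLs in the later replies. Interface names OUT, DMZ2 and IN, the inside subnet 192.25.130.0/24, the DMZ server 192.25.154.107, the mapped address 192.25.152.246 and the PAT address 192.25.152.250 come from the thread; the inside server address 192.25.130.22, the object and ACL names, the Ethernet slot numbers and the outside test client 203.0.113.5 are assumptions. Two behaviours of ASA 8.3 and later are built in: an access-list applied to an interface matches the real (untranslated) address of the destination, and traffic no longer needs a NAT rule to pass (nat-control was removed), so the identity NAT between IN and DMZ2 is there only to keep inside addresses unchanged in the DMZ.

```cisco
! Added example (editor's own, not from the thread). ASA 8.3(1) syntax.
! Interface names follow the thread: OUT (0), DMZ2 (50), IN (100).
! Slot numbers are assumed.
interface Ethernet0/0
 nameif OUT
 security-level 0
interface Ethernet0/1
 nameif DMZ2
 security-level 50
interface Ethernet0/3
 nameif IN
 security-level 100
!
! Object NAT allows one nat statement per object, so the inside subnet
! needs one object per interface pair.
!
! (1)(2) IN -> OUT: PAT behind 192.25.152.250. Higher to lower security,
! so no ACL is required on OUT; the IN_IN ACL below still limits it.
object network INSIDE_NET
 subnet 192.25.130.0 255.255.255.0
 nat (IN,OUT) dynamic 192.25.152.250
!
! (1) IN <-> DMZ2: identity NAT. Inside hosts keep 192.25.130.x in the
! DMZ, so the DMZ2 ACL can name the inside server by its real address.
! Optional on 8.3 (no nat-control); it only documents intent.
object network INSIDE_NET_TO_DMZ2
 subnet 192.25.130.0 255.255.255.0
 nat (IN,DMZ2) static 192.25.130.0
!
! Inside server reached from the DMZ (address is an assumption).
object network INSIDE_SRV
 host 192.25.130.22
!
! (3) OUT -> DMZ2: static NAT. Outside clients connect to 192.25.152.246;
! the ASA untranslates to 192.25.154.107 before the OUT ACL is checked,
! so OUTSIDE_IN must reference the real address, not the mapped one.
object network DMZ2_SRV
 host 192.25.154.107
 nat (DMZ2,OUT) static 192.25.152.246
!
object-group service PORT_GROUP tcp
 port-object eq ftp
 port-object eq ssh
!
! Lower -> higher security needs an ACL on the ingress interface.
! Keep the lower-to-higher rules host- and port-specific.
access-list OUTSIDE_IN extended permit tcp any object DMZ2_SRV eq ftp
access-list DMZ2_IN extended permit tcp object DMZ2_SRV object INSIDE_SRV object-group PORT_GROUP
access-list IN_IN extended permit tcp object INSIDE_NET any object-group PORT_GROUP
access-list IN_IN extended permit tcp object INSIDE_NET any eq telnet
access-list IN_IN extended permit icmp object INSIDE_NET any
!
! The name in access-group must match the access-list name exactly.
access-group OUTSIDE_IN in interface OUT
access-group DMZ2_IN in interface DMZ2
access-group IN_IN in interface IN
!
! The FTP data channel is opened by "inspect ftp" in the default global
! policy; leave it enabled so active-mode transfers through the NAT work.
!
! Verification. packet-tracer takes the address the packet actually
! carries: the mapped 192.25.152.246 when entering from OUT, real
! addresses when entering from DMZ2 or IN. 203.0.113.5 is an assumed
! outside client.
! packet-tracer input OUT  tcp 203.0.113.5 40000 192.25.152.246 21
! packet-tracer input DMZ2 tcp 192.25.154.107 40000 192.25.130.22 22
! packet-tracer input IN   tcp 192.25.130.22 40000 192.25.154.107 22
! show nat detail
! show logging | include 106001|106023
```

If a packet-tracer run ends in the ACCESS-LIST phase with DROP, check "show running-config access-group" first: an access-list that is defined under one name and applied under another is never consulted, and the ingress interface then falls back to the security-level default, which denies every lower-to-higher flow with the same "Inbound TCP connection denied" (106001) message seen earlier in this thread.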
