Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1307
Views
0
Helpful
3
Replies

ASA 5510 Unable to get internal networks talking to each other

Go to solution
VampiressX
Level 1
Level 1

‎04-23-2012 10:06 PM - edited ‎03-11-2019 03:57 PM

Hey,

In need of some help here. I am tasked with transfering all clients from one subnet to the other. I figure the nicest way to do this is to temporarily have the subnets talk to each other in an endeavour to avoid as much downtime as possible. The two internal subnets are:

192.168.0.0/24

192.168.43.0/24 (the intended migration network)

I am beating my head against the desk here as I dont seem to be getting anywhere after the changes I have made. The current configuration is as such:

ASA Version 8.2(5) 
!
hostname ciscoasa
domain-name *****
enable password ***** encrypted
passwd ***** encrypted
names
 *****
 *****
 *****
 *****
!
interface Ethernet0/0
 description Internode SOHO
 nameif Outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/1
 description *****
 nameif Inside
 security-level 100
 ip address 192.168.43.1 255.255.255.0 
!
interface Ethernet0/2
 description *****
 nameif Main_Network
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface Ethernet0/3
 description *****
 nameif DMZ
 security-level 100
 ip address  *****
!
interface Management0/0
 nameif management
 security-level 100
 ip address  ***** 
 management-only
!
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server  *****
 name-server  *****
 domain-name  *****
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object udp
 protocol-object tcp
access-list Outside_1_cryptomap extended permit ip 192.168.43.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list Inside_nat0_outbound extended permit ip 192.168.43.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list Inside_access_in extended permit ip 10.0.0.0 255.0.0.0 192.168.43.0 255.255.255.0 
access-list Inside_access_in extended permit ip 192.168.43.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list outside extended permit ip any 192.168.0.0 255.255.255.0 
access-list outside extended permit ip any any 
access-list Main_Network_access_in extended permit ip 192.168.0.0 255.255.255.0 any 
access-list Main_Network_access_in extended permit ip any 192.168.0.0 255.255.255.0 
access-list Main_Network_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.43.0 255.255.255.0 
access-list Main_Network_access_in extended permit ip 192.168.43.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list Main_Network_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 any 
access-list FTPinDMZ extended permit ip 203.30.186.0 255.255.255.0 any 
access-list FTPinDMZ extended permit ip any 203.30.186.0 255.255.255.0 
access-list Internal_Traversal extended permit ip 192.168.0.0 255.255.255.0 192.168.43.0 255.255.255.0 
access-list Internal_Traversal extended permit ip 192.168.43.0 255.255.255.0 192.168.0.0 255.255.255.0 
pager lines 24
logging enable
logging buffered errors
logging asdm errors
logging flash-bufferwrap
mtu Outside 1492
mtu Inside 1500
mtu Main_Network 1500
mtu management 1500
mtu DMZ 1500
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 0 access-list Internal_Traversal
nat (Inside) 0 0.0.0.0 0.0.0.0
nat (Main_Network) 1 access-list Main_Network_nat0_outbound
nat (Main_Network) 1 192.168.0.0 255.255.255.0
nat (DMZ) 1 203.30.186.0 255.255.255.0
static (Main_Network,Outside) tcp interface www Mail02 www netmask 255.255.255.255 
static (Main_Network,Outside) tcp interface smtp Mail02 smtp netmask 255.255.255.255 
static (Main_Network,Outside) tcp interface ssh Mail02 ssh netmask 255.255.255.255 
static (Main_Network,Outside) tcp interface 993 Mail02 993 netmask 255.255.255.255 
static (Main_Network,Outside) tcp interface 995 Mail02 995 netmask 255.255.255.255 
static (Main_Network,Outside) tcp interface https Mail02 https netmask 255.255.255.255 
static (Main_Network,Outside) udp interface 60001 192.168.0.185 3389 netmask 255.255.255.255 
static (Main_Network,Outside) tcp interface 60001 192.168.0.185 3389 netmask 255.255.255.255 
 *****
 *****
static (Main_Network,Inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 norandomseq nailed 
access-group outside in interface Outside
access-group Main_Network_access_in in interface Main_Network
route Outside 10.0.3.0 255.255.255.0 SOHO_ADSL 1
route Outside 192.168.0.0 255.255.255.0 SOHO_ADSL 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 200.200.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs 
crypto map Outside_map 1 set peer *****
crypto map Outside_map 1 set transform-set ESP-3DES-MD5
crypto map Outside_map interface Outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 *****
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
!
hostname ciscoasa
domain-name *****
enable password ***** encrypted
passwd ***** encrypted
names
 *****
 *****
 *****
 *****
!
interface Ethernet0/0
 description Internode SOHO
 nameif Outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/1
 description *****
 nameif Inside
 security-level 100
 ip address 192.168.43.1 255.255.255.0 
!
interface Ethernet0/2
 description *****
 nameif Main_Network
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface Ethernet0/3
 description *****
 nameif DMZ
 security-level 100
 ip address  *****
!
interface Management0/0
 nameif management
 security-level 100
 ip address  ***** 
 management-only
!
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server  *****
 name-server  *****
 domain-name  *****
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object udp
 protocol-object tcp
access-list Outside_1_cryptomap extended permit ip 192.168.43.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list Inside_nat0_outbound extended permit ip 192.168.43.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list Inside_access_in extended permit ip 10.0.0.0 255.0.0.0 192.168.43.0 255.255.255.0 
access-list Inside_access_in extended permit ip 192.168.43.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list outside extended permit ip any 192.168.0.0 255.255.255.0 
access-list outside extended permit ip any any 
access-list Main_Network_access_in extended permit ip 192.168.0.0 255.255.255.0 any 
access-list Main_Network_access_in extended permit ip any 192.168.0.0 255.255.255.0 
access-list Main_Network_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.43.0 255.255.255.0 
access-list Main_Network_access_in extended permit ip 192.168.43.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list Main_Network_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 any 
access-list FTPinDMZ extended permit ip *****
access-list FTPinDMZ extended permit ip any *****
access-list Internal_Traversal extended permit ip 192.168.0.0 255.255.255.0 192.168.43.0 255.255.255.0 
access-list Internal_Traversal extended permit ip 192.168.43.0 255.255.255.0 192.168.0.0 255.255.255.0 
pager lines 24
logging enable
logging buffered errors
logging asdm errors
logging flash-bufferwrap
mtu Outside 1492
mtu Inside 1500
mtu Main_Network 1500
mtu management 1500
mtu DMZ 1500
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 0 access-list Internal_Traversal
nat (Inside) 0 0.0.0.0 0.0.0.0
nat (Main_Network) 1 access-list Main_Network_nat0_outbound
nat (Main_Network) 1 192.168.0.0 255.255.255.0
nat (DMZ) 1 ****
static (Main_Network,Outside) tcp interface www Mail02 www netmask 255.255.255.255 
static (Main_Network,Outside) tcp interface smtp Mail02 smtp netmask 255.255.255.255 
static (Main_Network,Outside) tcp interface ssh Mail02 ssh netmask 255.255.255.255 
static (Main_Network,Outside) tcp interface 993 Mail02 993 netmask 255.255.255.255 
static (Main_Network,Outside) tcp interface 995 Mail02 995 netmask 255.255.255.255 
static (Main_Network,Outside) tcp interface https Mail02 https netmask 255.255.255.255 
static (Main_Network,Outside) udp interface 60001 192.168.0.185 3389 netmask 255.255.255.255 
static (Main_Network,Outside) tcp interface 60001 192.168.0.185 3389 netmask 255.255.255.255 
 *****
 *****
static (Main_Network,Inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 norandomseq nailed 
access-group outside in interface Outside
access-group Main_Network_access_in in interface Main_Network
route Outside 10.0.3.0 255.255.255.0 SOHO_ADSL 1
route Outside 192.168.0.0 255.255.255.0 SOHO_ADSL 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 200.200.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs 
crypto map Outside_map 1 set peer 159.153.222.18 
crypto map Outside_map 1 set transform-set ESP-3DES-MD5
crypto map Outside_map interface Outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 *****
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
 *****
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 10800
telnet timeout 5
ssh 192.168.43.0 255.255.255.0 Inside
ssh 192.168.0.0 255.255.255.0 Main_Network
ssh timeout 5
console timeout 0
management-access Main_Network
vpdn username  ***** password  ***** store-local
dhcp-client client-id interface Outside
dhcpd address 200.200.1.2-200.200.1.200 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username  ***** password  ***** encrypted
username  ***** password  ***** encrypted
tunnel-group  ***** type ipsec-l2l  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
tunnel-group  ***** ipsec-attributes
 pre-shared-key *
tunnel-group  ***** type ipsec-l2l
tunnel-group  ***** ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
 *****
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 10800
telnet timeout 5
ssh 192.168.43.0 255.255.255.0 Inside
ssh 192.168.0.0 255.255.255.0 Main_Network
ssh timeout 5
console timeout 0
management-access Main_Network
vpdn username  ***** password  ***** store-local
dhcp-client client-id interface Outside
dhcpd address 200.200.1.2-200.200.1.200 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username  ***** password  ***** encrypted
username  ***** password  ***** encrypted
tunnel-group  ***** type ipsec-l2l  message-length maximum 512

Upgrading the firmware is not really an option

Hoping someone can help. Perhaps its just something right in front of me that Im missing.

Thanks in advance for any help

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎04-24-2012 12:48 AM

Hi,

Try adding same-security permit inter-interface. (you have the other one configured that allows traffic to enter and leave on the same interface) This should permit traffic between 2 interfaces of equal security-level

Also you should configure an access-list for the inside interface.

Try the connections after that.

You also seem to lack basic PAT configuration for Inside interface for internet traffic. (As you only have ID 0 NAT statements configured)

For ICMP between the 2 networks please add

policy-map global_policy

class inspection_default

  inspect icmp

- Jouni

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎04-24-2012 12:48 AM

Hi,

Try adding same-security permit inter-interface. (you have the other one configured that allows traffic to enter and leave on the same interface) This should permit traffic between 2 interfaces of equal security-level

Also you should configure an access-list for the inside interface.

Try the connections after that.

You also seem to lack basic PAT configuration for Inside interface for internet traffic. (As you only have ID 0 NAT statements configured)

For ICMP between the 2 networks please add

policy-map global_policy

class inspection_default

  inspect icmp

- Jouni

0 Helpful

Go to solution
VampiressX
Level 1
Level 1

‎04-24-2012 02:56 AM

OMG thankyou so much Jouni! Awesome. I just cant believe I missed that one. So you are actually required to have both statements... inter and intra.

I also noticed that ive double posted the config. God the things you do. Anywho, my very special thanks to you and you have saved me many days of heartache with that. Cheers m8!

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to VampiressX

‎04-24-2012 11:16 PM

Hi,

Glad that it works now

To my understanding the command with the "intra" parameter is for situations where the traffic is entering and leaving the same interface. One of the most common situations where I need this command is when a customer has a Client VPN configured and the VPN Client user needs to use Internet through the VPN Client (Outside to Outside interface traffic)

The "inter" parameter refers to situations where you need to pass traffic between 2 firewall interfaces which are configured with the same "security-level" value (As you did in this case).

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card