
New Member

ASA with two trusted interfaces

I'm going nuts with this ASA5505. This is a secondary firewall used only in emergencies when the primary Checkpoint fails.

The basics: it has two trusted interfaces, E0/1 and E0/2-6. E0/1, inside2, has 192.168.0.1/29 and inside is 192.168.200.1/24. I'd like any traffic to be allowed from inside and inside2 to outside, and any traffic from the inside interfaces should be routed. No restrictions should apply between the two interfaces.

inside works just fine but no traffic is going out of inside2, not to outside or to inside.

1 ACCEPTED SOLUTION

Accepted Solutions

ASA with two trusted interfaces

The same-security-traffic permit inter-interface command seems to be missing in this config, which will allow inside to communicate with inside2.

8 REPLIES
Red

ASA with two trusted interfaces

Can you share your configuration? That would make it easier.

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

ASA with two trusted interfaces

ASA5505# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname ASA5505
enable password d5uVb34W3WysZeUQ encrypted
passwd d5uVb34W3WysZeUQ encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 91.150.44.37 255.255.255.248
!
interface Vlan15
nameif inside2
security-level 100
ip address 192.168.0.1 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 15
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list dmz_access_in remark Implicit rule: Permit all traffic to less secure networks
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq ssh
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu inside2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside control-plane
route outside 0.0.0.0 0.0.0.0 91.150.44.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 87.108.20.70 source outside prefer
webvpn
username admin01 password SMkUnOJcgOVHlyRx encrypted privilege 15
!
!
prompt hostname context
Cryptochecksum:05f052044953a19c020dcf217571cd86
: end

Trying to figure out the rules, so right now it's just the basic setup. Getting interface2 out to the internet would be an improvement. inside works for the moment but I can't access inside2 from inside.

New Member

ASA with two trusted interfaces

I might have been a little hasty. The traffic flows between the two inside networks now, but inside2 still can't access the outside. Even if the rules for Inside and Inside2 are the same.

ASA with two trusted interfaces

Add this in your configuration then test the connections.

nat (inside2) 1 0.0.0.0 0.0.0.0

Thanks

Ajay

New Member

ASA with two trusted interfaces

I forgot the dynamic nat rule while testing. So everything works as it should now. Thanks guys.

New Member

ASA with two trusted interfaces

While we are here, in inside2 there is a router 192.168.0.2 and behind it is the 192.168.100.0/24 network. To get the ASA to route to it I only need to add a static route right?

ASA with two trusted interfaces

Yes

route inside2 x.x.x.x x.x.x.x pointing to 192.168.0.2
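The three fixes in this thread (same-security-traffic permit inter-interface for the two level-100 interfaces, a nat statement for inside2 under nat-control, and a static route for the network behind 192.168.0.2) are all things a config review can catch before an emergency cutover. The following is an added example written for this page, not code from the thread or from Cisco: a small Python audit that parses an ASA 8.2-style running-config and reports which of those three pieces is missing, together with the exact commands that would address it. The sample config is constructed from the interface, NAT and route lines posted above (before the fixes were applied); the remote network 192.168.100.0/24 behind 192.168.0.2 comes from the last question. The parsing heuristics are mine and target the 8.2 nat-control / global / nat syntax shown on the page; ASA 8.3 and later use a different NAT model and would need different checks.

```python
import ipaddress
import re

# Constructed sample: the interface, NAT and routing lines of the ASA 8.2(1)
# config posted in the thread, before the accepted fixes were applied.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 91.150.44.37 255.255.255.248
!
interface Vlan15
 nameif inside2
 security-level 100
 ip address 192.168.0.1 255.255.255.248
!
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 91.150.44.33 1
"""

# Networks that sit behind a downstream router (from the final question in the
# thread): (network, next-hop).  Constructed input for the audit.
REMOTE_NETWORKS = [("192.168.100.0/24", "192.168.0.2")]


def parse_interfaces(config):
    """Return {nameif: {"security": int, "network": IPv4Network}} from the interface blocks."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # the posted config has its indentation stripped; accept both
        if line.startswith("interface "):
            current = {}
        elif current is not None and line.startswith("nameif "):
            interfaces[line.split()[1]] = current
        elif current is not None and line.startswith("security-level "):
            current["security"] = int(line.split()[1])
        elif current is not None and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            current["network"] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif line == "!":
            current = None
    return interfaces


def audit(config, remote_networks=()):
    """Return (findings, fixes): readable findings plus the ASA commands that address them."""
    lines = [l.strip() for l in config.splitlines()]
    text = "\n".join(lines)
    interfaces = parse_interfaces(config)
    findings, fixes = [], []

    # 1. Interfaces at the same security level cannot talk to each other unless
    #    same-security-traffic permit inter-interface is configured.
    by_level = {}
    for name, info in interfaces.items():
        by_level.setdefault(info["security"], []).append(name)
    shared = [names for names in by_level.values() if len(names) > 1]
    if shared and "same-security-traffic permit inter-interface" not in lines:
        findings.append(f"interfaces {shared} share a security level but inter-interface traffic is not permitted")
        fixes.append("same-security-traffic permit inter-interface")

    # 2. Under nat-control, every higher-security interface needs a nat statement
    #    that matches the global pool on the lower-security interface.
    if "nat-control" in lines:
        nat_present = set(re.findall(r"^nat \((\S+)\) (\d+) ", text, re.M))
        for out_if, pool in re.findall(r"^global \((\S+)\) (\d+) ", text, re.M):
            out_level = interfaces[out_if]["security"]
            for name, info in interfaces.items():
                if info["security"] > out_level and (name, pool) not in nat_present:
                    findings.append(f"{name} has no nat statement for global pool {pool} on {out_if}")
                    fixes.append(f"nat ({name}) {pool} 0.0.0.0 0.0.0.0")

    # 3. A network behind a downstream router needs a static route out of the
    #    interface whose subnet contains the next-hop.
    routes = re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", text, re.M)
    for net, gw in remote_networks:
        network, gateway = ipaddress.ip_network(net), ipaddress.ip_address(gw)
        if any(r[1:] == (str(network.network_address), str(network.netmask), gw) for r in routes):
            continue
        iface = next((n for n, i in interfaces.items() if gateway in i["network"]), None)
        if iface is None:
            findings.append(f"no interface is on the same subnet as next-hop {gw}")
            continue
        findings.append(f"no static route for {net} via {gw}")
        fixes.append(f"route {iface} {network.network_address} {network.netmask} {gw} 1")
    return findings, fixes


if __name__ == "__main__":
    found, cmds = audit(SAMPLE_CONFIG, REMOTE_NETWORKS)
    for f in found:
        print("finding:", f)
    print("\nsuggested configuration:\n" + "\n".join(cmds))
```

Running the audit against the posted config yields exactly the three commands the thread converged on; appending them to the config and auditing again returns no findings, which is a useful regression check to keep next to a standby firewall's config.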
