05-31-2014 12:17 PM - edited 03-11-2019 09:16 PM
I am trying to pass traffic between two internal interfaces but am unable to. Been searching quite a bit and have tried several things to no avail. I feel like there is a simple solution here I am just not seeing. Here is the relevant portion of my config:
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/2
 nameif ct-users
 security-level 100
 ip address 10.12.0.1 255.255.0.0
!
same-security-traffic permit inter-interface
!
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.12.0.0 255.255.0.0
!
access-list inside_access_in extended permit ip any any
!
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ct-users) 0 access-list inside_nat0_outbound
nat (ct-users) 1 0.0.0.0 0.0.0.0
!
static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group inside_access_in in interface ct-users
access-group inside_access_ipv6_in in interface ct-users
On both networks I am able to access the internet, just not traffic between each other.
A packet-tracer reveals the following (it's hitting some weird rules on the way):
cybertron# packet-tracer input inside tcp 192.168.5.2 ssh 10.12.0.2 ssh detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab827020, priority=1, domain=permit, deny=false
 hits=8628156090, user_data=0x0, cs_id=0x0, l3_type=0x8
 src mac=0000.0000.0000, mask=0000.0000.0000
 dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
 match ip ct-users 10.12.0.0 255.255.0.0 inside any
 static translation to 10.12.0.0
 translate_hits = 0, untranslate_hits = 6
Additional Information:
NAT divert to egress interface ct-users
Untranslate 10.12.0.0/0 to 10.12.0.0/0 using netmask 255.255.0.0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad5bec88, priority=12, domain=permit, deny=false
 hits=173081, user_data=0xa8a76ac0, cs_id=0x0, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab829758, priority=0, domain=inspect-ip-options, deny=true
 hits=146139764, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad48c860, priority=6, domain=nat-exempt-reverse, deny=false
 hits=2, user_data=0xad4b5e98, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
 src ip=192.168.5.0, mask=255.255.255.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
 match ip inside any ct-users 10.12.0.0 255.255.0.0
 NAT exempt
 translate_hits = 2, untranslate_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad3b1f70, priority=6, domain=nat-exempt, deny=false
 hits=2, user_data=0xad62b7a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
 match ip inside 192.168.5.0 255.255.255.0 ct-users any
 static translation to 192.168.5.0
 translate_hits = 1, untranslate_hits = 15
Additional Information:
Forward Flow based lookup yields rule:
in id=0xadf7a778, priority=5, domain=nat, deny=false
 hits=6, user_data=0xad80cfd0, cs_id=0x0, flags=0x0, protocol=0
 src ip=192.168.5.0, mask=255.255.255.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) udp 184.73.2.1 1514 192.168.5.2 1514 netmask 255.255.255.255
 match udp inside host 192.168.5.2 eq 1514 outside any
 static translation to 184.73.2.1/1514
 translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8e2928, priority=5, domain=host, deny=false
 hits=9276881, user_data=0xab8e1d20, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=192.168.5.2, mask=255.255.255.255, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
 match ip ct-users 10.12.0.0 255.255.0.0 inside any
 static translation to 10.12.0.0
 translate_hits = 0, untranslate_hits = 6
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad158dc0, priority=5, domain=nat-reverse, deny=false
 hits=6, user_data=0xac0fb6b8, cs_id=0x0, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
 match ip ct-users 10.12.0.0 255.255.0.0 inside any
 static translation to 10.12.0.0
 translate_hits = 0, untranslate_hits = 6
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xada0cd38, priority=5, domain=host, deny=false
 hits=131, user_data=0xac0fb6b8, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=10.12.0.0, mask=255.255.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xad5c1ab0, priority=0, domain=inspect-ip-options, deny=true
 hits=130, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 189385494, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ct-users
output-status: up
output-line-status: up
Action: allow
05-31-2014 01:25 PM
How are you testing? If you are pinging between the subnets, make sure you have disabled Windows Firewall and/or any other firewall that is installed on the PCs (remember to re-enable it later).
Are the NAT commands there because you were trying different things to get this working? I suggest you use the command no nat-control instead. Depending on the version of ASA you are running it may already be disabled by default. In version 8.4 and later nat-control has been removed completely.
--
Please remember to select a correct answer and rate helpful posts
06-01-2014 06:13 AM
I am testing by trying ping/ssh between subnets. They are both linux machines with firewalls off.
The nat commands are in there for testing. I could try removing them and trying no nat-control, however will this turn off all NAT in general? Because I am using NAT for other parts of the configuration.
Version is 8.2(5).
06-01-2014 06:38 AM
nat-control is used to force you to use NAT between ASA interfaces. When you turn off nat-control you will still be able to use NAT, but you are not forced to use NAT when sending traffic between internal interfaces.
--
Please remember to select a correct answer and rate helpful posts
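As an added example (not the poster's configuration and not the responder's text), here is a minimal ASA 8.2 configuration that puts the thread's two approaches side by side: the responder's no nat-control, and the NAT exemption pattern the poster's own config already approximates, with one exemption ACL per interface instead of one shared ACL plus identity statics. The ACL names inside_nat0 and ctusers_nat0, and the host addresses used in the packet-tracer checks, are assumed.

```cisco
! Added example, not the poster's config. Interface addressing from the thread.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/2
 nameif ct-users
 security-level 100
 ip address 10.12.0.1 255.255.0.0
!
! Required for forwarding between two interfaces that share security-level 100.
same-security-traffic permit inter-interface
!
! Option A (8.2 only; removed in 8.4+): stop requiring a translation between
! interfaces. Existing nat/global rules for internet access still apply.
no nat-control
!
! Option B: keep nat-control and exempt only the two internal subnets from NAT,
! scoped per interface. Replaces the shared inside_nat0_outbound ACL and the
! two identity static statements, which only duplicate the exemption.
access-list inside_nat0 extended permit ip 192.168.5.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list ctusers_nat0 extended permit ip 10.12.0.0 255.255.0.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
nat (ct-users) 0 access-list ctusers_nat0
!
! Least privilege between the two segments: replace "permit ip any any" with
! the flows actually needed (assumed: SSH from inside into ct-users).
access-list inside_access_in extended permit tcp 192.168.5.0 255.255.255.0 10.12.0.0 255.255.0.0 eq 22
access-list ctusers_access_in extended permit tcp 10.12.0.0 255.255.0.0 192.168.5.0 255.255.255.0 eq 22
access-group inside_access_in in interface inside
access-group ctusers_access_in in interface ct-users
!
! Verify in both directions; both traces should end with "Action: allow",
! and the NAT phases should show "NAT exempt" rather than a static translation.
! cybertron# packet-tracer input inside tcp 192.168.5.2 1025 10.12.0.2 22
! cybertron# packet-tracer input ct-users tcp 10.12.0.2 1025 192.168.5.2 22
```

Apply either Option A or Option B, not both, and re-run the two packet-tracer commands after each change so the NAT phases can be compared against the trace posted above.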