Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Having issues on ASA 5510 pass traffic between interfaces

I am trying to pass traffic between two internal interfaces but am unable to.  Been searching quite a bit and have tried several things to no avail. I feel like there is a simple solution here I am just not seeing. Here is the relevant portion of my config:

 

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/2
 nameif ct-users
 security-level 100
 ip address 10.12.0.1 255.255.0.0
!
same-security-traffic permit inter-interface
!
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.12.0.0 255.255.0.0
!
access-list inside_access_in extended permit ip any any
!
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ct-users) 0 access-list inside_nat0_outbound
nat (ct-users) 1 0.0.0.0 0.0.0.0
!
static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group inside_access_in in interface ct-users
access-group inside_access_ipv6_in in interface ct-users

On both networks I am able to access the internet, just not traffic between each other.

 

A packet-tracer reveals the following (it's hitting some weird rules on the way):

cybertron# packet-tracer input inside tcp 192.168.5.2 ssh 10.12.0.2 ssh detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab827020, priority=1, domain=permit, deny=false
hits=8628156090, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
  match ip ct-users 10.12.0.0 255.255.0.0 inside any
    static translation to 10.12.0.0
    translate_hits = 0, untranslate_hits = 6
Additional Information:
NAT divert to egress interface ct-users
Untranslate 10.12.0.0/0 to 10.12.0.0/0 using netmask 255.255.0.0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad5bec88, priority=12, domain=permit, deny=false
hits=173081, user_data=0xa8a76ac0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab829758, priority=0, domain=inspect-ip-options, deny=true
        hits=146139764, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad48c860, priority=6, domain=nat-exempt-reverse, deny=false
hits=2, user_data=0xad4b5e98, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside any ct-users 10.12.0.0 255.255.0.0
    NAT exempt
    translate_hits = 2, untranslate_hits = 2
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad3b1f70, priority=6, domain=nat-exempt, deny=false
hits=2, user_data=0xad62b7a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
  match ip inside 192.168.5.0 255.255.255.0 ct-users any
    static translation to 192.168.5.0
    translate_hits = 1, untranslate_hits = 15
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xadf7a778, priority=5, domain=nat, deny=false
hits=6, user_data=0xad80cfd0, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) udp 184.73.2.1 1514 192.168.5.2 1514 netmask 255.255.255.255
  match udp inside host 192.168.5.2 eq 1514 outside any
    static translation to 184.73.2.1/1514
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab8e2928, priority=5, domain=host, deny=false
hits=9276881, user_data=0xab8e1d20, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.5.2, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
  match ip ct-users 10.12.0.0 255.255.0.0 inside any
    static translation to 10.12.0.0
    translate_hits = 0, untranslate_hits = 6
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xad158dc0, priority=5, domain=nat-reverse, deny=false
hits=6, user_data=0xac0fb6b8, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
  match ip ct-users 10.12.0.0 255.255.0.0 inside any
    static translation to 10.12.0.0
    translate_hits = 0, untranslate_hits = 6
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xada0cd38, priority=5, domain=host, deny=false
hits=131, user_data=0xac0fb6b8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.12.0.0, mask=255.255.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xad5c1ab0, priority=0, domain=inspect-ip-options, deny=true
hits=130, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 189385494, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ct-users
output-status: up
output-line-status: up
Action: allow
  • Firewalling
Everyone's tags (1)
3 REPLIES
VIP Green

how are you testing? if you

how are you testing? if you are pinging between the subnets, make sure you have disabled windows firewall and/or any other firewall that is installed on the PCs (remember to re-enable it later).

Are the NAT commands there because you were trying different things to get this working?  I suggest you use the command no nat-control instead.  Depending on the version of ASA you are running it may already be disabled by default.  In version 8.4 and later nat-control has been removed completely.

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
New Member

I am testing by trying ping

I am testing by trying ping/ssh between subnets.  They are both linux machines with firewalls off.

 

The nat commands are in there for testing.  I could try removing them and trying no nat-control, howeve r will this turn off all NAT in general?  Because I am using nat for other parts of the configuration.

 

Version is 8.2(5).

VIP Green

nat control is used to force

nat control is used to force you to use nat between ASA interfaces.  When you turn off nat controll you will still be able to use nat but you are not forced to use nat when sending traffic between internal interfaces.

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
250
Views
0
Helpful
3
Replies