Cisco Support Community

New Member

New to Cisco devices - help with ASA-5510 routing

I am new to using Cisco firewalls. I have an ASA-5510 with a trunked Catalyst-3560 switch. I believe I have the trunk set up correctly and I created VLANs in the switch. Through the ASDM, I created the subinterfaces for each VLAN on the ASA. Now I am trying to get traffic to flow between the VLANs. I have read about security levels and assigned the levels such that the most trusted have the highest level (100). VLANs which need to talk to each other, I kept at the same security level.

On one of the higher trusted interfaces, I have a SysLog server. This computer needs access to the other VLANs in order to query and inspect logs and traffic. How do I give that VLAN/interface access to the others? Is it inherent because of the higher security level? I believe I need to set up NAT, but not sure how to just allow open access (for now).

Thanks in advance!

Jayesh

Tags: Firewalling

15 REPLIES
Cisco Employee

Re: New to Cisco devices - help with ASA-5510 routing

If you are not applying an ACL on the high-security interface, then by default the ASA will allow traffic to lower-security interfaces.

NATting would be your next step. Make sure, if you don't NAT the host, that there is a route back to it for the return traffic through the ASA.

I hope it helps.

PK

New Member

Re: New to Cisco devices - help with ASA-5510 routing

I posted a follow-up to another user's response. I realized that you probably don't get the notification. Here's my follow-up question:

Thanks for the swift replies. Here's what I have, but not sure it is working:

* Server on VLAN 104 with security level of 100    [ip 192.168.10.10]

* Client PC on VLAN 111 with security level of 20 [ip 192.168.129.89]

* NAT translation for server-vlan to client-vlan allowing any on server-vlan to use PAT for 192.168.129.20

* Specific ACL for client PC (192.168.129.89) to get to server (192.168.10.10) allowing ALL ICMP traffic

I am trying to test my setup by pinging client from the server, but to no avail. I am missing something, I am sure.

--Jayesh

Cisco Employee

Re: New to Cisco devices - help with ASA-5510 routing

You need to enable:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

If between different security levels, enable NAT for traffic from the high security level to the low.

If you do not want to set up NAT, use NAT exemption on the higher security level interface and define traffic from the high security level to the low security level in the ACL for NAT exempt.
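Putting the replies above together, here is a worked ASA configuration for the two VLANs in the thread. It is an added example from the editor, not configuration posted by anyone in the thread. It assumes ASA 8.2 syntax (matching the "nat exemption" wording in the replies; 8.3 and later use a different NAT model), the interface names server and client, a trunk on Ethernet0/1, and gateway addresses 192.168.10.1 and 192.168.129.1, none of which appear in the thread. Two caveats a practitioner would want: once you apply an access-group to the server interface, the default "high to low is permitted" behaviour is gone and only what the ACL permits passes; and the ASA does not track ICMP echo/echo-reply as a connection unless icmp inspection is enabled, so when testing with ping from the server, the echo-reply arriving on the lower-security client interface is otherwise evaluated as a new flow and must be permitted by that interface's ACL.

```cisco
! Physical trunk port towards the Catalyst 3560 (assumed Ethernet0/1)
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per VLAN; the security level lives on the subinterface
interface Ethernet0/1.104
 vlan 104
 nameif server
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.111
 vlan 111
 nameif client
 security-level 20
 ip address 192.168.129.1 255.255.255.0
!
! Only needed where two interfaces share the same security level
same-security-traffic permit inter-interface
!
! Option A: NAT exemption (nat 0) so the server VLAN reaches the client VLAN with real addresses.
! nat 0 is evaluated before any other nat statement for the interface.
access-list SERVER_NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.129.0 255.255.255.0
nat (server) 0 access-list SERVER_NONAT
!
! Option B: dynamic PAT behind 192.168.129.20, as described in the thread.
! With option A present, these only apply to server-VLAN traffic not matched by SERVER_NONAT.
global (client) 1 192.168.129.20
nat (server) 1 192.168.10.0 255.255.255.0
!
! Lower-security client VLAN reaching the syslog server: explicit ACL, applied inbound.
! Everything not permitted here is dropped.
access-list CLIENT_IN extended permit icmp host 192.168.129.89 host 192.168.10.10
access-list CLIENT_IN extended permit udp 192.168.129.0 255.255.255.0 host 192.168.10.10 eq syslog
access-group CLIENT_IN in interface client
!
! Track echo/echo-reply as a connection so replies to the server's pings are allowed back
! without a separate ACL entry on the client interface.
policy-map global_policy
 class inspection_default
  inspect icmp
```

The global_policy and inspection_default names are the ASA's default global service policy; adding inspect icmp there is the usual way to make ping stateful. If you choose option A, the server's real address 192.168.10.10 is what the client sees, which is why the CLIENT_IN entries reference it directly.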

New Member

Re: New to Cisco devices - help with ASA-5510 routing

Thanks for the swift replies. Here's what I have, but not sure it is working:

* Server on VLAN 104 with security level of 100    [ip 192.168.10.10]

* Client PC on VLAN 111 with security level of 20 [ip 192.168.129.89]

* NAT translation for server-vlan to client-vlan allowing any on server-vlan to use PAT for 192.168.129.20

* Specific ACL for client PC (192.168.129.89) to get to server (192.168.10.10) allowing ALL ICMP traffic

I am trying to test my setup by pinging client from the server, but to no avail. I am missing something, I am sure.

--Jayesh

Cisco Employee

Re: New to Cisco devices - help with ASA-5510 routing

Disable the firewall on the client.

First, see if you can ping the client from the firewall.

New Member

Re: New to Cisco devices - help with ASA-5510 routing

I am able to ping the client using the Ping utility on the ASDM and specifying the client interface.

I am fairly certain that the client machine is not using a firewall.

Cisco Employee (accepted solution)

Re: New to Cisco devices - help with ASA-5510 routing

In the ASDM you will have a tool called Packet Tracer. Could you please run that for traffic from server IP to client IP and paste the results? It will tell where the traffic is getting dropped.
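The same check from the ASA command line, as an added example from the editor rather than commands posted in the thread. It assumes the interface names server and client and the addresses given earlier in the thread. Packet Tracer injects a synthetic packet and reports the verdict of each phase (route lookup, ACL, NAT, inspection); it proves what the configuration would do with such a packet, not that the real packet ever arrives, so pair it with a capture on the egress interface.

```cisco
! The server's echo-request as it enters the server interface (ICMP type 8, code 0)
packet-tracer input server icmp 192.168.10.10 8 0 192.168.129.89 detailed
!
! The client's echo-reply as it enters the client interface (ICMP type 0, code 0).
! Without "inspect icmp" this is evaluated as a new flow and must be permitted
! by the ACL applied inbound on the client interface.
packet-tracer input client icmp 192.168.129.89 0 0 192.168.10.10 detailed
!
! Confirm real packets: capture ICMP on both interfaces, then ping from the server
capture SRV interface server match icmp any any
capture CLI interface client match icmp any any
show capture SRV
show capture CLI
!
! Any ICMP connections the ASA is tracking (only present with inspect icmp enabled)
show conn protocol icmp
!
! Remove the captures when done; they consume memory and stay until cleared
no capture SRV
no capture CLI
```

If the request shows up in CLI but no reply does, the client host is not answering (host firewall, wrong default gateway); if the reply shows up in CLI but never in SRV, the ASA dropped it, and the second packet-tracer line shows which phase did so.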

New Member

Re: New to Cisco devices - help with ASA-5510 routing

I had to first update the ASA/ASDM software. That is now done and I ran the Packet Tracer. I attached pictures and it doesn't show any problems for the 'echo' and 'echo-reply' packets to get through. However, when I run 'ping' from a command line on the server, there is no response.

Thoughts? Thanks.

--Jayesh

New Member

Re: New to Cisco devices - help with ASA-5510 routing

Can you attach your current ASA configuration? 
