Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

No traffic from Outside1 (Security level 100) attached Networks to DMZ and Viceversa

I have an ASA5510, i configured an Outside, 1 DMZ and 2 interfaces 100 security level (Outside1 and Inside). I can ping and have fluid traffic between DMZ and Inside interface, but don't have any kind of traffic between DMZ and the Outside1. I wrote the same configuration for both 100 Security Level interfaces. Also I have connected a Cisco 892 router to Outside1. When i have attached a computer instead of 892, traffic between Outside1 and DMZ is fluid. i need to have fluid traffic between networks connected to 892

Someone can help me? Here are the 2 configs:

ASA5510:

: Saved

:

ASA Version 8.2(1)

!

hostname ASAFCHFW

domain-name a.b.c

enable password 6Jfo5anznhoG00fM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

 nameif Outside

 security-level 0

 ip address x.y.z.162 255.255.255.248

!

interface Ethernet0/1

 nameif Outside1

 security-level 100

 ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/2

 nameif DMZ

 security-level 10

 ip address 172.16.31.1 255.255.255.0

!

interface Ethernet0/3

 nameif Inside

 security-level 100

 ip address 192.168.0.1 255.255.255.0

!

interface Management0/0

 nameif management

 security-level 100

 ip address 192.168.1.1 255.255.255.0

 management-only

!

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

 domain-name farmaciachavez.com.bo

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list dmz_in extended permit tcp host 172.16.31.2 any eq domain

access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp

access-list dmz_in extended permit tcp host 172.16.31.2 any eq www

access-list dmz_in extended permit tcp host 172.16.31.2 any eq https

access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000

access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000

access-list Inside extended permit ip any any

access-list Inside extended permit icmp any any

access-list 100 extended permit tcp any host x.y.z.163 eq smtp

access-list 100 extended permit udp any host x.y.z.163 eq domain

access-list 100 extended permit tcp any host x.y.z.163 eq https

access-list 100 extended permit tcp any host x.y.z.163 eq www

access-list 100 extended permit tcp any host x.y.z.163 eq 3000

access-list 100 extended permit tcp any host x.y.z.163 eq 1000

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu Outside 1500

mtu Outside1 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit host 192.168.0.22 Outside

icmp permit 192.168.0.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Outside1

icmp permit 172.16.31.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 DMZ

icmp permit 192.168.2.0 255.255.255.0 Inside

icmp permit 192.168.0.0 255.255.255.0 Inside

icmp permit 172.16.31.0 255.255.255.0 Inside

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (Outside1) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

static (DMZ,Outside) x.y.z.163 172.16.31.0 netmask 255.255.255.255

static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (Outside1,Inside) 172.1.1.0 172.1.1.0 netmask 255.255.255.0

static (DMZ,Outside1) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

static (Outside1,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (Outside1,Inside) 172.1.2.0 172.1.2.0 netmask 255.255.255.0

static (Outside1,Inside) 172.1.3.0 172.1.3.0 netmask 255.255.255.0

static (Outside1,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

static (Outside1,DMZ) 172.1.1.0 172.1.1.0 netmask 255.255.255.0

access-group dmz_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 x.y.z.161 20

route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1

route Outside1 172.1.2.0 255.255.255.0 192.168.2.2 1

route Outside1 172.1.3.0 255.255.255.0 192.168.2.2 1

route Outside1 192.1.0.0 255.255.192.0 192.168.2.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 192.168.0.0 255.255.255.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:7441424d1fcf87c3eb837b569e84aa9e

: end

Cisco 892:

Current configuration : 3296 bytes
!
! Last configuration change at 01:15:13 UTC Tue Apr 29 2014 by eguerra
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterHQFCH
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 
!
no aaa new-model
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1580540949
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1580540949
 revocation-check none
 rsakeypair TP-self-signed-1580540949
!
!
crypto pki certificate chain TP-self-signed-1580540949
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31353830 35343039 3439301E 170D3134 30343134 31393433
  30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35383035
  34303934 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BC61 7D5F7F47 65203EC9 1207B83F 19EC7AC3 00404F99 A89FD64B 1F0F659F
  E99062C2 3BB1E517 075BAF59 D361FFC9 4F872A14 A7528061 CF936F40 D03F234B
  5641147F D2B4AB7D 9E10F36A 087F511B F68ABC6E 98F96C74 8EF5084B F490D91B
  0EC05671 D8C5B7DD EE8F48C2 CD76F7C9 B8405DD6 42375B3C 8D04FDEF 555D0FA0
  0FDF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14FCB587 54EE2C1B 2B6DB648 A6FC0ECF 85062C8F 6A301D06
  03551D0E 04160414 FCB58754 EE2C1B2B 6DB648A6 FC0ECF85 062C8F6A 300D0609
  2A864886 F70D0101 05050003 81810033 A196E361 A273E890 146EF605 D7AB9235
  52BA28F8 A526D8AE CD903257 E4E81C76 C85FBCD4 201DFF90 11FB1617 9210037E
  B66299B3 FB2173D2 AFEC9B52 D2221BEA 9B8CC180 BE36F3AB D5811F9F 401043B0
  4BDA8647 897D8FE7 6D753C4F 3C76A493 2C260C22 24E966EB BEE54A2A 51D58F21
  23080B9D 9C5FD690 62C6B0C9 30C3AA
        quit
license udi pid C892FSP-K9 sn FTX180484TB
!
!
username servicios privilege 15 password 7 
username eguerra privilege 15 password 7 
!
!
!
!
!
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address 172.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet9
 ip address 172.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
 ip address 192.168.100.200 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip route 172.16.31.0 255.255.255.0 192.168.2.1
ip route 192.168.0.0 255.255.255.0 192.168.2.1
!
!
!
control-plane
!
!
!
line con 0
 password 7 
 login
 no modem enable
line aux 0
line vty 0 4
 password 7 
 login local
 transport input all
!
scheduler allocate 20000 1000
!
end

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

FYI, we got this working!

FYI, we got this working!

 

Please mark this as answered please!

Value our effort and rate the assistance!
15 REPLIES
Hall of Fame Super Silver

The routes on the ASA that

The routes on the ASA that use Outside1  are set to your router's VLAN1 address at 192.168.2.2. Can you confirm that you can ping that address when your ASA is connected to the router?

New Member

When I add the following line

When I add the following line in 892 i can ping from ASA:

access-list 101 permit ip any any

 

 

Silver

So, my question would be, why

So, my question would be, why are you configuring same security traffic interfaces? What are you trying to accomplish?

Value our effort and rate the assistance!
New Member

Well, Outside1 will be

Well, Outside1 will be connected to our branch offices. Those offices will be connected by Antennas and Optical Fiber. Those branch offices must connect just to Inside and DMZ, cannot use Internet

Silver

If it's a branch office then

If it's a branch office then I guess that it would be best to actually maintain a security level lower than inside and then filter via ACL to witch address your branch office should access.

 

Suggestion: Security level 95 and specify corresponding NAT or NAT exemptions needed.

 

If you need help setting this up please let me know.

Value our effort and rate the assistance!
New Member

Yes Jumora, i will need help

Yes Jumora, i will need help on this

Silver

If you can give me details I

If you can give me details I can help you out. If you feel that posting directly on the forum might not be the best then just email me and I can look a what you are trying to accomplish.

 

FYI: I work at Cisco

Value our effort and rate the assistance!
New Member

Doesn't matter if use this

Doesn't matter if use this post. Info can be sueful for other users

Silver

Not if you can't post the

Not if you can't post the information, see forums are mostly used to ask questions without having to print out network details, but if it's not confidential information then please go ahead and post.

Value our effort and rate the assistance!
New Member

Jumora, I don't see any

Jumora, I don't see any confidential info, but if you want, can write me to rrhhempservit@gmail.com

Silver

Maybe I did not understand

Maybe I did not understand what you are trying to accomplish. What I mentioned was to make your ACL configuration better, meaning more secure. Changing the security level just helps understand that you are not coming from a site that does not require ACLs, thus from lower to higher security interfaces you need to place ACLs, then there is a hole other world regarding NAT/PAT that involve same security interfaces that sometimes confuse customers so I also wanted to avoid that for you.

To enforce security between interfaces you need to know what protocols and ports are being used by servers that reside behind the higher security interface so you only open what is needed then block the rest to that higher security interface.

Value our effort and rate the assistance!
New Member

Jumora, i understood what you

Jumora, i understood what you are trying to do. You will help me to secure this infrastructure and help me correcting problems i have. I am agree with things you are trying to do. Please give me your email and i will write ASAP. 

 

Thanks in advance

New Member

Jumora, are you connected?, I

Jumora, are you connected?, I've already sent email

Silver

FYI, we got this working!

FYI, we got this working!

 

Please mark this as answered please!

Value our effort and rate the assistance!
Silver

Email me at jumora@cisco.com

Email me at jumora@cisco.com

Value our effort and rate the assistance!
279
Views
0
Helpful
15
Replies
CreatePlease to create content