03-21-2012 11:00 AM - edited 03-07-2019 05:42 AM
I know this is a pretty typical way to start this off but I am a bit of a newbie with VLANs and Cisco equipment. I am attempting to set up communication between 2 VLANs. This setup is between two separate medical practices: Client1, who I have access to, and Client2, which is not managed by me. I have access to only one of the practice's equipment. I have physically attached a cable from their switch to my ASA in an attempt to get access to a shared server on Client2's network. I have created a VLAN called dmz to allow access from Client1 to Client2. So far I am able to access the server from Client1 but I need to enable bi-directional access from Client2 to Client1's network. Namely to enable the ability for the server at Client2 to contact a printer on Client1's network. I have a Visio that I have attached and the show run is also attached.
Can anyone point me in the right direction?
03-21-2012 01:35 PM
access-list NAT-TO-OUTSIDE extended deny ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
03-21-2012 11:08 AM
Hi,
As I saw in the config you do not want NAT, so the easy way:
no nat-control
This will disable the requirement to NAT the inside source flows, without identity NAT.
Regards
Dan
03-21-2012 11:18 AM
Dan,
thanks for the reply but when I issued that command it didn't change the situation.
the way I am testing this is I have a machine that I am remotely connected to at each client site. At Client2, who I do not have access to their firewall, I have added a static route on the PC to route all traffic for 192.168.51.0/24 to the dmz vlan IP on my ASA.
I am still able to ping the machine on client2's network FROM client1 but not vice versa.
thanks for your help.
Micah
03-21-2012 11:24 AM
Hi Micah,
The thing is that for example the Med Manager Server has to have a route for the 192.168.51.0/24 to 192.168.50.217, which is the ASA FW. I suppose that there is no Layer 3 equipment in vlan 12 besides the 2 firewalls.
Regards
Dan
03-21-2012 11:28 AM
I can bet that your ping works from 192.168.51.0 to 192.168.50.0. Why?
You have nat in place
global (dmz) 2 interface
nat (inside) 2 access-list inside_nat_outbound
And all the traffic from 192.168.51.0 is SNATed to the ASA interface IP.
Regards
Dan
03-21-2012 11:40 AM
Correct, so if I remove the NAT and ensure that I have a route added on the 192.168.50.0 machines to point to 192.168.50.217 I should be able to get bi-directional traffic?
03-21-2012 11:49 AM
Yes, you are correct.
You will be able to have bidirectional traffic also using static NAT: each 192.168.51.0 host will have a 192.168.50.x address.
As an example: static (inside,dmz) 192.168.50.50 192.168.51.51
The 192.168.50.x hosts can communicate with 192.168.51.51 using 192.168.50.50 destination address.
First solution: it's simpler, but you have to add the route on the hosts.
Second solution: depends on how many addresses are used in 192.168.50.x and how many hosts in 192.168.51.x need to talk with the other client.
Dan
03-21-2012 11:53 AM
What specific commands do I need to run to remove NAT only on the traffic between the inside and the dmz network? I don't want to remove NAT between inside and outside.
03-21-2012 11:44 AM
Keep in mind that I do need to NAT traffic coming from the inside interface to the outside interface.
03-21-2012 11:45 AM
Also, you are correct. I only have the layer 2 switches and the firewall. No other equipment.
03-21-2012 11:54 AM
Ok, then:
no nat-control
no global (dmz) 2 interface
no nat (inside) 2 access-list inside_nat_outbound
+
route 192.168.51.0/24 -> 192.168.50.217
Furthermore if you do not need to nat anything you can delete all nat & global config.
Regards
Dan
03-21-2012 12:19 PM
Okay, I removed those lines from the config and now I am not able to ping from either side. I also removed these lines:
nat (dmz) 0 access-list dmz_nat0_outbound
access-list dmz_nat0_outbound extended permit ip any any
but it didn't help, currently with those lines removed I no longer have traffic from either side. Any thoughts?
here is the current config with those lines removed. Do I have to make changes to the access-lists as well?
: Saved
:
ASA Version 8.2(5)
!
hostname TEXASVOICE
names
name 192.168.50.4 NETMEN
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.51.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.25.10.31 255.255.255.0
!
interface Vlan12
no forward interface Vlan2
nameif dmz
security-level 100
ip address 192.168.50.217 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit tcp 10.1.100.0 255.255.255.0 192.168.51.0 255.255.255.0 eq 9100
access-list outside_access_in extended permit tcp 10.1.100.0 255.255.255.0 192.168.51.0 255.255.255.0 eq lpd
access-list DATACENTER-VPN extended permit ip 192.168.51.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list nonatvpn extended permit ip 192.168.51.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list inside_nat_outbound extended permit ip any 192.168.50.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list dmz_access_out extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonatvpn
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
route outside 0.0.0.0 0.0.0.0 172.25.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address DATACENTER-VPN
crypto map outside_map 1 set peer 69.39.160.194
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 10.110.12.8 10.120.62.15
dhcpd auto_config outside
!
dhcpd address 192.168.51.100-192.168.51.199 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 69.39.160.194 type ipsec-l2l
tunnel-group 69.39.160.194 ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6addb3d103a9d829f96d5a1fa9b7ffad
: end
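The symptom in the post above (no traffic in either direction once `global (dmz) 2` and `nat (inside) 2` were removed) comes from ASA 8.2's NAT lookup order, not from routing or the access lists: the flow from 192.168.51.x to 192.168.50.x still matches `nat (inside) 1 0.0.0.0 0.0.0.0`, but there is no `global (dmz) 1`, so the ASA drops it ("No translation group found"). A `nat 0` exemption, or a deny ACE in a policy-NAT ACL as in the accepted solution, takes the flow out of that nat statement so it passes untranslated while Internet-bound traffic keeps its PAT. The script below is an added example (not from the thread or from Cisco) that replays that lookup order over a condensed copy of the posted config and over the same config with the accepted solution applied. The `permit ip 192.168.51.0 255.255.255.0 any` ACE and the `nat (inside) 1 access-list NAT-TO-OUTSIDE` line are this example's assumption about how the `NAT-TO-OUTSIDE` ACL was wired in; the thread only shows the deny ACE. Only the config keywords the model needs are parsed; everything else is ignored.

```python
"""Replay ASA 8.2 NAT selection for a (src, dst) flow.

Order modelled: 1) nat 0 access-list / nat 0 net (exemption, identity),
2) policy NAT (nat <id> access-list), 3) regular nat (nat <id> net mask).
A matched nat <id> with no global <id> on the egress interface is a drop
(syslog 305005). With nat-control off, the 8.x default, an unmatched flow
passes untranslated. Parsed: interface/nameif/ip address, route,
access-list ... ip, nat, global, nat-control. Added example, not Cisco code.
"""
import ipaddress

# Condensed from the config posted in the thread (addresses as posted).
POSTED_CONFIG = """
interface Vlan1
 nameif inside
 ip address 192.168.51.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 172.25.10.31 255.255.255.0
interface Vlan12
 nameif dmz
 ip address 192.168.50.217 255.255.255.0
access-list nonatvpn extended permit ip 192.168.51.0 255.255.255.0 10.1.100.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonatvpn
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.25.10.1 1
"""

# Accepted solution's deny ACE; the permit ACE and the policy-NAT line are
# this example's assumption of how that ACL was attached (not in the thread).
FIXED_CONFIG = POSTED_CONFIG.replace(
    "nat (inside) 1 0.0.0.0 0.0.0.0",
    "access-list NAT-TO-OUTSIDE extended deny ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0\n"
    "access-list NAT-TO-OUTSIDE extended permit ip 192.168.51.0 255.255.255.0 any\n"
    "nat (inside) 1 access-list NAT-TO-OUTSIDE",
)


def _net(addr, mask):
    return ipaddress.IPv4Network((addr, mask), strict=False)


def _acl_object(tok, i):
    """Parse one ACE address object at tok[i]: any | host A | A MASK."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1]), i + 2
    return _net(tok[i], tok[i + 1]), i + 2


def parse(text):
    cfg = {"ifaces": {}, "acls": {}, "nat": [], "globals": set(),
           "routes": [], "nat_control": False}
    cur = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur = {}
        elif tok[0] == "nameif":
            cur["name"] = tok[1]
        elif tok[:2] == ["ip", "address"] and cur is not None and "name" in cur:
            cfg["ifaces"][cur["name"]] = _net(tok[2], tok[3])
        elif tok in (["nat-control"], ["no", "nat-control"]):
            cfg["nat_control"] = tok[0] != "no"
        elif tok[0] == "access-list" and tok[2:5] in (["extended", "permit", "ip"], ["extended", "deny", "ip"]):
            src, i = _acl_object(tok, 5)
            dst, _ = _acl_object(tok, i)
            cfg["acls"].setdefault(tok[1], []).append((tok[3], src, dst))
        elif tok[0] == "nat":
            rule = {"ifc": tok[1].strip("()"), "id": int(tok[2])}
            if tok[3] == "access-list":
                rule["acl"] = tok[4]
            else:
                rule["net"] = _net(tok[3], tok[4])
            cfg["nat"].append(rule)
        elif tok[0] == "global":
            cfg["globals"].add((tok[1].strip("()"), int(tok[2])))
        elif tok[0] == "route":
            cfg["routes"].append((tok[1], _net(tok[2], tok[3])))
    return cfg


def _longest(candidates, addr):
    best = None
    for name, net in candidates:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def acl_action(cfg, name, src, dst):
    """First matching ACE wins, as on the ASA; None if nothing matches."""
    for action, s, d in cfg["acls"].get(name, []):
        if src in s and dst in d:
            return action
    return None


def nat_decision(cfg, src, dst):
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    ifc_in = _longest(cfg["ifaces"].items(), src)             # connected net
    ifc_out = _longest(list(cfg["ifaces"].items()) + cfg["routes"], dst)
    rules = [r for r in cfg["nat"] if r["ifc"] == ifc_in]
    # 1) nat 0: exemption ACL or identity net, checked before any other nat
    for r in rules:
        if r["id"] == 0 and (("acl" in r and acl_action(cfg, r["acl"], src, dst) == "permit")
                             or ("net" in r and src in r["net"])):
            return f"exempt ({ifc_in}->{ifc_out})"
    # 2) policy NAT (ACL-based) is consulted before 3) regular nat <id> net
    for r in [r for r in rules if r["id"] and "acl" in r] + [r for r in rules if r["id"] and "net" in r]:
        if "acl" in r and acl_action(cfg, r["acl"], src, dst) != "permit":
            continue                      # a deny ACE means "not this nat"
        if "net" in r and src not in r["net"]:
            continue
        if (ifc_out, r["id"]) in cfg["globals"]:
            return f"pat id {r['id']} ({ifc_in}->{ifc_out})"
        return f"dropped: nat id {r['id']} matched but no global ({ifc_out}) {r['id']}"
    if cfg["nat_control"]:
        return f"dropped: nat-control on, no translation ({ifc_in}->{ifc_out})"
    return f"untranslated ({ifc_in}->{ifc_out})"


if __name__ == "__main__":
    flows = (("192.168.51.50", "192.168.50.10"), ("192.168.50.10", "192.168.51.50"),
             ("192.168.51.50", "8.8.8.8"), ("192.168.51.50", "10.1.100.5"))
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse(text)
        for flow in flows:
            print(f"{label:6} {flow[0]:>14} -> {flow[1]:<14} {nat_decision(cfg, *flow)}")
```

Run as-is it prints the decision for both configs: on the posted config the inside-to-dmz flow is the only one dropped, the VPN flow is exempt via `nonatvpn`, and Internet traffic is PATed; on the fixed config the inside-to-dmz flow passes untranslated and the PAT to outside is unchanged. The return direction (dmz to inside) has no nat statement on the dmz interface and is untranslated either way, which is why the remaining requirement is purely the host route on the 192.168.50.x side that Dan keeps pointing at. The model deliberately ignores access lists and routing on the hosts, so a "passes untranslated" result here means the ASA will not drop the flow for NAT reasons, nothing more.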
03-21-2012 12:23 PM
Hi,
You have to add a route on the 192.168.50.x hosts for the 192.168.51.0/24 prefix toward the ASA interface 192.168.50.217. Did you add this route?
Regards
Dan
03-21-2012 12:26 PM
Yes, I have had that added for a while. I thought that was going to be the only hurdle.
Prior to these changes I was able to access the whole 192.168.50.x network from the 192.168.51.x network. Now I am not able to access anything from either network.
03-21-2012 12:36 PM
You will have to add this route on the 192.168.50.x host.
I suppose that the 192.168.50 host has a default route to the Juniper firewall, so all the packets outside 192.168.50.0 host (this includes 192.168.51.0) will be forwarded to the Juniper. In order to communicate through the ASA, you must add a route for 192.168.51.0 255.255.255.0 to 192.168.50.217.
Regards