ASA 5520 Config same-security-level Problem

pgatt62polly66
Level 1

Hi All

I thought that putting an IP address on the outside interface, the inside secure interfaces, a default route to the outside interface and a couple of NAT statements was all that was needed to get an ASA 5520 working. And that was basically all that was asked.
Like a lot of other stuff that I'm sure you've seen before, more and more requests were added to the original remit, to which I thought, OK, I know my way round this to a certain degree and I'm sure that I'll work out something or find a way round it using all the available stuff from Cisco and the web. (I've got a CCNP Switch exam under my belt, working on the rest, and CCNA Security and Wireless and Field Engineer qualifications, so to a degree consider myself quite knowledgeable. So I thought.)
Anyway, the more I tried to fix the problem the worse it became. I'm not convinced that it's too complicated but the solution is still eluding me.
What I tried to configure was a system with two separate inside networks for Data and Voice protected by an ASA 5520 which acts as a router and sole access to the outside world for both of these inside networks, but also as a device that would point to other connected legacy networks attached to a Nortel switch located somewhere deep in the system, which are ear-marked for migration to the ASA 5520 once the Nortel switch has been decommissioned, and some deny statements for email SMTP port 25.
After setting up and proving internet access for both inside networks G0/1 and G0/2 it was discovered that a ping could not get from either inside network to the other, and likewise to the outside G0/0 interface, although internet access was still available. I put an icmp inspect command into the global policy but this didn't work, so I did a kind of static NAT/ip route fudge that seemed to sort the ping problem out. However, when adding commands for VPN tunnels I lost the ping functionality.
This is where, after trying to work out a solution for over an hour, I started grasping at straws, which may explain some commands in my config that don't make any sense. I just couldn't see where I had gone wrong.
Anyway, the customer is content enough with firewall-protected internet access but it's not sitting well with me professionally that I've not provided them with all that they asked for.
My config as it stands now has probably a few commands that shouldn't be there and undoubtedly some that should, but I fear I'm now a bit out of my depth.
Ignoring the routes to the other networks via the Nortel switch, what I ultimately need, and I know this is asking a lot, is for someone to take my configuration, correct it and let me see where I've gone wrong. Many thanks

******************************************************************************************************************

:
ASA Version 8.2(1)
!
hostname ISC-EDI-ASWFW
domain-name iscinternal.com
enable password DVYtjzRh.k2l3Eyj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address XX.XX.XX.154 255.255.255.248
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside1
 security-level 100
 ip address 172.24.19.252 255.255.252.0
!
interface GigabitEthernet0/2
 speed 100
 duplex full
 nameif inside2
 security-level 100
 ip address 172.24.23.254 255.255.252.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup inside1
dns domain-lookup inside2
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 172.24.16.2
 name-server 172.24.0.10
 name-server XX.XX.XX.6
 domain-name iscinternal.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 172.24.8.0 255.255.252.0
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 172.24.20.0 255.255.252.0
access-list VPN-NONAT extended permit ip 172.24.20.0 255.255.252.0 172.24.16.0 255.255.252.0
access-list EDI-BRUSS extended permit ip 172.24.16.0 255.255.252.0 172.24.8.0 255.255.252.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging monitor notifications
logging trap errors
logging asdm informational
logging host inside1 172.24.16.2
mtu management 1500
mtu inside1 1500
mtu inside2 1500
mtu outside 1500
ip local pool VPN-POOL 192.168.10.1-192.168.10.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.24.20.0 255.255.252.0 inside1
icmp permit 172.24.16.0 255.255.252.0 inside2
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list VPN-NONAT
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list VPN-NONAT
nat (inside2) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.153 1
route inside1 172.24.0.0 255.255.252.0 172.24.19.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACCESS-SRVR protocol radius
aaa-server ACCESS-SRVR (inside1) host 172.24.16.2
 key Fountain42!
aaa authentication serial console ACCESS-SRVR LOCAL
aaa authentication ssh console ACCESS-SRVR LOCAL
aaa authentication enable console ACCESS-SRVR LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.24.16.0 255.255.252.0 inside1
http 172.24.20.0 255.255.252.0 inside2
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN-TRSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map EDI-BRUSS 10 match address EDI-BRUSS
crypto map EDI-BRUSS 10 set pfs
crypto map EDI-BRUSS 10 set peer XX.XX.XX.18
crypto map EDI-BRUSS 10 set transform-set VPN-TRSET
crypto map EDI-BRUSS 10 set security-association lifetime seconds 25200
crypto map EDI-BRUSS interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 25200
telnet timeout 5
ssh 172.24.16.0 255.255.252.0 inside1
ssh 172.24.20.0 255.255.252.0 inside2
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 62.206.250.163 source outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy ANYCONNECT-POLICY internal
group-policy ANYCONNECT-POLICY attributes
 dns-server value 172.24.16.2 172.24.0.10
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc keep-installer installed
  svc ask enable default svc timeout 20
username admin password we1JsUwd6pW4pQ2W encrypted
username dancoop password NFAr6PJhZEifx4Wo encrypted
username dancoop attributes
 service-type remote-access
tunnel-group telecommuters type remote-access
tunnel-group TELECOMMUTERS type remote-access
tunnel-group TELECOMMUTERS general-attributes
 address-pool VPN-POOL
 default-group-policy ANYCONNECT-POLICY
tunnel-group TELECOMMUTERS webvpn-attributes
 group-alias sslgroup-users enable
tunnel-group XX.XX.XX.18 type ipsec-l2l
tunnel-group XX.XX.XX.18 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c410cd0af890f5fb81df2852aea8f4fb
: end

2 Replies

wayneshum80
Level 1

Once the ASA has dynamic NAT enabled to an outside interface, routing between same-security-level interfaces will not work.

You need to add route exempt for the inside interfaces to all private subnets.

Thanks for that Wayne, I'll check that out in the lab and look up route exempt commands.

I don't get much hands-on with ASAs, cheers

Pat
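The reply above turns on whether inside-to-inside traffic is caught by the `nat (ifc) 1 0.0.0.0 0.0.0.0` rule or exempted by the `nat (ifc) 0 access-list` entry. As an added example (not part of the original thread), here is a small Python checker for the pre-8.3 NAT syntax this config uses: it reads the interface subnets, the nat 0 exemption ACL per interface and the ACL entries, then reports which pairs of dynamically NATed interfaces have no exemption covering their mutual traffic. The sample config is constructed and deliberately leaves out the two inside1/inside2 entries that the posted VPN-NONAT list does carry, so the check first reports the gap and then shows those entries closing it.

```python
import ipaddress

# Constructed sample in ASA 8.2 (pre-8.3) NAT syntax, modelled on the posted config
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 nameif inside1
 ip address 172.24.19.252 255.255.252.0
interface GigabitEthernet0/2
 nameif inside2
 ip address 172.24.23.254 255.255.252.0
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 192.168.10.0 255.255.255.0
nat (inside1) 0 access-list VPN-NONAT
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list VPN-NONAT
nat (inside2) 1 0.0.0.0 0.0.0.0
"""
# Exemption entries that cover inside1 <-> inside2 directly (same shape as the posted ones)
INSIDE_EXEMPT = """
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 172.24.20.0 255.255.252.0
access-list VPN-NONAT extended permit ip 172.24.20.0 255.255.252.0 172.24.16.0 255.255.252.0
"""

# "address mask" -> IPv4Network of the containing subnet (strict=False drops host bits)
net = lambda addr, mask: ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Interface subnets, nat 0 ACL per interface, dynamically NATed interfaces, ACL src/dst pairs."""
    subnets, exempt, dynamic, acls, cur = {}, {}, set(), {}, None
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[0] == "nameif":
            cur = t[1]
        elif t[:2] == ["ip", "address"] and cur:
            subnets[cur] = net(t[2], t[3])
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            exempt[t[1].strip("()")] = t[4]          # nat (ifc) 0 access-list NAME
        elif t[0] == "nat" and t[2] != "0":
            dynamic.add(t[1].strip("()"))            # nat (ifc) <id> ... -> PAT via global
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
    return subnets, exempt, dynamic, acls

def nat_exempt(parsed, src_if, dst_if):
    """True if all of src_if's subnet towards dst_if's subnet matches src_if's nat 0 ACL."""
    subnets, exempt, _, acls = parsed
    src, dst = subnets[src_if], subnets[dst_if]
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acls.get(exempt.get(src_if), []))

def nat_gaps(config):
    """Interface pairs whose traffic to each other would still be PATed to the outside address."""
    subnets, _, dynamic, _ = parsed = parse(config)
    return sorted((a, b) for a in dynamic for b in dynamic
                  if a != b and a in subnets and b in subnets and not nat_exempt(parsed, a, b))
```

Run `nat_gaps(SAMPLE_CONFIG)` to list the uncovered pairs, and `nat_gaps(SAMPLE_CONFIG + INSIDE_EXEMPT)` to confirm the two extra entries clear them.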
