11-11-2006 08:09 AM - edited 03-09-2019 04:51 PM
I have linked my asa5520 as:
cat6(access port) -> (outside)ASA5520
cat6 (trunk port) -> (inside)-> vlan101 and vlan 102
Since I need to let people see the inside machines, I have used "no nat-control".
I configured the asa5520 as:
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.101
vlan 101
nameif vlan101
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.102
vlan 102
nameif vlan102
security-level 100
ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.1.3.9 255.255.255.0
access-list outside extended permit icmp any any log
access-list outside extended permit icmp interface outside interface vlan101
access-group outside in interface outside
On the cat6, I have added static routes:
ip route 10.1.1.0 255.255.255.0 10.1.3.1
ip route 10.1.2.0 255.255.255.0 10.1.3.1
Currently:
From the asa5520 box, I can ping any outside machine, but not any inside machine (10.1.1.12 or 10.1.2.12).
From outside, I can ping the outside interface (10.1.3.9), but not the inside interface 10.1.1.1 and not the inside machine 10.1.1.12.
From the inside machine 10.1.1.12, I cannot ping anything.
Please advise me on what I did wrong.
Thanks in advance
11-12-2006 08:35 PM
Have you applied the "same-security-traffic permit inter-interface" command? Allowing communication between same-security interfaces (enabled by the same-security-traffic inter-interface command) provides the following benefits:
- You can configure more than 101 communicating interfaces. If you use different levels for each interface, you can configure only one interface per level (0 to 100).
- You can allow traffic to flow freely between all same-security interfaces without access lists.
This is required since both of your Vlan101 and Vlan102 interfaces are set to use the same security level, 100:
hostname(config)# same-security-traffic permit inter-interface
hostname(config)#static (vlan101,vlan102) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
hostname(config)#static (vlan102,vlan101) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
Please rate all useful post(s).
HTH
AK
11-12-2006 08:38 PM
Also, for a quick test, open up a test ACL and apply it on both the Vlan101 and Vlan102 interfaces:
ACL on Vlan 101:
access-list vlan101 permit icmp any any
access-list vlan101 permit ip any any
access-group vlan101 in interface vlan101
ACL on Vlan 102:
access-list vlan102 permit icmp any any
access-list vlan102 permit ip any any
access-group vlan102 in interface vlan102
Use the above ACLs to test ping/reachability between the two Vlans. You can remove or customize them as per your requirement.
HTH
AK
11-11-2006 09:04 PM
From the outside segment, you definitely cannot ping the ASA inside interface IP (10.1.1.1 - vlan101). This is the default setting/rule of the firewall. You can only ping the interface directly connected to the segment from which you initiate the ping.
But you should be able to ping the inside host 10.1.1.12 if you set no NAT/translation. In this case, you should have something like:
static (vlan101,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (vlan102,outside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
The above static commands allow your outside hosts to talk to inside hosts (without any translation) using their original IPs (vlan 101 & 102).
Also, make sure all machines in Vlan101 and Vlan102 use 10.1.1.1 and 10.1.2.1 as their respective gateways.
Other than that, routing on the ASA should be as follows:
route outside 0.0.0.0 0.0.0.0 10.1.3.x ---> vlan interface IP on switch-side connected to ASA outside interface/port.
On the switch side, make sure the routing points to the ASA outside interface IP, as follows:
ip route 10.1.1.0 255.255.255.0 10.1.3.9
ip route 10.1.2.0 255.255.255.0 10.1.3.9
*Optional - if your inside hosts (from vlan 101 or 102) are still unable to access outside hosts, try adding ACLs and applying them on their respective interfaces:
access-list vlan101-to-outside permit icmp any any
access-list vlan101-to-outside permit tcp any any
access-list vlan101-to-outside permit udp any any ---> can also use 'ip' to replace tcp & udp keyword
access-group vlan101-to-outside in interface vlan101
access-list vlan102-to-outside permit icmp any any
access-list vlan102-to-outside permit tcp any any
access-list vlan102-to-outside permit udp any any ---> can also use 'ip' to replace tcp & udp keyword
access-group vlan102-to-outside in interface vlan102
*PIX/ASA will automatically add the 'extended' keyword to the ACL.
For your outside ACL, modify it to:
access-list outside-01 extended permit icmp any any log
access-list outside-01 extended permit tcp any any log
access-list outside-01 extended permit udp any any log ---> can also use 'ip' to replace tcp & udp keyword
access-group outside-01 in interface outside
For any ACLs, you can narrow access by permitting only the necessary TCP/UDP ports and denying all others using 'access-list XXXX deny ip any any'.
BTW, do you need to allow Vlan101 and Vlan102 to talk to each other? Use the "same-security-traffic permit inter-interface" command, and add subnet static mappings between them:
static (vlan101,vlan102) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (vlan102,vlan101) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
HTH
AK
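The three fixes AK walks through above (the same-security-traffic command for interfaces at equal levels, an ACL bound to the interface it was written for, and an identity static toward outside for each inside subnet) can be checked against a saved config. The following linter is an added example, not code from this thread or from Cisco: it parses only the command forms used in the thread, the sample config is constructed from the poster's interfaces, and the "ACL name starts with another interface's name" rule is a heuristic assumption of mine.

```python
import re
# Constructed sample: the poster's interfaces plus the ACL-binding slip noted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0.101
 nameif vlan101
 security-level 100
interface GigabitEthernet0/0.102
 nameif vlan102
 security-level 100
interface GigabitEthernet0/1
 nameif outside
 security-level 0
access-list outside extended permit icmp any any log
access-group outside in interface outside
access-list vlan102-to-outside extended permit ip any any
access-group vlan102-to-outside in interface vlan101
static (vlan101,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
"""

def lint_asa(config):
    levels, bindings, identity, nameif, inter_iface = {}, {}, set(), None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif line.startswith("access-group "):
            bindings[line.split()[4]] = line.split()[1]   # interface -> ACL name
        elif line == "same-security-traffic permit inter-interface":
            inter_iface = True
        elif line.startswith("static "):  # local == global is an identity (no-translation) static
            m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line)
            if m and m.group(3) == m.group(4):
                identity.add((m.group(1), m.group(2)))
    findings, names = [], sorted(levels)
    # 1. Interfaces sharing a level cannot talk without the same-security command.
    shared = sorted({v for v in levels.values() if list(levels.values()).count(v) > 1})
    if shared and not inter_iface:
        findings.append(f"security level(s) {shared} shared, missing same-security-traffic permit inter-interface")
    # 2. Heuristic: an ACL named after another interface is probably bound to the wrong one.
    for iface, acl in bindings.items():
        for other in names:
            if other != iface and acl.startswith(other):
                findings.append(f"{iface}: ACL {acl} looks intended for {other}")
    # 3. Each inside interface needs an identity static toward outside to be reachable.
    for iface in names:
        if levels[iface] > 0 and (iface, "outside") not in identity:
            findings.append(f"{iface}: no identity static toward outside")
    return findings
```

Running `lint_asa(SAMPLE_CONFIG)` reports all three problems; adding the same-security-traffic command, rebinding the ACL to vlan102 and adding the vlan102 identity static clears them.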
11-12-2006 08:20 PM
AK,
Great thanks for your help, I have succeeded with some of them:
I have added the four static commands and now:
I can connect from any outside machine to the inside PCs (10.1.1.12 and 10.1.2.12).
But I still cannot make the two inside PCs talk to each other.
error:
%ASA-3-106100: Deny inbond icmp src vlan101:10.1.1.12 dst vlan102 10.1.2.12(type 8, code 0)
I have tried putting:
access-list v101-to-v102 extended permit icmp any any log
access-list v101-to-v102 extended permit ip any any log
access-group v101-to-v102 in interface vlan101
and did the same for vlan102, but it seems worse.
Please advise.
JX
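The deny message JX quotes above can be triaged automatically against the interface levels from the original post: the pair of interfaces in the message tells you which of the thread's fixes applies. This is an added example, not code from the thread; the sample log lines are constructed in the shape of the quoted message (the first keeps its exact spelling and spacing, the rest use the usual "iface:ip" form), and the hints restate what AK recommends for each direction.

```python
import re
from collections import Counter

# Interface security levels from the original poster's configuration.
LEVELS = {"vlan101": 100, "vlan102": 100, "outside": 0}

# Constructed sample lines in the shape of the deny message JX quoted; the first
# keeps the quoted spelling and spacing, the others use the usual "iface:ip" form.
SAMPLE_LOG = """\
%ASA-3-106100: Deny inbond icmp src vlan101:10.1.1.12 dst vlan102 10.1.2.12(type 8, code 0)
%ASA-3-106100: Deny inbound icmp src vlan102:10.1.2.12 dst vlan101:10.1.1.12 (type 8, code 0)
%ASA-3-106100: Deny inbound tcp src outside:10.1.3.50/4431 dst vlan101:10.1.1.12/22
%ASA-3-106100: Deny inbound icmp src vlan101:10.1.1.12 dst vlan102:10.1.2.12 (type 8, code 0)
"""

# Tolerates "inbond"/"inbound", an optional /port, and "dst iface ip" or "dst iface:ip".
DENY = re.compile(r"Deny inbou?nd (\w+) src (\w+):([\d.]+)(?:/\d+)? dst (\w+)[: ]([\d.]+)")

def classify_denies(log, levels=LEVELS):
    """Map (src_iface, dst_iface) -> (deny count, which fix from the thread applies)."""
    counts = Counter()
    for line in log.splitlines():
        m = DENY.search(line)
        if m:
            counts[(m.group(2), m.group(4))] += 1
    report = {}
    for (src, dst), n in counts.items():
        ls, ld = levels.get(src), levels.get(dst)
        if ls is None or ld is None:
            hint = "unknown interface name"
        elif ls == ld:
            hint = "same security level: needs same-security-traffic permit inter-interface plus a static between the two"
        elif ls < ld:
            hint = "low to high: needs an identity static and a permit in the ACL on the source interface"
        else:
            hint = "high to low: normally allowed; check the ACL applied on the source interface"
        report[(src, dst)] = (n, hint)
    return report
```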