
configure asa5520 help

julxu (Level 1)

I have linked my asa5520 as:

cat6(access port) -> (outside)ASA5520

cat6 (trunk port) -> (inside)-> vlan101 and vlan 102

since I need to let people see the inside machines, I have used "no nat-control"

I configured the asa5520 as:

interface GigabitEthernet0/0

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/0.101

vlan 101

nameif vlan101

security-level 100

ip address 10.1.1.1 255.255.255.0

!

interface GigabitEthernet0/0.102

vlan 102

nameif vlan102

security-level 100

ip address 10.1.2.1 255.255.255.0

!

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 10.1.3.9 255.255.255.0

access-list outside extended permit icmp any any log

access-list outside extended permit icmp interface outside interface vlan101

access-group outside in interface outside

on the cat6, I have added static routes:

ip route 10.1.1.0 255.255.255.0 10.1.3.1

ip route 10.1.2.0 255.255.255.0 10.1.3.1

Currently:

from the asa5520 box, I can ping any outside machine, but not any inside machine (10.1.1.12 or 10.1.2.12)

from outside, I can ping the outside interface (10.1.3.9), but not the inside interface 10.1.1.1 and not the inside machine 10.1.1.12

from the inside machine 10.1.1.12, I cannot ping anything.

Please advise me what I did wrong?

Thanks in advance


4 Replies

a.kiprawih (Level 7)

From the outside segment, you definitely cannot ping the ASA inside interface IP (10.1.1.1 - vlan101). This is the default behaviour/rule of the firewall. You can only ping the interface directly connected to the segment from which you initiate the ping.

But you should be able to ping the inside host 10.1.1.12 if you set no nat/translation. In this case, you should have something like:

static (vlan101,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

static (vlan102,outside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

The above static commands allow your outside hosts to talk to inside hosts (without any translation) using their original IPs (vlan 101 & 102).

Also, make sure all machines in Vlan101 and Vlan102 use 10.1.1.1 & 10.1.2.1 as their respective gateways.

Other than that, routing on the ASA should be as follows:

route outside 0.0.0.0 0.0.0.0 10.1.3.x ---> vlan interface IP on the switch side connected to the ASA outside interface/port.

On the switch side, make sure the routing points to the ASA outside interface IP, as follows:

ip route 10.1.1.0 255.255.255.0 10.1.3.9

ip route 10.1.2.0 255.255.255.0 10.1.3.9

*Optional - if your inside hosts (from vlan 101 or 102) are still unable to access outside hosts, try adding an ACL and applying it on their respective interface:

access-list vlan101-to-outside permit icmp any any

access-list vlan101-to-outside permit tcp any any

access-list vlan101-to-outside permit udp any any ---> can also use 'ip' to replace tcp & udp keyword

access-group vlan101-to-outside in interface vlan101

access-list vlan102-to-outside permit icmp any any

access-list vlan102-to-outside permit tcp any any

access-list vlan102-to-outside permit udp any any ---> can also use 'ip' to replace tcp & udp keyword

access-group vlan102-to-outside in interface vlan102

*PIX/ASA will automatically add 'extended' keyword to the ACL.

For your outside ACL, modify it to:

access-list outside-01 extended permit icmp any any log

access-list outside-01 extended permit tcp any any log

access-list outside-01 extended permit udp any any log ---> can also use 'ip' to replace tcp & udp keyword

access-group outside-01 in interface outside

For any ACL, you can narrow access by permitting only the necessary TCP/UDP ports, and deny all others using 'access-list XXXX deny ip any any'

BTW, do you need to allow Vlan101 and Vlan102 to talk to each other? Use the "same-security-traffic permit inter-interface" command. Add subnet static mappings between them:

static (vlan101,vlan102) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

static (vlan102,vlan101) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

http://www.cisco.com/en/US/partner/products/ps6120/products_command_reference_chapter09186a00805fb9eb.html

HTH

AK

AK,

Great thanks for your help, I have been successful with some of them:

I have added the four static commands and now:

I can connect from any outside machine to the inside PCs (10.1.1.12 and 10.1.2.12)

But, I still cannot make the two inside PCs talk to each other.

error:

%ASA-3-106100: Deny inbond icmp src vlan101:10.1.1.12 dst vlan102 10.1.2.12(type 8, code 0)

I have tried put:

access-list v101-to-v102 extended permit icmp any any log

access-list v101-to-v102 extended permit ip any any log

access-group v101-to-v102 in interface vlan101

and did the same for vlan102, but it seems worse.

Please advise.

JX

Have you applied the "same-security-traffic permit inter-interface" command? Allowing communication between same-security interfaces (enabled by the same-security-traffic inter-interface command) provides the following benefits:

- You can configure more than 101 communicating interfaces. If you use different levels for each interface, you can configure only one interface per level (0 to 100).

- You can allow traffic to flow freely between all same-security interfaces without access lists.

This is required since both of your Vlan101 and Vlan102 interfaces are set to use the same security level 100:

hostname(config)# same-security-traffic permit inter-interface

hostname(config)# static (vlan101,vlan102) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

hostname(config)# static (vlan102,vlan101) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

http://www.cisco.com/en/US/customer/products/ps6120/products_command_reference_chapter09186a008063f0fb.html#wp1283601

Pls rate all useful post(s)

HTH

AK

Also, for a quick test, open a test ACL and apply on both Vlan 101 and Vlan102 interfaces:

ACL on Vlan 101:

access-list vlan101 permit icmp any any

access-list vlan101 permit ip any any

access-group vlan101 in interface vlan101

ACL on Vlan 102:

access-list vlan102 permit icmp any any

access-list vlan102 permit ip any any

access-group vlan102 in interface vlan102

Use the above ACLs to test ping/reachability between the two Vlans. You can remove or customize them as per your requirement.

HTH

AK
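A small checker for the situation this thread works through, added here as an example; it is not code from the thread, from AK, or from Cisco. It reads a flat ASA running-config as text together with the syslog deny line JX quoted and reports the missing pieces discussed above: two interfaces at the same security level without "same-security-traffic permit inter-interface", missing identity (no-translation) statics between the two interfaces, and an access-group bound to an interface whose name does not match the ACL name (the vlan102-to-outside / vlan101 slip in AK's first reply). The sample config and log line are constructed from the thread's values; the deny-line regex is written for the line as JX posted it rather than for the full set of ASA message formats, and the ACL-name heuristic is an assumption of this example.

```python
"""Added example: correlate an ASA deny message with the running-config."""
import re

# Constructed from the thread's values (not a real device dump).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0.101
 vlan 101
 nameif vlan101
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.102
 vlan 102
 nameif vlan102
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.1.3.9 255.255.255.0
!
access-list vlan102-to-outside extended permit ip any any
access-group vlan102-to-outside in interface vlan101
static (vlan101,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (vlan102,outside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
"""

# Constructed from the line JX quoted in the thread.
SAMPLE_LOG = ("%ASA-3-106100: Deny inbond icmp src vlan101:10.1.1.12 "
              "dst vlan102 10.1.2.12(type 8, code 0)")

# Tolerates 'inbond'/'inbound' and 'dst IF IP' / 'dst IF:IP' (assumption).
DENY_RE = re.compile(
    r"Deny inbo\w+ (?P<proto>\w+) src (?P<sif>\S+):(?P<sip>[\d.]+) "
    r"dst (?P<dif>\S+)[: ](?P<dip>[\d.]+)\s*\(type (?P<type>\d+), code (?P<code>\d+)\)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_interfaces(config):
    """Map nameif -> security-level from the interface blocks."""
    levels, nameif = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            nameif = None
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("security-level ") and nameif:
            levels[nameif] = int(s.split()[1])
    return levels


def has_inter_interface_permit(config):
    return any(l.strip() == "same-security-traffic permit inter-interface"
               for l in config.splitlines())


def identity_statics(config):
    """(real_if, mapped_if) pairs that have an A->A (no-translation) static."""
    return {(m.group(1), m.group(2))
            for m in (STATIC_RE.match(l.strip()) for l in config.splitlines())
            if m and m.group(3) == m.group(4)}


def misbound_access_groups(config):
    """ACLs named after one interface but bound to another (heuristic)."""
    ifaces = parse_interfaces(config)
    bad = []
    for line in config.splitlines():
        m = ACCESS_GROUP_RE.match(line.strip())
        if m:
            acl, bound = m.groups()
            owners = [i for i in ifaces if acl.startswith(i)]
            if owners and bound not in owners:
                bad.append((acl, bound))
    return bad


def parse_deny(line):
    """Fields of a 'Deny ... <proto> src IF:IP dst IF IP (type, code)' line."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def explain_deny(config, log_line):
    """List the config gaps that explain why the logged flow was dropped."""
    d = parse_deny(log_line)
    if d is None:
        return ["log line not recognised"]
    levels, out = parse_interfaces(config), []
    sif, dif = d["sif"], d["dif"]
    if levels.get(sif) == levels.get(dif) and not has_inter_interface_permit(config):
        out.append(f"{sif} and {dif} share security-level {levels[sif]}; "
                   "add 'same-security-traffic permit inter-interface'")
    statics = identity_statics(config)
    for pair in ((sif, dif), (dif, sif)):
        if pair not in statics:
            out.append(f"no identity static for ({pair[0]},{pair[1]})")
    for acl, bound in misbound_access_groups(config):
        out.append(f"ACL '{acl}' is bound to '{bound}'; check the access-group line")
    return out


if __name__ == "__main__":
    for finding in explain_deny(SAMPLE_CONFIG, SAMPLE_LOG):
        print("WARN:", finding)
```

Run it against a saved `show running-config` and a deny line from `show logging`; once the three commands from the accepted answer are added and the access-group binding is corrected, `explain_deny` returns an empty list.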