Intrepidity asked:

Cisco ASA 5505 interfaces, routing and licenses

Seems like the 5505 has a basic license.

Company A has a 5505 and is supposed to get access to company B file server behind Company B firewall. Company B has fileserver 192.168.16.2 and has set up a gateway 192.168.17.1 on its own interface. I have nothing to do with company B or their setup.

Company A, my responsibility, 5505 setup:
LAN 192.168.1.0/24
WAN static IP

The third interface cannot be fully functional, and the default block to LAN on the DMZ cannot be changed while the interface is there. I deleted the DMZ interface and made a new one with "Block to outside" so that the new interface should be able to communicate with the 5505 LAN.

The company-B-name-interface is set up with permit ip any any for testing purposes. It should all be open. Routing is set up for 192.168.16.2 to use gateway 192.168.17.1.

I can ping 192.168.16.2 on the company a 5505 picking the company-b interface. If I use packet trace everything comes up ok and is then stopped by the default company-b-interface access control drop any any ip. As the permit ip any any is listed before drop I find this weird.

Is it not possible to permit traffic between the third interface and local network even if removing access to the outside interface?

Do I have to buy another license for the 5505?
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.202 255.255.255.248 
!
interface Vlan13
 no forward interface Vlan2
 nameif CompanyB
 security-level 50
 ip address 192.168.17.254 255.255.255.0 
 
 
access-list CompanyB_access_in extended permit ip any any


3nerds

I believe your problem lies in that the 3rd vlan is limited to DMZ functionality only.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

You are most likely going to want the "Security Plus License"

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

see note 5

5 3 (2 regular zones and 1 restricted zone that can only communicate with 1 other zone)

Regards,

3nerds
Intrepidity (ASKER)

Well, sorry if I am unclear. The vlan set up for connection to company b does only need to communicate with the inside vlan. So, that's one zone communicating with one zone. I can, however, not make this work.

The question is, is this supposed to work, or is it default blocked towards inside vlan and cannot be removed? After deleting the dmz entry and creating a new one, the company b vlan is now, as stated earlier, blocked to outside. While creating the new interface it's possible to pick either blocking to outside or blocking to inside from the third interface.

This is regarding what you are talking about from my first post:
The third interface cannot be fully functional, and the default block to LAN on the DMZ cannot be changed while the interface is there. I deleted the DMZ interface and made a new one with "Block to outside" so that the new interface should be able to communicate with the 5505 LAN.

Makes sense now, thank you for clarification.

I assume you are using NAT for communication from inside to outside?

Would you be willing to post the config?

Regards,

3nerds

I have to admit that I'm new to Cisco, and the license issue wasn't expected. As stated earlier, if I check connection from inside vlan to company b vlan using packet trace it's all ok until the last point, access control. It stops on the implicit deny ip any any rule on the companyb interface even though I've added a permit ip any any.

hostname ciscoasa
domain-name x.local
x
x
names
x
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.152.202 255.255.255.248
!
interface Vlan13
 no forward interface Vlan2
 nameif L2net
 security-level 50
 ip address 192.168.17.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 13
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name x.local
same-security-traffic permit inter-interface
object-group network SoftScan
 description Spamfilter
 network-object host 194.192.15.190
 network-object host 213.150.52.217
 network-object host 80.237.207.26
access-list 101 extended permit tcp any host x.152.203 eq https
access-list outside_access_in remark Exchange server
access-list outside_access_in extended permit tcp object-group SoftScan host x.152.203 eq smtp
access-list outside_access_in extended permit tcp any host x.152.203 eq https
access-list OGAVPN_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OGA_splitTunnelAcl standard permit any
access-list CompanyB_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu L2net 1500
ip local pool BPNpool 192.168.1.100-192.168.1.120 mask 255.255.255.0
ip local pool Default 192.168.2.100-192.168.2.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.152.203 192.168.1.200 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group L2net_access_in in interface L2net
route outside 0.0.0.0 0.0.0.0 x.152.201 1
route L2net 192.168.16.2 255.255.255.255 192.168.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http Saga_telnet_testing 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 192.168.1.200 195.159.0.100 interface inside
dhcpd enable inside
!

group-policy Standard internal
group-policy Standard attributes
 dns-server value 192.168.1.200 195.159.0.100
 vpn-tunnel-protocol IPSec
 default-domain value x.local
group-policy OGA_2 internal
group-policy OGA_2 attributes
 dns-server value 192.168.1.200
 vpn-tunnel-protocol IPSec

x

 vpn-group-policy Standard
tunnel-group OGA type ipsec-ra
tunnel-group OGA general-attributes
 address-pool Default
 default-group-policy OGA_2
tunnel-group OGA ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

You have no mappings for traffic from dmz to inside.

By default traffic from the inside to the DMZ will flow because the inside has a higher security level than the dmz, but for the dmz to access the inside you will have to add static translations to go along with your ACLs.

If you don't need the security of a lower security level as you have it now, you could up the value to 100 and let same-security-traffic permit inter-interface take care of passing the traffic.

At this point your solution will depend on what security you need to have in place between you and company b.

Good Luck,

3nerds

Well it was 100, but didn't work out. I changed it back and tried something else. The output from show config there is kind of between setups as I had sort of given up.

Setting 100 and allow traffic between interfaces with the same security level doesn't help. It's still stopped at the same access control entry as before. What else do I need to edit?

Inside vlan will always initiate contact as company b are not supposed to access company a network. The required security is set up at company b firewall, so I don't plan to bother much with that. At least make it work first, and then maybe tighten security.

For testing you might want to plug a pc into the dmz port and assign it the 192.168.17.1 address, if you can get traffic to it you can get it to the other side.

Then test the following:
Make sure the firewall is off on the PC
1. Ping from the asa dmz interface to the PC at .1
2. Attempt to ping from 192.168.1.x to 17.1

Let me know the results.

3nerds


If I follow you correctly, I will unplug the cable from company b (shutting out the 192.168.17.1 gateway) and then manually set 192.168.17.1 IP for the computer connected to the companyB vlan on the 5505. I see the use, but I'm pretty confident about the results as well. I will not be able to ping from 192.168.1.x. I might be able to test this tomorrow.

I have for testing purposes connected a PC to the cable originating from company b, and then assigned it an IP in the 192.168.17.0/254 range using 192.168.17.1 as gateway. I can then access and ping 192.168.16.2, but the gateway itself at 192.168.17.1 can not respond to a ping. I did this before attempting to set up the 5505.

Note: 192.168.17.1 is a gateway set up at company b. If I use this IP I will not be able to use the same IP as gateway, and that IP is the only way to access the fileserver at 192.168.16.2. The IP for the company b vlan set up at the 5505 is 192.168.17.254.

Logged into the 5505 I can choose the CompanyB vlan and ping 192.168.16.2 and get response as I should.

The 5505 is in touch with company B, and the routing seems to be working, although I cannot connect from the inside vlan (192.168.1.0/24). As stated earlier, it still stops at the implicit deny ip any any rule at the company b access list. (entry 1. permit ip any any, entry 2 deny ip any any).

I do not have access to the network at present, only remote access to the 5505.

Thanks for the info.

I was just attempting to find out what is and is not communicating, and it seems that you have done a good bit of testing yourself; what you have done is fine. Just so I am clear:
A PC at 192.168.17.50 is able to ping 192.168.16.2 if it has a DG of 192.168.17.1. Perfect, at least you're not fighting a battle from 2 ends.

Basically what I wanted to do was give you a way to test from your internal network to the DMZ. I am not worried about company b yet I just want to make sure traffic flows out for you.

You stated that only the 192.168.1.x will initiate connectivity to the 192.168.16.2 address. Not the reverse.

Before you go through all of this please add a static translation for the DMZ as follows:
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I see this in your config:
access-group L2net_access_in in interface L2net
but I don't see an access list named L2net_access_in. Did you remove it from your config?

For now doing a:

no access-group L2net_access_in in interface L2net

Would be good for testing.

Test it and let me know.

Regards,

3nerds

Yes, a computer in the 192.168.17.0 range is able to ping 192.168.16.2.

Well, no, didn't remove "companyB" from the access list. I figured I would rename the names from L2 to CompanyB so it would be easier to understand from my explanation. Obviously I forgot to do that everywhere, so it's just more confusing. The interface name for "company b" is L2net as you can see.

access-list "CompanyB"_in extended permit ip any any <- this is L2net

Even if this is added the packet is dropped by the explicit rule deny ip any any listed below the permit any any. At least this is what the packet trace says. Everything else checks out ok, and it stops on the access list entry mentioned.

Done some more testing - with no results.

Using packet tracer I get ok on "flow lookup" and "route lookup", but it fails on "access list" just as before saying "type access-list  action drop   show rule in access rules table". When I click the "show rule" it shows the explicit deny ip any any on the L2net interface. As you can see there is an allow ip any any added before the deny.

I don't think you're following me:

Your access-group says it is using an ACL called L2net_access_in. That ACL no longer exists, so every time you make a change to the ACL called CompanyB_in those changes never get applied to the interface. Now I am going off the config you have above; if this changed then you will have to advise me.

access-list CompanyB_in extended permit ip any any --> This is fine

Just do this to apply it:
no access-group L2net_access_in in interface L2net
access-group CompanyB_in in interface L2net

Although if you are not allowing anyone from Company B to initiate a connection to your LAN then it is not needed at all.

Also you need to add the NAT I recommended:

static (inside,DMZ) x.x.x.x x.x.x.x netmask 255.255.255.0 --> where x is your inside network.

Your simple problem is that you can't get traffic out of your new vlan. You need all the pieces in place for that to happen. NAT is the big one because you're going from a lower security level to a higher.

If you would like to take this step by step tomorrow, as I am leaving now, let me know; otherwise good luck in your troubleshooting.

Regards,

3nerds

Sorry, I'm unclear again. I think you don't follow me this time :-)

There is no interface or anything else named "CompanyB" in the config. I renamed it manually in the output of show config to make it clearer what was what. It just got confusing as I forgot to rename them all though, so L2net and CompanyB were both there.

Everything named "companyb" is in reality L2net in the running config.

I added the NAT yesterday, but it doesn't make any difference.

About security levels; both internal lan and L2net are set to 100.

I wish I had an asa 5505 here to test; I just am unsure if that limited license is hanging things up.

Would you repost your config as is, just X out the IPs and anything else you don't want shown here.

Regards,

3nerds

hostname ciscoasa
domain-name x.local
enable password x
passwd x
names
name x.165.66 testing
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.152.202 255.255.255.248
!
interface Vlan13
 no forward interface Vlan2
 nameif L2net
 security-level 100
 ip address 192.168.17.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 13
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name x.local
same-security-traffic permit inter-interface
object-group network SoftScan
 description Spamfilter
 network-object host 194.192.15.190
 network-object host 213.150.52.217
 network-object host testing
 network-object host 80.237.207.26
access-list 101 extended permit tcp any host x.152.203 eq https
access-list outside_access_in remark Exchange server
access-list outside_access_in extended permit tcp object-group SoftScan host x.152.203 eq smtp
access-list outside_access_in extended permit tcp any host x.152.203 eq https
access-list OGAVPN_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OGA_splitTunnelAcl standard permit any
access-list L2net_access_in extended permit ip any any
access-list L2net_access_in_1 extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu L2net 1500
ip local pool BPNpool 192.168.1.100-192.168.1.120 mask 255.255.255.0
ip local pool Default 192.168.2.100-192.168.2.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.152.203 192.168.1.200 netmask 255.255.255.255
static (inside,L2net) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group L2net_access_in_1 in interface L2net
route outside 0.0.0.0 0.0.0.0 x.152.201 1
route L2net 192.168.16.2 255.255.255.255 192.168.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http Saga_telnet_testing 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 192.168.1.200 195.159.0.100 interface inside
dhcpd enable inside
!

group-policy Standard internal
group-policy Standard attributes
 dns-server value 192.168.1.200
 vpn-tunnel-protocol IPSec
 default-domain value x.local
group-policy OGA_2 internal
group-policy OGA_2 attributes
 dns-server value 192.168.1.200
 vpn-tunnel-protocol IPSec
username x x x x x x x x x
 vpn-group-policy Standard
tunnel-group OGA type ipsec-ra
tunnel-group OGA general-attributes
 address-pool Default
 default-group-policy OGA_2
tunnel-group OGA ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

OK, so I was curious what might be the problem here, so I took an ASA5510 I have here off the shelf and put the following basic config into it.

:
ASA Version 8.0(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 199.0.152.202 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif L2net
 security-level 100
 ip address 192.168.17.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif    
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
mtu outside 1500
mtu inside 1500
mtu L2net 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 192.168.1.200 195.159.0.100 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context


Most of it is your config with a few pieces missing. With this right here everything works as you need it.

So I added the nat and global lines below into the config and it breaks.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

So I add the rules to the no nat and voilà, it works again:
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.17.0 255.255.255.0

You may get this error "Unable to download NAT policy for ACE"; if you do, you will have to do this before the new lines will take effect:
no nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound

So to clean up your config and test do the following:
no static (inside,L2net) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.17.0 255.255.255.0

If you get the error above do what I laid out.

If it still does not work then it is a limitation with your asa5505 license or a missed route.

Good Luck,

3nerds
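
As an added example (not code from the thread or from Cisco), a small Python check for the two config faults 3nerds diagnoses above: an access-group bound to an ACL name that is not defined, and inside-to-L2net traffic that the nat 0 ACL does not exempt once the nat/global lines are present. The sample config is constructed from lines in the thread, with 203.0.113.x standing in for the masked public addresses; the check looks only at the nat 0 ACL and does not consider identity statics.

```python
import ipaddress

# Constructed sample (PIX/ASA 8.0 syntax as in the thread); 203.0.113.x is a stand-in.
BROKEN = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.202 255.255.255.248
interface Vlan13
 nameif L2net
 ip address 192.168.17.254 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CompanyB_in extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group L2net_access_in in interface L2net
route outside 0.0.0.0 0.0.0.0 203.0.113.201 1
route L2net 192.168.16.2 255.255.255.255 192.168.17.1 1
"""

# The same config after the changes suggested in the thread.
FIXED = BROKEN.replace("access-group L2net_access_in", "access-group CompanyB_in") + """\
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.17.0 255.255.255.0
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Return findings for dangling access-groups and missing NAT exemptions."""
    acl_names, exempt = set(), {}        # exempt: ACL name -> [(src, dst)]
    groups, nat0, dyn_nat, has_global = [], {}, set(), set()
    reach, nameif = {}, None             # reach: nameif -> networks behind it
    for raw in config.splitlines():
        w = raw.split() or [""]
        if w[0] == "interface":
            nameif = None
        elif w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif:
            reach.setdefault(nameif, []).append(net(w[2], w[3]))
        elif w[0] == "access-list":
            acl_names.add(w[1])
            if w[2:5] == ["extended", "permit", "ip"] and len(w) == 9:
                exempt.setdefault(w[1], []).append((net(w[5], w[6]), net(w[7], w[8])))
        elif w[0] == "access-group":
            groups.append((w[1], w[-1]))
        elif w[0] == "global":
            has_global.add(w[1].strip("()"))
        elif w[0] == "nat" and w[2] == "0" and w[3] == "access-list":
            nat0[w[1].strip("()")] = w[4]
        elif w[0] == "nat" and w[2] != "0":
            dyn_nat.add(w[1].strip("()"))
        elif w[0] == "route":
            reach.setdefault(w[1], []).append(net(w[2], w[3]))
    findings = [f"access-group on {i} references undefined ACL {a}"
                for a, i in groups if a not in acl_names]
    for src_if in sorted(dyn_nat):
        pairs = exempt.get(nat0.get(src_if), [])
        for dst_if, dst_nets in reach.items():
            if dst_if == src_if or dst_if in has_global:
                continue                 # traffic to a global interface is PATed
            for s in reach.get(src_if, []):
                for d in dst_nets:
                    if not any(s.subnet_of(ps) and d.subnet_of(pd) for ps, pd in pairs):
                        findings.append(f"{s} -> {d} via {dst_if} is not NAT-exempt")
    return findings

if __name__ == "__main__":
    print(*audit(BROKEN), sep="\n")
```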


Sorry to bug you once again. What license is used in the 5510?

ASKER CERTIFIED SOLUTION by 3nerds: this solution is only available to members of Experts Exchange.

Back to square one then.

You think it's the license causing the trouble? I tend to agree, but it states that the limitation on the third interface lies in only being able to communicate with one other interface, and that's ok in this setup.

I grant you accepted solution anyways, since you're probably correct about the solution in case it was the correct licence already installed, and about the fact that another license is likely needed.

Hey intrepidity,

Did you try changing the lines I offered?

Do you want to post one last config so I can make sure you changed everything needed?

Regards,

3nerds