v0r73x
asked on
Enable Communication between interfaces on Cisco ASA 5510
OK, I have a Cisco ASA 5510 using ASA v8.0(2). I have 3 of the interfaces using internal IPs for different network segments and one interface for the outside WAN. I've been reading the Cisco guides on setting static NAT between the internal interfaces to allow communication, although I'm not sure I've understood it correctly, so I'm getting a little confused.
I'd like to enable the three internal interfaces to talk to each network, specifically 1 and 2 talking and 1 and 3 talking.
1 - 192.168.50.0/24 network with IP 192.168.50.254
2 - 192.168.40.0/24 network with IP 192.168.40.254
3 - 10.0.0.0/24 network with IP 10.0.0.1
Using the ASDM how am I best to configure this? I can certainly use the CLI although I'm not 100% on the commands so any help appreciated. They have the same security level and the ability to communicate with the same security level is enabled.
ASKER
Unfortunately the interfaces don't seem to be talking to each other (I would imagine due to the differing IP addresses on each segment?). Am I missing something? I believe this is why the Cisco guides opt for static NATs, but I'm at a loss to know exactly what to configure.
Like I said above, if you have different security levels for each interface then depending on the value and direction of the flow you may need ACLs to explicitly allow the traffic.
Can you post your sanitized config?
harbor235 ;}
ASKER
Will look to change the security levels on the interfaces to test and post config friday - unfortunately a server outage elsewhere has taken up my time. Thanks for the posts so far though!
ASKER
Any comments welcome :)
: Saved
:
ASA Version 8.0(4)
!
hostname 5510
domain-name mydomain.local
enable password $$$$$$$$$ encrypted
passwd $$$$$$$$$ encrypted
names
name 192.168.50.2 BES
name 192.168.50.1 MAIN
name 192.168.50.250 WAP1 description Office WAP
name 192.168.50.251 WAP2 description Comms Room WAP
name 193.109.81.33 Blackberry
name 192.168.60.0 vpn_users
name 192.168.50.254 CiscoASA
name 77.88.99.22 WANIP
name 192.168.50.47 User1
name 192.168.50.48 User2
!
interface Ethernet0/0
nameif outside
security-level 0
ip address WANIP 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address CiscoASA 255.255.255.0
!
interface Ethernet0/2
nameif Investran
security-level 90
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/3
nameif Calyx
security-level 80
ip address 192.168.40.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
banner exec --------------------------------------------------------
banner exec This is an actively monitored system.
banner exec Unauthorized access strictly prohibited.
banner exec Please log off immediately.
banner exec --------------------------------------------------------
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name mydomain.local
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group service BES tcp
port-object eq 3101
object-group network smtp-hosts
network-object host BES
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service ssl_vpn_site tcp-udp
port-object eq 1711
object-group service ssl_vpn_port tcp
port-object eq 8383
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_8
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list outside_access_in extended permit tcp any any eq 3101
access-list Local_LAN_Address standard permit 192.168.50.0 255.255.255.0
access-list mss_allow_list extended permit tcp any any
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_7 192.168.50.0 255.255.255.0 vpn_users 255.255.255.0
access-list Investran_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list Calyx_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_6 any any
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0
access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_8 any any
access-list inside_nat0_outbound_1 extended permit ip 192.168.50.0 255.255.255.0 vpn_users 255.255.255.0
!
tcp-map mss-map
!
pager lines 24
logging enable
logging list VPNC level debugging class vpnc
logging asdm notifications
mtu outside 1500
mtu inside 1500
mtu Investran 1500
mtu Calyx 1500
mtu management 1500
ip local pool remote_users 192.168.60.10-192.168.60.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (Investran) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 192.168.50.0 255.255.255.0
static (inside,outside) tcp interface smtp MAIN smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 MAIN 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 4899 MAIN 4899 netmask 255.255.255.255
static (inside,outside) tcp interface www MAIN www netmask 255.255.255.255
static (inside,outside) tcp interface 3101 BES 3101 netmask 255.255.255.255
static (inside,outside) tcp interface 8181 WAP1 www netmask 255.255.255.255
static (inside,outside) tcp interface 8282 WAP2 www netmask 255.255.255.255
static (inside,outside) tcp interface https MAIN https netmask 255.255.255.255
static (inside,outside) tcp interface 3900 User1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3901 User2 3389 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
access-group inside_access_in_1 in interface inside
access-group Investran_access_in in interface Investran
access-group Calyx_access_in in interface Calyx
route outside 0.0.0.0 0.0.0.0 77.88.99.57 1
route Investran 130.32.136.0 255.255.255.0 10.0.0.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable 1712
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 192.168.50.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=mail.mydomain.co.uk
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
fqdn vpn.mydomain.co.uk
subject-name CN=vpn.mydomain.co.uk,OU=SSLVPN,O=My Company,C=GB,St=London,L=London
keypair ssl_vpn_key
crl configure
crypto ca server
shutdown
crypto ca certificate chain ASDM_TrustPoint1
certificate 099989
quit
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 outside
telnet vpn_users 255.255.255.0 outside
telnet 192.168.50.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.150.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
console timeout 10
management-access management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
webvpn
port 8383
enable outside
dtls port 8383
svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
svc enable
group-policy SSLGrpPolicy internal
group-policy SSLGrpPolicy attributes
dns-server value 192.168.50.1
vpn-simultaneous-logins 5
vpn-idle-timeout 10
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_LAN_Address
default-domain value mydomain.local
webvpn
svc dpd-interval client 20
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.50.1
vpn-simultaneous-logins 5
vpn-idle-timeout 5
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_LAN_Address
default-domain value mydomain.local
tunnel-group DefaultRAGroup general-attributes
address-pool remote_users
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool remote_users
tunnel-group ssl_vpn_connection type remote-access
tunnel-group ssl_vpn_connection general-attributes
address-pool remote_users
default-group-policy SSLGrpPolicy
!
class-map inspection_default
match default-inspection-traffic
class-map mss-map
match access-list mss_allow_list
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map mss-map
class mss-map
set connection advanced-options mss-map
!
service-policy global_policy global
service-policy mss-map interface outside
prompt hostname context
Cryptochecksum:b550ce892130af68c7020566d4e2b1fa
: end
asdm image disk0:/asdm-613.bin
asdm location vpn_users 255.255.255.0 inside
asdm location CiscoASA 255.255.255.255 inside
asdm location WANIP 255.255.255.255 inside
asdm location WAP1 255.255.255.255 inside
asdm location WAP2 255.255.255.255 inside
asdm location User1 255.255.255.255 inside
asdm location User2 255.255.255.255 inside
no asdm history enable
ASKER
I changed the interface security levels btw; they were all the same and I had "allow communication between same security" enabled. Still no joy.
try this;
static (inside,Calyx) 10.1.2.0 10.1.2.0 netmask 255.255.255.0 - change 10.1.2.0 to whatever the inside IP range is
This is called an identity translation, which does not NAT traffic from inside to Calyx; this will work if you initiate the traffic from inside, not the other way around. If you initiate from Calyx to inside then the inside interface will require ACL entries explicitly allowing the traffic, which you have.
If you are using an ICMP test from inside to Calyx then you need;
icmp permit any Calyx
You have the following ACL for interface Calyx;
access-list Calyx_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
Object group -
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
Which means you accept everything on all interfaces? Dangerous, looks like you are wide open.
How are you testing this?
harbor235 ;}
ASKER
Thanks for the input, I'll try to add the following this evening to test. At the moment everything is allowed purely to test as it's all a new setup. Will lock it down once I get my head around it all :)
I'm testing by running ping from a client on the inside network to a client on the calyx network (as well as the calyx interface but no reply back). With little experience on Cisco it hasn't helped!!
Thanks again for the above will hopefully have a result later today.
ASKER CERTIFIED SOLUTION
http 0 0 inside
Have you tried adding NAT exempt rules between the two networks?
In ASDM go to Configuration > Firewall > NAT Rules.
[Add ] [Add NAT Exempt Rule]
You will need to create one for each interface that originates traffic (this means one for the 'client' interface and one for the 'server' interface).
You will have to fiddle around with the 'inbound' and 'outbound' settings. My lab box has identical rules with inbound and outbound set, and I can't remember which actually made it work for me.
I believe that in the 8.x versions of the ASA you have to have a NAT rule to pass traffic, even if it is a NAT Exempt rule.
ASKER
Sorry for the delay in awarding points!!! Ended up out of the country for a different project and it slipped my mind to respond.
There is no need to NAT for inside to inside network communication. If you have interfaces of different security levels then know the following;
1) higher security level to lower security level is allowed by default
2) lower security level to higher is not allowed by default
To get traffic to flow from lower to higher security levels you must explicitly allow the traffic via ACL.
You could also assign interfaces to the same security level by enabling same-security-level communication, which is not allowed by default.
From global config mode use the following command: "same-security-traffic permit inter-interface"
You also need to ensure that the traffic from one inside interface to another is not NAT'd. Do this via a nonat rule.
harbor235 ;}
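An added ASA 8.0 configuration fragment (mine, not harbor235's, the other posters' or the asker's) that applies the thread's advice to the posted config: a NAT exemption so the dynamic "nat (inside) 101" rule no longer swallows inside-to-Calyx and inside-to-Investran traffic, plus least-privilege ACLs in place of the permit-any rules. Interface names and subnets come from the posted config; the object-group names and the 192.168.40.10 test host are my own.

```cisco
! Added example, not from the thread: applies the NAT-exemption advice above to
! the posted ASA 8.0(4) config. Interface names and subnets are the asker's;
! the object-group names (inside_net, calyx_net, investran_net) are mine.
!
! 1. Name the three internal segments.
object-group network inside_net
 network-object 192.168.50.0 255.255.255.0
object-group network calyx_net
 network-object 192.168.40.0 255.255.255.0
object-group network investran_net
 network-object 10.0.0.0 255.255.255.0
!
! 2. NAT exemption. "nat (inside) 101" already matches all of 192.168.50.0/24,
!    but the only matching pool is global (outside) 101 (global (Investran) 1
!    has a different ID), so inside->Calyx and inside->Investran flows find no
!    translation on the egress interface and are dropped. Only one
!    "nat (inside) 0 access-list" is allowed per interface, so extend the ACL
!    the config already binds. Exemption lets either side initiate, so no
!    identity static is needed on the Calyx/Investran side.
access-list inside_nat0_outbound_1 extended permit ip object-group inside_net object-group calyx_net
access-list inside_nat0_outbound_1 extended permit ip object-group inside_net object-group investran_net
nat (inside) 0 access-list inside_nat0_outbound_1
!
! 3. "icmp permit" only governs ICMP terminating on the ASA itself; add the
!    two segments so their hosts can ping their own gateway address.
icmp permit 192.168.40.0 255.255.255.0 Calyx
icmp permit 10.0.0.0 255.255.255.0 Investran
!
! 4. Least privilege on the lower-security interfaces: replace "permit any any"
!    with just the segment-1 flows the question asks for. inside (level 100)
!    reaches Calyx (80) and Investran (90) by default; return traffic rides the
!    stateful connection table. Add the new ACE before removing the old one so
!    the ACL referenced by access-group never becomes empty.
access-list Calyx_access_in extended permit ip object-group calyx_net object-group inside_net
no access-list Calyx_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list Investran_access_in extended permit ip object-group investran_net object-group inside_net
no access-list Investran_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
!
! 5. Verify the path the ASA will take without sending real traffic
!    (192.168.40.10 is a made-up Calyx host; User1 and MAIN are from the config).
packet-tracer input inside icmp 192.168.50.47 8 0 192.168.40.10
packet-tracer input Calyx tcp 192.168.40.10 1025 192.168.50.1 3389
```

If the packet-tracer output shows a drop in the NAT phase, the exemption ACL did not match; a drop in the ACCESS-LIST phase points at the interface ACL on the ingress interface.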