Enable Communication between interfaces on Cisco ASA 5510

v0r73x (asker):

Ok I have a Cisco ASA 5510 using ASA v8.0(2). I have 3 of the interfaces using internal IPs for different network segments and one interface for the outside WAN. I've been reading the Cisco guides on setting static NAT between the internal interfaces to allow communication, although I'm not sure I've understood it correctly, so I'm getting a little confused.

I'd like to enable the three internal interfaces to talk to each network, specifically 1 and 2 talking and 1 and 3 talking.

1 - 192.168.50.0/24 network with IP 192.168.50.254
2 - 192.168.40.0/24 network with IP 192.168.40.254
3 - 10.0.0.0/24 network with IP 10.0.0.1

Using the ASDM how am I best to configure this? I can certainly use the CLI although I'm not 100% on the commands so any help appreciated. They have the same security level and the ability to communicate with the same security level is enabled.
harbor235:

There is no need to NAT for inside to inside network communication. If you have interfaces of different security levels then know the following:

1) higher security level to lower security level is allowed by default
2) lower security level to higher is not allowed by default

To get traffic to flow from lower to higher security levels you must explicitly allow the traffic via ACL.

You could also assign interfaces to the same security level by enabling same security level communication, which is not allowed by default.

From global config mode use the following command: "same-security-traffic permit inter-interface"

You also need to ensure that the traffic from one inside interface to another is not NAT'd. Do this via a nonat rule.

harbor235 ;}
v0r73x (asker):

Unfortunately the interfaces don't seem to be talking to each other (I would imagine due to the differing IP addresses on each segment?). Am I missing something? I believe this is why the Cisco guides opt for static NATs, but I'm at a loss to know exactly what to configure.

harbor235:

Like I said above, if you have different security levels for each interface then depending on the value and direction of the flow you may need ACLs to explicitly allow the traffic.

can you post your sanitized config?

harbor235 ;}
v0r73x (asker):

Will look to change the security levels on the interfaces to test and post the config on Friday - unfortunately a server outage elsewhere has taken up my time. Thanks for the posts so far though!
v0r73x (asker):

Any comments welcome :)
: Saved
:
ASA Version 8.0(4) 
!
hostname 5510
domain-name mydomain.local
enable password $$$$$$$$$ encrypted
passwd $$$$$$$$$ encrypted
names
name 192.168.50.2 BES
name 192.168.50.1 MAIN
name 192.168.50.250 WAP1 description Office WAP
name 192.168.50.251 WAP2 description Comms Room WAP
name 193.109.81.33 Blackberry
name 192.168.60.0 vpn_users
name 192.168.50.254 CiscoASA
name 77.88.99.22 WANIP
name 192.168.50.47 User1
name 192.168.50.48 User2
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address WANIP 255.255.255.224 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address CiscoASA 255.255.255.0 
!
interface Ethernet0/2
 nameif Investran
 security-level 90
 ip address 10.0.0.1 255.255.255.0 
!
interface Ethernet0/3
 nameif Calyx
 security-level 80
 ip address 192.168.40.254 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0 
 management-only
!
banner exec --------------------------------------------------------
banner exec       This is an actively monitored system.
banner exec     Unauthorized access strictly prohibited.
banner exec              Please log off immediately.
banner exec --------------------------------------------------------
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name mydomain.local
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group service BES tcp
 port-object eq 3101
object-group network smtp-hosts
 network-object host BES
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service ssl_vpn_site tcp-udp
 port-object eq 1711
object-group service ssl_vpn_port tcp
 port-object eq 8383
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_6
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_7
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_8
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any 
access-list outside_access_in extended permit tcp any any eq 3101 
access-list Local_LAN_Address standard permit 192.168.50.0 255.255.255.0 
access-list mss_allow_list extended permit tcp any any 
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_7 192.168.50.0 255.255.255.0 vpn_users 255.255.255.0 
access-list Investran_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any 
access-list Calyx_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any 
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_6 any any 
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0 
access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_8 any any 
access-list inside_nat0_outbound_1 extended permit ip 192.168.50.0 255.255.255.0 vpn_users 255.255.255.0 
!
tcp-map mss-map
!
pager lines 24
logging enable
logging list VPNC level debugging class vpnc
logging asdm notifications
mtu outside 1500
mtu inside 1500
mtu Investran 1500
mtu Calyx 1500
mtu management 1500
ip local pool remote_users 192.168.60.10-192.168.60.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (Investran) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 192.168.50.0 255.255.255.0
static (inside,outside) tcp interface smtp MAIN smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 MAIN 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 4899 MAIN 4899 netmask 255.255.255.255 
static (inside,outside) tcp interface www MAIN www netmask 255.255.255.255 
static (inside,outside) tcp interface 3101 BES 3101 netmask 255.255.255.255 
static (inside,outside) tcp interface 8181 WAP1 www netmask 255.255.255.255 
static (inside,outside) tcp interface 8282 WAP2 www netmask 255.255.255.255 
static (inside,outside) tcp interface https MAIN https netmask 255.255.255.255 
static (inside,outside) tcp interface 3900 User1 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 3901 User2 3389 netmask 255.255.255.255 
access-group outside_access_in_1 in interface outside
access-group inside_access_in_1 in interface inside
access-group Investran_access_in in interface Investran
access-group Calyx_access_in in interface Calyx
route outside 0.0.0.0 0.0.0.0 77.88.99.57 1
route Investran 130.32.136.0 255.255.255.0 10.0.0.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable 1712
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 192.168.50.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=mail.mydomain.co.uk
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 fqdn vpn.mydomain.co.uk
 subject-name CN=vpn.mydomain.co.uk,OU=SSLVPN,O=My Company,C=GB,St=London,L=London
 keypair ssl_vpn_key
 crl configure
crypto ca server 
 shutdown
crypto ca certificate chain ASDM_TrustPoint1
 certificate 099989
    3082034c 308202b5 a0030201 02020309 9989300d 06092a86 4886f70d 01010505 
    00304e31 0b300906 03550406 13025553 3110300e 06035504 0a130745 71756966 
    6178312d 302b0603 55040b13 24457175 69666178 20536563 75726520 43657274 
    69666963 61746520 41757468 6f726974 79301e17 0d303830 38303131 32343334 
    385a170d 30393038 30323132 34333438 5a3081d6 310b3009 06035504 06130247 
    42312230 20060355 040a1319 76706e2e 616c6368 656d7970 6172746e 6572732e 
    636f2e75 6b311330 11060355 040b130a 47543338 37363033 39353131 302f0603 
    55040b13 28536565 20777777 2e67656f 74727573 742e636f 6d2f7265 736f7572 
    6365732f 63707320 28632930 38313730 35060355 040b132e 446f6d61 696e2043 
    6f6e7472 6f6c2056 616c6964 61746564 202d2051 7569636b 53534c20 5072656d 
    69756d28 52293122 30200603 55040313 1976706e 2e616c63 68656d79 70617274 
    6e657273 2e636f2e 756b3081 9f300d06 092a8648 86f70d01 01010500 03818d00 
    30818902 818100ac 43f3d221 6e647037 32f206cd dbd425c8 e6b54bfb 0fda0001 
    e8d88de5 ae9a3518 45d5dead 91c20968 53943067 370ec7db eca2f2ed d4967c4e 
    3877e658 80ddbf2a 9c8f721a 77c99696 bc3fdd64 91c5a918 b439dea1 b1c9712d 
    753cd273 fb947b47 28c4506d d39c177d 0a86a035 00ea9d6e 46ee50e4 0ccc071a 
    1bd1bc81 e06daf02 03010001 a381ae30 81ab300e 0603551d 0f0101ff 04040302 
    04f0301d 0603551d 0e041604 147a1511 638e910d 76e815ac 541d46d1 b412ed99 
    75303a06 03551d1f 04333031 302fa02d a02b8629 68747470 3a2f2f63 726c2e67 
    656f7472 7573742e 636f6d2f 63726c73 2f736563 75726563 612e6372 6c301f06 
    03551d23 04183016 801448e6 68f92bd2 b295d747 d8232010 4f339890 9fd4301d 
    0603551d 25041630 1406082b 06010505 07030106 082b0601 05050703 02300d06 
    092a8648 86f70d01 01050500 03818100 bbd21ed9 a75db7e9 53d24104 1a58b977 
    d6a4194c 54ce5e67 08b04e71 10a2df3c cb0e535d b2edd655 9e77c99b 01a6cee3 
    46a85311 9b6a5faf a5a5d930 37e16679 e1a9726f be8fbc73 e5cda577 ebd42f8f 
    aec13aeb bb551fe9 c9c9ccc7 86ce521b b5355650 0529d173 3ac16ac5 003c55b9 
    8ebbc248 a9aa357e f757bffd 4fb6c2da
  quit
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 outside
telnet vpn_users 255.255.255.0 outside
telnet 192.168.50.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.150.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
console timeout 10
management-access management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
webvpn
 port 8383
 enable outside
 dtls port 8383
 svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
 svc enable
group-policy SSLGrpPolicy internal
group-policy SSLGrpPolicy attributes
 dns-server value 192.168.50.1
 vpn-simultaneous-logins 5
 vpn-idle-timeout 10
 vpn-tunnel-protocol svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Address
 default-domain value mydomain.local
 webvpn
  svc dpd-interval client 20
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.50.1
 vpn-simultaneous-logins 5
 vpn-idle-timeout 5
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Address
 default-domain value mydomain.local
tunnel-group DefaultRAGroup general-attributes
 address-pool remote_users
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool remote_users
tunnel-group ssl_vpn_connection type remote-access
tunnel-group ssl_vpn_connection general-attributes
 address-pool remote_users
 default-group-policy SSLGrpPolicy
!
class-map inspection_default
 match default-inspection-traffic
class-map mss-map
 match access-list mss_allow_list
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
policy-map mss-map
 class mss-map
  set connection advanced-options mss-map
!
service-policy global_policy global
service-policy mss-map interface outside
prompt hostname context 
Cryptochecksum:b550ce892130af68c7020566d4e2b1fa
: end
asdm image disk0:/asdm-613.bin
asdm location vpn_users 255.255.255.0 inside
asdm location CiscoASA 255.255.255.255 inside
asdm location WANIP 255.255.255.255 inside
asdm location WAP1 255.255.255.255 inside
asdm location WAP2 255.255.255.255 inside
asdm location User1 255.255.255.255 inside
asdm location User2 255.255.255.255 inside
no asdm history enable


v0r73x (asker):

I changed the interface security levels btw, they were all the same and I had allow communication between same security enabled. Still no joy.


harbor235:

try this;

static (inside,Calyx) 10.1.2.0 10.1.2.0 netmask 255.255.255.0  - change 10.1.2.0 to whatever the inside IP range is


This is called the identity translation, which does not NAT traffic from inside to Calyx. This will work if you initiate the traffic from inside, not the other way around. If you initiate from Calyx to inside then the inside interface will require ACL entries explicitly allowing the traffic, which you have.

If you are using an ICMP test from inside to Calyx then you need;

icmp permit any Calyx

You have the following ACL for interface Calyx;

access-list Calyx_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any

Object group -

object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp

Which means you accept everything on all interfaces?  Dangerous, looks like you are wide open.

How are you testing this?


harbor235 ;}

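Added example, not part of the thread: a small Python audit that reads an ASA 8.x running-config and flags what harbor235 points out above, namely interfaces whose applied ACL permits ip any any, management services (http, telnet, ssh) opened to 0.0.0.0/0 on an interface, and ACLs that are defined but never bound with access-group. The sample config is an excerpt constructed from the configuration posted above (the names are the posted ones); the parser handles only the line forms that appear in that config.

```python
"""Audit an ASA 8.x running-config for permit-everything ACLs and
Internet-reachable management access.  Added example, not code from the
thread; the sample below is a constructed excerpt of the posted config."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the posted configuration (names as posted).
SAMPLE_CONFIG = """\
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
object-group service ssl_vpn_port tcp
 port-object eq 8383
access-list outside_access_in extended permit tcp any any eq 3101
access-list Calyx_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list outside_access_in_1 extended permit tcp any any eq 3101
access-group Calyx_access_in in interface Calyx
access-group outside_access_in_1 in interface outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.50.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.100.0 255.255.255.0 management
"""

ACL_RE = re.compile(
    r"access-list (\S+) extended permit (?:object-group (\S+)|(\S+)) (\S+) (\S+)(.*)$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)$")
# 'http 0 0 inside' (short form) and 'http 0.0.0.0 0.0.0.0 outside' both mean any source.
MGMT_RE = re.compile(r"(http|telnet|ssh) (?:0|0\.0\.0\.0) (?:0|0\.0\.0\.0) (\S+)$")


@dataclass
class Audit:
    wide_open: dict = field(default_factory=dict)       # interface -> ACL name
    exposed_mgmt: list = field(default_factory=list)    # (service, interface)
    unapplied_acls: list = field(default_factory=list)  # extended ACLs never bound


def protocol_groups(lines):
    """Map each 'object-group protocol' name to the set of protocols it contains."""
    groups, current = {}, None
    for line in lines:
        m = re.match(r"object-group protocol (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = set()
        elif current and line.startswith(" protocol-object "):
            groups[current].add(line.split()[1])
        elif not line.startswith(" "):
            current = None          # left the object-group block
    return groups


def audit(config_text):
    lines = [l.rstrip() for l in config_text.splitlines()]
    groups = protocol_groups(lines)
    permits_all = {}    # ACL name -> True if some rule is effectively 'permit ip any any'
    bound = {}          # ACL name -> interface it is applied to
    result = Audit()
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            name, grp, proto, src, dst, rest = m.groups()
            protos = groups.get(grp, set()) if grp else {proto}
            everything = "ip" in protos and src == dst == "any" and not rest.strip()
            permits_all[name] = permits_all.get(name, False) or everything
            continue
        m = GROUP_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        m = MGMT_RE.match(line)
        if m:
            result.exposed_mgmt.append((m.group(1), m.group(2)))
    for name, iface in bound.items():
        if permits_all.get(name):
            result.wide_open[iface] = name
    # ACLs used by 'nat 0 access-list' or VPN split tunnels are not bound with
    # access-group, so filter those out before treating this list as stale rules.
    result.unapplied_acls = [n for n in permits_all if n not in bound]
    return result


if __name__ == "__main__":
    r = audit(SAMPLE_CONFIG)
    for iface, name in r.wide_open.items():
        print(f"interface {iface}: ACL {name} permits ip any any")
    for svc, iface in r.exposed_mgmt:
        print(f"{svc} management open to any source on {iface}")
    print("extended ACLs never applied:", r.unapplied_acls)
```

Run against the full posted config it also reports the inside, Investran and outside interfaces as wide open (their applied ACLs use the same ip/icmp/udp/tcp any any pattern) and telnet from 0.0.0.0/0 on outside, which is plaintext management from the Internet.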
v0r73x (asker):

Thanks for the input, I'll try adding the following this evening to test. At the moment everything is allowed purely to test as it's all a new setup. Will lock it down once I get my head around it all :)

I'm testing by running ping from a client on the inside network to a client on the Calyx network (as well as the Calyx interface, but no reply back). With little experience on Cisco it hasn't helped!!

Thanks again for the above will hopefully have a result later today.
ASKER CERTIFIED SOLUTION

harbor235:
http 0 0 inside
Have you tried adding NAT exempt rules between the two networks?
in ASDM go to Configuration > Firewall > NAT Rules.
[Add ] [Add NAT Exempt Rule]

You will need to create one for each interface that originates traffic (this means one for the 'client' interface and one for the 'server' interface).
You will have to fiddle around with the 'inbound' and 'outbound' settings.  My lab box has identical rules with inbound and outbound set, and I can't remember which actually made it work for me.

I believe that in the 8.x versions of the ASA you have to have a NAT rule to pass traffic, even if it is a NAT Exempt rule.
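For the two fixes proposed in this thread (harbor235's identity static and the NAT exempt rule just above), here is an added example, not from the thread or from Cisco, that models how an ASA running 8.0-8.2 (pre-8.3 NAT syntax) decides whether a flow between two interfaces can pass: the security-level/ACL check harbor235 describes in his first post, then the NAT lookup order (nat 0 exemption, static, dynamic nat which needs a global on the egress interface, then nat-control). Interface names, security levels and the nat/global statements are taken from the posted config; 192.168.40.10 is a constructed Calyx host, and the model leaves out policy NAT, outside NAT and PAT pool details. Under these rules it shows why inside-to-Calyx traffic is dropped as posted: `nat (inside) 101` matches the inside network but there is no `global (Calyx) 101`, and either fix clears it.

```python
"""Toy model of the pre-8.3 ASA decision for a connection between two
interfaces: security-level/ACL check, then NAT lookup order.  Added example,
not Cisco code; it encodes the rules stated in the thread plus the pre-8.3
rule that a matched 'nat (ingress) id' needs a 'global (egress) id'."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Config:
    levels: dict                        # interface -> security level
    acl_bound: dict                     # interface -> applied ACL (all permit ip any any here)
    same_security_inter: bool = False   # same-security-traffic permit inter-interface
    nat_control: bool = False           # ASA default is 'no nat-control'
    exempt: dict = field(default_factory=dict)    # ingress -> [(src_net, dst_net)] from nat 0 ACL
    statics: list = field(default_factory=list)   # (real_if, mapped_if, real_net) identity statics
    nats: dict = field(default_factory=dict)      # ingress -> [(nat_id, net)]
    globals_: dict = field(default_factory=dict)  # egress -> {nat_id, ...}


def net(s):
    return ipaddress.ip_network(s, strict=False)


def interface_check(cfg, ingress, egress):
    """Security-level rule for a connection initiated on ingress toward egress."""
    if ingress in cfg.acl_bound:            # an applied ACL replaces the implicit rule
        return True, f"permitted by ACL {cfg.acl_bound[ingress]} on {ingress}"
    lin, lout = cfg.levels[ingress], cfg.levels[egress]
    if lin > lout:
        return True, "higher to lower security level, allowed by default"
    if lin == lout:
        if cfg.same_security_inter:
            return True, "same security level, inter-interface traffic permitted"
        return False, "same security level, inter-interface traffic not permitted"
    return False, f"lower to higher security level needs an ACL on {ingress}"


def nat_check(cfg, ingress, egress, src, dst):
    """Pre-8.3 NAT lookup order for a packet from src (on ingress) to dst (on egress)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s_net, d_net in cfg.exempt.get(ingress, []):
        if src in s_net and dst in d_net:
            return True, "nat 0 access-list exemption, passed untranslated"
    for real_if, mapped_if, real_net in cfg.statics:
        if (real_if, mapped_if) == (ingress, egress) and src in real_net:
            return True, f"static ({real_if},{mapped_if}) identity translation"
    for nat_id, n in cfg.nats.get(ingress, []):
        if src in n:
            if nat_id in cfg.globals_.get(egress, set()):
                return True, f"dynamic nat id {nat_id} with global ({egress}) {nat_id}"
            return False, (f"nat ({ingress}) {nat_id} matched but there is no "
                           f"global ({egress}) {nat_id}: no translation group found")
    if cfg.nat_control:
        return False, "nat-control enabled and no NAT rule matched"
    return True, "no NAT rule matched, nat-control disabled, passed untranslated"


def flow_verdict(cfg, ingress, egress, src, dst):
    ok, why = interface_check(cfg, ingress, egress)
    return (ok, why) if not ok else nat_check(cfg, ingress, egress, src, dst)


def posted_config():
    """The parts of the posted config that matter for inside <-> Calyx traffic."""
    return Config(
        levels={"outside": 0, "inside": 100, "Investran": 90, "Calyx": 80},
        acl_bound={"outside": "outside_access_in_1", "inside": "inside_access_in_1",
                   "Investran": "Investran_access_in", "Calyx": "Calyx_access_in"},
        exempt={"inside": [(net("192.168.50.0/24"), net("192.168.60.0/24"))]},
        nats={"inside": [(101, net("192.168.50.0/24"))]},
        globals_={"outside": {101}, "Investran": {1}},
    )


def with_nat_exemption(cfg):
    """Fix 1 (NAT exempt rule): add inside -> Calyx networks to the nat 0 access-list."""
    cfg.exempt.setdefault("inside", []).append((net("192.168.50.0/24"), net("192.168.40.0/24")))
    return cfg


def with_identity_static(cfg):
    """Fix 2 (harbor235): static (inside,Calyx) 192.168.50.0 192.168.50.0 netmask 255.255.255.0."""
    cfg.statics.append(("inside", "Calyx", net("192.168.50.0/24")))
    return cfg


if __name__ == "__main__":
    # 192.168.50.47 is User1 in the posted config; 192.168.40.10 is a constructed Calyx host.
    for label, cfg in [("as posted", posted_config()),
                       ("with nat 0 exemption", with_nat_exemption(posted_config())),
                       ("with identity static", with_identity_static(posted_config()))]:
        print(label, "->", flow_verdict(cfg, "inside", "Calyx", "192.168.50.47", "192.168.40.10"))
```

The same model reproduces the earlier part of the thread: with no ACLs applied, two interfaces at equal security levels only talk once `same-security-traffic permit inter-interface` is set, and a lower level cannot initiate toward a higher one without an ACL. On a real box the corresponding check is `packet-tracer input inside icmp <src> 8 0 <dst>`, which reports the same NAT phase that drops the packet.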
v0r73x (asker):

Sorry for the delay in awarding points!!! Ended up out of the country for a different project and it slipped my mind to respond.