Solved

Can't pass traffic between interfaces with same security level on ASA 5510

Posted on 2008-10-21
Last Modified: 2013-11-16
I have configured an ASA 5510 with an outside interface and two inside interfaces for two different subnets. I have added same-security-traffic permit inter-interface and same-security-traffic permit intra-interface, but traffic doesn't flow between the two inside interfaces that have the same security level. I have done much research but can't figure it out. Please help. This is my configuration:
asdm image disk0:/asdm-508.bin
asdm location 192.168.50.48 255.255.255.240 outside
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name xxxxx.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
 nameif DICOM
 security-level 100
 ip address 10.0.5.150 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240
access-list remoteuser_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DICOM 1500
mtu management 1500
ip local pool remoteusers 192.168.50.50-192.168.50.60 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
icmp permit any DICOM
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 20 interface
global (DICOM) 30 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DICOM) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteuser internal
group-policy remoteuser attributes
 dns-server value 24.93.41.127 24.93.41.128
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteuser_splitTunnelAcl
 webvpn
username mtech password V6B59GRyHeAuo8yI encrypted privilege 0
username mtech attributes
 vpn-group-policy remoteuser
 webvpn
http server enable
http 192.168.100.0 255.255.255.0 inside
http 10.0.5.0 255.255.255.0 DICOM
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group remoteuser type ipsec-ra
tunnel-group remoteuser general-attributes
 address-pool remoteusers
 default-group-policy remoteuser
tunnel-group remoteuser ipsec-attributes
 pre-shared-key *
telnet 192.168.100.0 255.255.255.0 inside
telnet 10.0.5.0 255.255.255.0 DICOM
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.10-192.168.100.20 inside
dhcpd address 10.0.5.50-10.0.5.60 DICOM
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 24.93.41.127 24.93.41.128
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config inside
dhcpd enable inside
dhcpd enable DICOM
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:d3528671fd3962d40e9d657960a3fde8
: end

Question by:hmassertech
5 Comments
LVL 4

Expert Comment

by:yurisk
ID: 22774606
I don't remember if NAT-control is on or off by default in ASA 7.0; if it is, then NAT is enabled but there are no rules
to translate between the networks and no NAT exemption either.
Here, these global rules won't work as there are no matching nat (intf_name) 20 ....
global (inside) 20 interface
global (DICOM) 30 interface

To have the networks translated to the interfaces you could do this:
global (inside) 10  interface
global (DICOM) 10  interface


What do you get when trying to reach another network and doing  #show xlate  to see NAT translations?

Author Comment

by:hmassertech
ID: 22776407
I tried to change the global statements as recommended above, but I still can't ping between the internal networks. This is what the xlate is showing when I try to ping both ways:

ciscoasa# show xlate
7 in use, 33 most used
PAT Global 192.168.200.106(1064) Local 10.0.5.50(55410)
PAT Global 192.168.200.106(1063) Local 10.0.5.50(62255)
PAT Global 192.168.200.106(1062) Local 10.0.5.50(63064)
PAT Global 192.168.200.106(1061) Local 10.0.5.50(50038)
PAT Global 192.168.200.106(1060) Local 10.0.5.50(61956)
PAT Global 192.168.200.106(1) Local 10.0.5.50 ICMP id 1
PAT Global 10.0.5.150(1) Local 192.168.100.10 ICMP id 768

Any ideas? I am really pressed for time here... :(
LVL 32

Accepted Solution

by:
harbor235 earned 500 total points
ID: 22776791


You NAT everything from both inside networks; you need a nonat rule that specifies that traffic from inside to DICOM and from DICOM to inside does not get NAT'd. Right now, for the inside interface, you do not NAT traffic from the inside to the remote users' address pools; that's good.

For inside
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240
access-list inside_nat0_outbound permit ip 192.168.100.0 255.255.255.0 10.0.5.0 255.255.255.0 (add)

For DICOM
nat (dicom) 0 access-list dicom_nat0_outbound
access-list dicom_nat0_outbound permit ip 10.0.5.0 255.255.255.0 192.168.100.0 255.255.255.0

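As an added check that is not part of the thread (example code, not from the asker or from harbor235), a small Python script parses the interface, nat 0 and access-list lines of the posted config and reports, for each ordered pair of same-security interfaces, whether the source interface has a NAT exemption covering traffic to the other subnet, following the per-interface form the accepted answer recommends. The config excerpt is taken from the question; FIXED appends the three lines from the accepted answer (with the nameif written as DICOM to match the interface).

```python
import ipaddress
import re
from itertools import permutations
# Excerpt of the config posted in the question ("interface" header lines omitted); FIXED appends the accepted answer's exemptions.
POSTED = """
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 nameif DICOM
 security-level 100
 ip address 10.0.5.150 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
"""
FIXED = POSTED + """
access-list inside_nat0_outbound permit ip 192.168.100.0 255.255.255.0 10.0.5.0 255.255.255.0
nat (DICOM) 0 access-list dicom_nat0_outbound
access-list dicom_nat0_outbound permit ip 10.0.5.0 255.255.255.0 192.168.100.0 255.255.255.0
"""

def _net(spec):
    """'any' or 'ADDR MASK' (ASA address syntax; the 'host' keyword is not handled) -> ip_network."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec.replace(" ", "/"), strict=False)

def parse(config):
    """Collect per-interface net/level, 'nat (if) 0 access-list' names and 'permit ip' ACL entries."""
    ifaces, nat0, acls, cur = {}, {}, {}, None
    for line, t in ((l, l.split()) for l in config.splitlines() if l.strip()):
        if t[0] == "nameif":
            cur = t[1]
        elif t[0] == "security-level":
            ifaces.setdefault(cur, {})["level"] = int(t[1])
        elif t[:2] == ["ip", "address"] and len(t) == 4:  # static address only; 'ip address dhcp' is skipped
            ifaces.setdefault(cur, {})["net"] = _net(f"{t[2]} {t[3]}")
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"] and len(t) > 4:
            nat0[t[1].strip("()")] = t[4]
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (any|\S+ \S+) (any|\S+ \S+)", line):
            acls.setdefault(m[1], []).append((_net(m[2]), _net(m[3])))
    return ifaces, nat0, acls

def missing_exemptions(config):
    """Ordered same-security interface pairs whose source side has no nat 0 entry to the other subnet."""
    ifaces, nat0, acls = parse(config)
    findings, usable = [], [(n, d) for n, d in ifaces.items() if "net" in d and "level" in d]
    for (a, da), (b, db) in permutations(usable, 2):
        if da["level"] == db["level"] and not any(
                s.overlaps(da["net"]) and d.supernet_of(db["net"]) for s, d in acls.get(nat0.get(a, ""), [])):
            findings.append(f"{a} -> {b}: no nat 0 exemption covers {da['net']} -> {db['net']}")
    return findings
```

Run against POSTED it reports both directions (inside -> DICOM and DICOM -> inside); against FIXED it reports nothing.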
LVL 32

Expert Comment

by:harbor235
ID: 22776894


Also, you do not need both of the following commands:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

This is all you need:
same-security-traffic permit inter-interface

harbor235 ;}

Author Closing Comment

by:hmassertech
ID: 31508646
Thanks a lot.
