Solved

Can't pass traffic between interfaces with same security level on ASA 5510

Posted on 2008-10-21
5
3,407 Views
Last Modified: 2013-11-16
I  have configured ASA 5510 with outside interface and two inside interfaces for two different subnets, i have added the Same-security-traffic permit inter-interface and Same-security-traffic permit intra-interface but traffic doesn't flow between the two inside interfaces that have the same secirty level. I have done much research but can't figure it out. Please help. This is my configuration,
asdm image disk0:/asdm-508.bin
asdm location 192.168.50.48 255.255.255.240 outside
no asdm history enable
: Saved
:
ASA Version 7.0(8) 
!
hostname ciscoasa
domain-name xxxxx.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0 
!
interface Ethernet0/2
 nameif DICOM
 security-level 100
 ip address 10.0.5.150 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240 
access-list remoteuser_splitTunnelAcl standard permit any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DICOM 1500
mtu management 1500
ip local pool remoteusers 192.168.50.50-192.168.50.60 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
icmp permit any DICOM
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 20 interface
global (DICOM) 30 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DICOM) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteuser internal
group-policy remoteuser attributes
 dns-server value 24.93.41.127 24.93.41.128
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteuser_splitTunnelAcl
 webvpn
username mtech password V6B59GRyHeAuo8yI encrypted privilege 0
username mtech attributes
 vpn-group-policy remoteuser
 webvpn
http server enable
http 192.168.100.0 255.255.255.0 inside
http 10.0.5.0 255.255.255.0 DICOM
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group remoteuser type ipsec-ra
tunnel-group remoteuser general-attributes
 address-pool remoteusers
 default-group-policy remoteuser
tunnel-group remoteuser ipsec-attributes
 pre-shared-key *
telnet 192.168.100.0 255.255.255.0 inside
telnet 10.0.5.0 255.255.255.0 DICOM
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.10-192.168.100.20 inside
dhcpd address 10.0.5.50-10.0.5.60 DICOM
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 24.93.41.127 24.93.41.128
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config inside
dhcpd enable inside
dhcpd enable DICOM
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
Cryptochecksum:d3528671fd3962d40e9d657960a3fde8
: end

Open in new window

0
Comment
Question by:hmassertech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 4

Expert Comment

by:yurisk
ID: 22774606
I dont remember if NAT-control is on or off by default in ASA 7.0, if it is then  NAT enabled but no rules
to translate between the networks and no NAT exemption either
Here, these Global rules wont work as there are no matching nat (intf_name) 20 ....
global (inside) 20 interface
global (DICOM) 30 interface

to have networks translated to the interfaces you could do this
global (inside) 10  interface
global (DICOM) 10  interface


Wht do you get when trying to reach another network and doing  #show xlate  to see NAT translations ?
0
 

Author Comment

by:hmassertech
ID: 22776407
I tried to change the global statements as recommended above but i can't still ping between internal networks, this is what the xlate is showing when i try to ping both ways:

ciscoasa# show xlate
7 in use, 33 most used
PAT Global 192.168.200.106(1064) Local 10.0.5.50(55410)
PAT Global 192.168.200.106(1063) Local 10.0.5.50(62255)
PAT Global 192.168.200.106(1062) Local 10.0.5.50(63064)
PAT Global 192.168.200.106(1061) Local 10.0.5.50(50038)
PAT Global 192.168.200.106(1060) Local 10.0.5.50(61956)
PAT Global 192.168.200.106(1) Local 10.0.5.50 ICMP id 1
PAT Global 10.0.5.150(1) Local 192.168.100.10 ICMP id 768

Any ideas? I am really pressed by time here.. :(
0
 
LVL 32

Accepted Solution

by:
harbor235 earned 500 total points
ID: 22776791


You NAT everything from both inside networks, you need a nonat rule that specifies that traffic from inside to dicom and from dicom to inside does not get NAT'd. Right now for the inside interface you do not nat traffic from the inside to the remote users address pools, thats good;

For inside
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240
access-list inside_nat0_outbound permit ip 192.168.100.0 255.255.255.0 10.0.5.0 255.255.255.0 (add)

For DICOM
nat (dicom) 0 access-list dicom_nat0_outbound
access-list dicom_nat0_outbound permit ip 10.0.5.0 255.255.255.0 192.168.100.0 255.255.255.0

0
 
LVL 32

Expert Comment

by:harbor235
ID: 22776894


Also, You do nto need both of the following commands;

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

This is all you need
same-security-traffic permit inter-interface

harbor235 ;}
0
 

Author Closing Comment

by:hmassertech
ID: 31508646
Thanks a lot.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question