Cisco ASA: three inside networks on three different interfaces to access

Posted on 2009-02-12
Last Modified: 2013-11-16
I have three interfaces on this new ASA 5020. I set all three interfaces to the same security level. I then allow any any ip. I still cannot get the device to let the traffic through.


access-list ITGROUP_access_in extended permit ip any any
access-list BlueRidge_access_in extended permit ip any any
access-list ETCTV3_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Server-VLAN 1500
mtu ETCTV3 1500
mtu SANS-LAN 1500
mtu Headend 1500
mtu BlueRidge 1500
mtu ITGROUP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
access-group ETCTV3_access_in in interface ETCTV3
access-group BlueRidge_access_in in interface BlueRidge
access-group ITGROUP_access_in in interface ITGROUP
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.175.0 255.255.255.0 ITGROUP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.175.2-192.168.175.20 ITGROUP
dhcpd enable ITGROUP
!
username etcit password encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters  
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Question by:mattpenland
Expert Comment

by:bignewf
ID: 23629430
what is the reason for setting all the security interfaces at the same level?

Normally, the outside (internet-facing) interface is set to security level 0;
the inside (most secure) is normally set to 100,

and a dmz usually set to 50

commands are:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXXX subnet mask
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0

This is not good also:

access-list ITGROUP_access_in extended permit ip any any
access-list BlueRidge_access_in extended permit ip any any
access-list ETCTV3_access_in extended permit ip any any

the above allows all traffic in, with no restrictions

you want to use static nat and allow inbound access to only certain ports and services, i.e. mail, ftp
static (inside,outside) 111.111.111.111 192.168.1.1 netmask 255.255.255.255 0 0


access-list acl_in extended permit tcp any host 111.111.111.111 eq smtp
!
The above example statically maps a server with the public address 111.111.111.111 to an inside address of 192.168.1.1, and the access-list allows only inbound traffic on port 25. This is an example for a mail server.


then bind the access-group to the outside interface:

access-group acl_in in interface outside


I am assuming these are your outside to inside access rules.

If not, then get rid of these (if they are inside to outside rules, they will often prevent traffic from inside flowing to outside)

by default, the asa allows all traffic from inside to outside unless you configure restrictions via access lists

Remove these below:

access-list ITGROUP_access_in extended permit ip any any
access-list BlueRidge_access_in extended permit ip any any
access-list ETCTV3_access_in extended permit ip any any
access-group ETCTV3_access_in in interface ETCTV3
access-group BlueRidge_access_in in interface BlueRidge
access-group ITGROUP_access_in in interface ITGROUP


!
Author Comment

by:mattpenland
ID: 23632433
This is an internal firewall. Right now I am not worried about allowing traffic in from the outside world. I am wanting to allow traffic between my internal interfaces. I know you can use the {same-security-traffic permit inter-interface} command. However, I only want some of the internal interfaces to have complete access to the other internal interfaces and some just to have port 80 -- 3389 --- telnet.
Author Comment

by:mattpenland
ID: 23632465
I wanted to add that I currently have a firewall in place. I am trying to set up my new ASA to test before putting it in place. My first step in setting it up is to get the internal networks to talk on the ports that I want. I will then do my access rules for the outside interface.

Accepted Solution

by: mattpenland
ID: 23798565
I added the following, which allows all three interfaces to talk internally:
same-security-traffic permit inter-interface
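The accepted answer only opens the same-security path; it does not by itself give the split the asker described earlier (some internal interfaces with full access, others limited to 80, 3389 and telnet). The configuration below is an added example, not from this thread or from Cisco, that goes one step further and shows how the same-security-traffic command and per-interface access-groups work together to get there. Only the ITGROUP subnet (192.168.175.0/24) appears in the original post; the Ethernet numbering, the ASA's own interface addresses and the BlueRidge and ETCTV3 subnets are assumed placeholders.

```cisco
! Added example (not from the thread). Interface numbering, the ASA's own
! addresses and the 192.168.176.0/24 and 192.168.177.0/24 subnets are
! assumed; only 192.168.175.0/24 (ITGROUP) comes from the original post.
interface Ethernet0/1
 nameif ITGROUP
 security-level 100
 ip address 192.168.175.1 255.255.255.0
!
interface Ethernet0/2
 nameif BlueRidge
 security-level 100
 ip address 192.168.176.1 255.255.255.0
!
interface Ethernet0/3
 nameif ETCTV3
 security-level 100
 ip address 192.168.177.1 255.255.255.0
!
! Equal security levels block every flow between these interfaces until
! this is enabled. The access-groups below are still evaluated afterwards,
! so this line opens the door and the ACLs decide who walks through it.
same-security-traffic permit inter-interface
!
! The three internal networks and the restricted service set, so the
! per-interface lists stay short and the permitted ports live in one place.
object-group network INTERNAL-NETS
 network-object 192.168.175.0 255.255.255.0
 network-object 192.168.176.0 255.255.255.0
 network-object 192.168.177.0 255.255.255.0
object-group service INTERNAL-LIMITED tcp
 port-object eq www
 port-object eq 3389
 port-object eq telnet
!
! ITGROUP: full access to the other internal networks.
access-list ITGROUP_access_in extended permit ip 192.168.175.0 255.255.255.0 object-group INTERNAL-NETS
access-list ITGROUP_access_in extended deny ip any any log
!
! BlueRidge and ETCTV3: only HTTP, RDP and telnet toward the internal
! networks. Destinations are named explicitly instead of "any" so these
! rules do not silently cover an outside interface added later.
access-list BlueRidge_access_in extended permit tcp 192.168.176.0 255.255.255.0 object-group INTERNAL-NETS object-group INTERNAL-LIMITED
access-list BlueRidge_access_in extended deny ip any any log
access-list ETCTV3_access_in extended permit tcp 192.168.177.0 255.255.255.0 object-group INTERNAL-NETS object-group INTERNAL-LIMITED
access-list ETCTV3_access_in extended deny ip any any log
!
! An inbound access-group filters traffic arriving from that interface's
! network. Once a list is bound, everything it does not permit is dropped,
! including traffic to any other interface.
access-group ITGROUP_access_in in interface ITGROUP
access-group BlueRidge_access_in in interface BlueRidge
access-group ETCTV3_access_in in interface ETCTV3
```

The ASA is stateful, so replies from ITGROUP back to BlueRidge need no entry in ITGROUP_access_in; only the initiating direction is filtered. The explicit deny with log at the end of each list is there for visibility: dropped flows then show up as 106023 syslog messages instead of vanishing silently, which is the first thing to look at when "the traffic does not get through". To check a rule before trusting it, use packet-tracer from the source interface, for example `packet-tracer input BlueRidge tcp 192.168.176.10 1025 192.168.175.10 3389` (addresses assumed), and compare hit counts in `show access-list BlueRidge_access_in`. One caveat for the software generation in this thread: if `nat-control` is enabled, traffic between interfaces additionally needs a NAT or NAT-exemption rule, and the access-lists alone will not make it flow.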