mattpenland
asked on
Cisco ASA three inside networks on three different interfaces to access
I have three interfaces on this new ASA 5020. I set all three interfaces to the same security level. I then allow any any ip. I still cannot get the device to let the traffic through.
access-list ITGROUP_access_in extended permit ip any any
access-list BlueRidge_access_in extended permit ip any any
access-list ETCTV3_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Server-VLAN 1500
mtu ETCTV3 1500
mtu SANS-LAN 1500
mtu Headend 1500
mtu BlueRidge 1500
mtu ITGROUP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
access-group ETCTV3_access_in in interface ETCTV3
access-group BlueRidge_access_in in interface BlueRidge
access-group ITGROUP_access_in in interface ITGROUP
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.175.0 255.255.255.0 ITGROUP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.175.2-192.168.175.20 ITGROUP
dhcpd enable ITGROUP
!
username etcit password encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
ASKER
This is an internal firewall. Right now I am not worried about allowing traffic in from the outside world. I am wanting to allow traffic between my internal interfaces. I know you can use the {same-security-traffic permit inter-interface} command; however, I only want some of the internal interfaces to have complete access to the other internal interfaces and some just to have port 80, 3389 and telnet.
ASKER
I wanted to add that I currently have a firewall in place. I am trying to set up my new ASA to test before putting it in place. My first step in setting it up is to get the internal networks to talk on the ports that I want. I will then do my access rules for the outside interface.
ASKER CERTIFIED SOLUTION
Normally, the outside (internet-facing) interface is set to security level 0, the inside (most secure) interface is normally set to 100, and a DMZ is usually set to 50.
commands are:
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX <subnet mask>
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
This is not good also:
access-list ITGROUP_access_in extended permit ip any any
access-list BlueRidge_access_in extended permit ip any any
access-list ETCTV3_access_in extended permit ip any any
the above allows all traffic in, with no restrictions
you want to use static NAT and allow inbound access to only certain ports and services, e.g. mail, FTP:
static (inside,outside) 111.111.111.111 192.168.1.1 netmask 255.255.255.255 0 0
access-list acl_in extended permit tcp any host 111.111.111.111 eq smtp
!
The above example statically maps a server with the public address 111.111.111.111 to an inside address of 192.168.1.1, and the access-list allows only inbound traffic on port 25; this is an example for a mail server.
then bind the access-group to the outside interface:
access-group acl_in in interface outside
I am assuming these are your outside-to-inside access rules.
If not, then get rid of these (if they are inside to outside rules, they will often prevent traffic from inside flowing to outside)
by default, the asa allows all traffic from inside to outside unless you configure restrictions via access lists
Remove these below:
access-list ITGROUP_access_in extended permit ip any any
access-list BlueRidge_access_in extended permit ip any any
access-list ETCTV3_access_in extended permit ip any any
access-group ETCTV3_access_in in interface ETCTV3
access-group BlueRidge_access_in in interface BlueRidge
access-group ITGROUP_access_in in interface ITGROUP
!
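The inter-interface policy the asker described in the comments (full access from one inside network, only HTTP, RDP and telnet from the others), written out as an added example. This is not from any post on this page. Only ITGROUP's 192.168.175.0/24 appears in the posted config; the 192.168.176.0/24 and 192.168.177.0/24 subnets, the interface numbers and the service-group name are assumptions made here for illustration.

```cisco
! Added example, not from the original posts. The BlueRidge and ETCTV3
! subnets and the Ethernet0/x assignments are assumed; only ITGROUP's
! 192.168.175.0/24 is known from the posted config.
interface Ethernet0/1
 nameif ITGROUP
 security-level 100
 ip address 192.168.175.1 255.255.255.0
!
interface Ethernet0/2
 nameif BlueRidge
 security-level 100
 ip address 192.168.176.1 255.255.255.0
!
interface Ethernet0/3
 nameif ETCTV3
 security-level 100
 ip address 192.168.177.1 255.255.255.0
!
! Without this line the ASA drops traffic between two interfaces at the
! same security level regardless of what the access lists permit.
same-security-traffic permit inter-interface
!
! Access lists are applied inbound on the interface the traffic enters,
! so each list describes what hosts on THAT network may initiate.
! Return traffic is matched against the connection table and needs no
! rule on the far-side interface.
!
! ITGROUP: unrestricted access to the other inside networks.
access-list ITGROUP_access_in extended permit ip 192.168.175.0 255.255.255.0 any
!
! BlueRidge: only HTTP, RDP and telnet into ITGROUP, spelled out per port.
! The final deny is implicit on an ASA; it is written with "log" so that
! blocked attempts appear in "show logging" while testing.
access-list BlueRidge_access_in extended permit tcp 192.168.176.0 255.255.255.0 192.168.175.0 255.255.255.0 eq www
access-list BlueRidge_access_in extended permit tcp 192.168.176.0 255.255.255.0 192.168.175.0 255.255.255.0 eq 3389
access-list BlueRidge_access_in extended permit tcp 192.168.176.0 255.255.255.0 192.168.175.0 255.255.255.0 eq telnet
access-list BlueRidge_access_in extended deny ip any any log
!
! ETCTV3: the same restricted port set, to both of the other networks,
! using a service group (assumed name) so the ports are listed once.
object-group service INSIDE_MGMT_TCP tcp
 port-object eq www
 port-object eq 3389
 port-object eq telnet
access-list ETCTV3_access_in extended permit tcp 192.168.177.0 255.255.255.0 192.168.175.0 255.255.255.0 object-group INSIDE_MGMT_TCP
access-list ETCTV3_access_in extended permit tcp 192.168.177.0 255.255.255.0 192.168.176.0 255.255.255.0 object-group INSIDE_MGMT_TCP
access-list ETCTV3_access_in extended deny ip any any log
!
access-group ITGROUP_access_in in interface ITGROUP
access-group BlueRidge_access_in in interface BlueRidge
access-group ETCTV3_access_in in interface ETCTV3
```

To confirm the policy before plugging real hosts in, run `packet-tracer input BlueRidge tcp 192.168.176.10 1025 192.168.175.10 3389` (should end in ALLOW) and the same with destination port 445 (should end in DROP at the ACL phase), then check hit counts with `show access-list BlueRidge_access_in`. One caveat for this 7.2-era software: if `nat-control` is present in the running config, inter-interface traffic additionally needs a NAT rule (an identity `static` between the two interface pairs is enough); it is off by default, so check `show running-config` for it if packet-tracer reports a drop in the NAT phase rather than the ACL phase.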