Cisco ASA: three inside networks on three different interfaces to access

mattpenland asked (last modified 2013-11-16):
I have three interfaces on this new ASA 5020. I set all three interfaces to the same security level. I then allow any any ip. I still cannot get the device to let the traffic through.


access-list ITGROUP_access_in extended permit ip any any
access-list BlueRidge_access_in extended permit ip any any
access-list ETCTV3_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Server-VLAN 1500
mtu ETCTV3 1500
mtu SANS-LAN 1500
mtu Headend 1500
mtu BlueRidge 1500
mtu ITGROUP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
access-group ETCTV3_access_in in interface ETCTV3
access-group BlueRidge_access_in in interface BlueRidge
access-group ITGROUP_access_in in interface ITGROUP
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.175.0 255.255.255.0 ITGROUP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.175.2-192.168.175.20 ITGROUP
dhcpd enable ITGROUP
!
username etcit password encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters  
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

Commented:
What is the reason for setting all the interface security levels the same?

Normally, the outside (internet-facing) interface is set to security level 0, the inside (most secure) is normally set to 100, and a DMZ is usually set to 50.

commands are:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXXX subnet mask
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! DMZ on its own physical interface and its own subnet (the original
! comment repeated Ethernet0/1 and 192.168.1.1 here, which the ASA rejects)
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0

This is not good also:

access-list ITGROUP_access_in extended permit ip any any
access-list BlueRidge_access_in extended permit ip any any
access-list ETCTV3_access_in extended permit ip any any

The above allows all traffic in, with no restrictions.

You want to use static NAT and allow inbound access to only certain ports and services, e.g. mail, FTP:

static (inside,outside) 111.111.111.111 192.168.1.1 netmask 255.255.255.255 0 0

access-list acl_in extended permit tcp any host 111.111.111.111 eq smtp
!
The above example statically maps a server with the public address 111.111.111.111 to an inside address of 192.168.1.1, and the access-list allows only inbound traffic on port 25; this is an example for a mail server.


then bind the access-group to the outside interface:

access-group acl_in in interface outside


I am assuming these are your outside-to-inside access rules.

If not, then get rid of these (if they are inside-to-outside rules, they will often prevent traffic from inside flowing to outside).

By default, the ASA allows all traffic from inside to outside unless you configure restrictions via access lists.

Remove these below:

access-list ITGROUP_access_in extended permit ip any any
access-list BlueRidge_access_in extended permit ip any any
access-list ETCTV3_access_in extended permit ip any any
access-group ETCTV3_access_in in interface ETCTV3
access-group BlueRidge_access_in in interface BlueRidge
access-group ITGROUP_access_in in interface ITGROUP


!

Author

Commented:
This is an internal firewall. Right now I am not worried about allowing traffic in from the outside world. I am wanting to allow traffic between my internal interfaces. I know you can use the {same-security-traffic permit inter-interface} command; however, I only want some of the internal interfaces to have complete access to the other internal interfaces and some just to have port 80, 3389 and telnet.

Author

Commented:
I wanted to add that I currently have a firewall in place. I am trying to set up my new ASA to test before putting it in place. My first step in setting it up is to get the internal networks to talk on the ports that I want. I will then do my access rules for the outside interface.

I added the following, which allows all three interfaces to talk internally:
same-security-traffic permit inter-interface
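As an added example (this is not the original poster's configuration, nor anything the expert above wrote), here is how the three same-security interfaces can be made to talk while still limiting BlueRidge and ETCTV3 to HTTP, RDP and telnet, which is what the last two comments ask for and what the expert's warning about `permit ip any any` argues for. On the ASA, two interfaces at the same security level cannot pass traffic to each other at all until `same-security-traffic permit inter-interface` is set, regardless of what the interface ACLs permit, so the `permit ip any any` rules in the question were never what was blocking the traffic. The interface names and ITGROUP's 192.168.175.0/24 come from the question; the BlueRidge and ETCTV3 subnets (192.168.176.0/24 and 192.168.177.0/24) are assumed for illustration, and giving ITGROUP full access while restricting the other two is one reading of the request.

```text
! Added example, not the poster's config. Interface names and the ITGROUP
! subnet come from the question; the BlueRidge and ETCTV3 subnets are assumed.
!
! All three interfaces share one security level, so without this line the
! ASA drops traffic between them no matter what the interface ACLs say.
same-security-traffic permit inter-interface
!
! The three internal networks (object-group syntax is valid on ASA 7.x/8.x)
object-group network INTERNAL_NETS
 network-object 192.168.175.0 255.255.255.0
 network-object 192.168.176.0 255.255.255.0
 network-object 192.168.177.0 255.255.255.0
!
! The only TCP services the restricted networks may initiate: 80, 3389, 23
object-group service RESTRICTED_TCP tcp
 port-object eq www
 port-object eq 3389
 port-object eq telnet
!
! ITGROUP (assumed to be the management network) gets full access to the
! other internal networks; everything else it sends is denied and logged
access-list ITGROUP_access_in extended permit ip 192.168.175.0 255.255.255.0 object-group INTERNAL_NETS
access-list ITGROUP_access_in extended deny ip any any log
!
! BlueRidge and ETCTV3 may reach the other internal networks only on the
! RESTRICTED_TCP ports; replies are matched by the state table, not by ACL
access-list BlueRidge_access_in extended permit tcp 192.168.176.0 255.255.255.0 object-group INTERNAL_NETS object-group RESTRICTED_TCP
access-list BlueRidge_access_in extended deny ip any any log
access-list ETCTV3_access_in extended permit tcp 192.168.177.0 255.255.255.0 object-group INTERNAL_NETS object-group RESTRICTED_TCP
access-list ETCTV3_access_in extended deny ip any any log
!
! Each ACL filters traffic entering its interface, i.e. what that network
! is allowed to start
access-group ITGROUP_access_in in interface ITGROUP
access-group BlueRidge_access_in in interface BlueRidge
access-group ETCTV3_access_in in interface ETCTV3
```

To check the result before trusting it, run `packet-tracer input BlueRidge tcp 192.168.176.10 1025 192.168.175.10 3389` (expected: allowed) and the same command with a port outside the list such as 445 (expected: dropped at the ACCESS-LIST phase), then `show access-list` to watch the hit counts move. On the 7.x/8.x code this box is running (the asdm-524 image), one more caveat applies: if `nat-control` is enabled, traffic between interfaces also needs an identity NAT rule (`nat (ITGROUP) 0 ...` or a `static` that maps a network to itself); it is disabled on a fresh install, so check with `show running-config nat-control` before chasing ACLs.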
