Solved

Cisco ASA 5505 interfaces, routing and licenses

Posted on 2009-06-15
Last Modified: 2012-05-07
Seems like the 5505 have a basic license.

Company A has a 5505 and is supposed to get access to company B file server behind Company B firewall. Company B has fileserver 192.168.16.2 and has set up a gateway 192.168.17.1 on its own interface. I have nothing to do with company B or their setup.

Company A, my responsibility, 5505 setup:
LAN 192.168.1.0/24
WAN static IP

The third interface cannot be fully functional, and the default block to LAN on the DMZ cannot be changed while the interface is there. I deleted the DMZ interface and made a new one with "Block to outside" so that the new interface should be able to communicate with the 5505 LAN.

The company-B-name-interface is set up with permit ip any any for testing purposes. It should all be open. Routing is set up for 192.168.16.2 to use gateway 192.168.17.1.

I can ping 192.168.16.2 on the company a 5505 picking the company-b interface. If I use packet trace everything comes up ok and is then stopped by the default company-b-interface access control drop any any ip. As the permit ip any any is listed before drop I find this weird.

Is it not possible to permit traffic between the third interface and local network even if removing access to the outside interface?

Do I have to buy another license for the 5505?
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.202 255.255.255.248 
!
interface Vlan13
 no forward interface Vlan2
 nameif CompanyB
 security-level 50
 ip address 192.168.17.254 255.255.255.0 
 
 
access-list CompanyB_access_in extended permit ip any any

Question by:Intrepidity
19 Comments
 
LVL 13

Expert Comment

by:3nerds
ID: 24628595
I believe your problem lies in that the 3rd vlan is limited to DMZ functionality only.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

You are most likely going to want the "Security Plus License"

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

see note 5

5 3 (2 regular zones and 1 restricted zone that can only communicate with 1 other zone)

Regards,

3nerds
0
 

Author Comment

by:Intrepidity
ID: 24629464
Well, sorry if I am unclear. The vlan set up for connection to company b does only need to communicate with the inside vlan. So, that's one zone communicating with one zone. I can, however, not make this work.

The question is, is this supposed to work, or is it default blocked towards inside vlan and cannot be removed? After deleting the dmz entry and creating a new one, the company b vlan is now, as stated earlier, blocked to outside. While creating the new interface it's possible to pick either blocking to outside or blocking to inside from the third interface.

This is regarding what you are talking about from my first post:
The third interface cannot be fully functional, and the default block to LAN on the DMZ cannot be changed while the interface is there. I deleted the DMZ interface and made a new one with "Block to outside" so that the new interface should be able to communicate with the 5505 LAN.
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24629525
Makes sense now, thank you for the clarification.

I assume you are using NAT from communication from inside to outside?

Would you be willing to post the config?

Regards,

3nerds
0
 

Author Comment

by:Intrepidity
ID: 24630331
I have to admit that I'm new to Cisco, and the license issue wasn't expected. As stated earlier, if I check connection from inside vlan to company b vlan using packet trace it's all ok until the last point, access control. It stops on the implicit deny ip any any rule on the companyb interface even though I've added a permit ip any any..

hostname ciscoasa
domain-name x.local
x
x
names
x
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.152.202 255.255.255.248
!
interface Vlan13
 no forward interface Vlan2
 nameif L2net
 security-level 50
 ip address 192.168.17.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 13
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name x.local
same-security-traffic permit inter-interface
object-group network SoftScan
 description Spamfilter
 network-object host 194.192.15.190
 network-object host 213.150.52.217
 network-object host 80.237.207.26
access-list 101 extended permit tcp any host x.152.203 eq https
access-list outside_access_in remark Exchange server
access-list outside_access_in extended permit tcp object-group SoftScan host x.152.203 eq smtp
access-list outside_access_in extended permit tcp any host x.152.203 eq https
access-list OGAVPN_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OGA_splitTunnelAcl standard permit any
access-list CompanyB_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu L2net 1500
ip local pool BPNpool 192.168.1.100-192.168.1.120 mask 255.255.255.0
ip local pool Default 192.168.2.100-192.168.2.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.152.203 192.168.1.200 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group L2net_access_in in interface L2net
route outside 0.0.0.0 0.0.0.0 x.152.201 1
route L2net 192.168.16.2 255.255.255.255 192.168.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http Saga_telnet_testing 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 192.168.1.200 195.159.0.100 interface inside
dhcpd enable inside
!

group-policy Standard internal
group-policy Standard attributes
 dns-server value 192.168.1.200 195.159.0.100
 vpn-tunnel-protocol IPSec
 default-domain value x.local
group-policy OGA_2 internal
group-policy OGA_2 attributes
 dns-server value 192.168.1.200
 vpn-tunnel-protocol IPSec

x

 vpn-group-policy Standard
tunnel-group OGA type ipsec-ra
tunnel-group OGA general-attributes
 address-pool Default
 default-group-policy OGA_2
tunnel-group OGA ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24630466
You have no mappings for traffic from dmz to inside.

By default traffic from the inside to the DMZ will flow because the inside has a higher security level than the dmz, but for the dmz to access the inside you will have to add static translations to go along with your acl's.

If you don't need the security of a lower security level as you have it now, you could up the value to 100 and let same-security-traffic permit inter-interface take care of passing the traffic.

At this point your solution will depend on what security you need to have in place between you and company b.

Good Luck,

3nerds
0
 

Author Comment

by:Intrepidity
ID: 24630561
Well it was 100, but didn't work out. I changed it back and tried something else. The output from show config there is kind of between setups as I had sort of given up.

Setting 100 and allow traffic between interfaces with the same security level doesn't help. It's still stopped at the same access control entry as before. What else do I need to edit?

Inside vlan will always initiate contact as company b are not supposed to access company a network. The required security is set up at company b firewall, so I don't plan to bother much with that. At least make it work first, and then maybe tighten security.
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24630645
For testing you might want to plug a pc into the dmz port and assign it the 192.168.17.1 address, if you can get traffic to it you can get it to the other side.

Then test the following:
Make sure the firewall is off on the PC
1. Ping from the asa dmz interface to the PC at .1
2. Attempt to ping from 192.168.1.x to 17.1

Let me know the results.

3nerds


0
 

Author Comment

by:Intrepidity
ID: 24630810
If I follow you correctly, I will unplug the cable from company b (shutting out the 192.168.17.1 gateway) and then manually set 192.168.17.1 IP for the computer connected to the CompanyB vlan on the 5505. I see the use, but I'm pretty confident about the results as well. I will not be able to ping from 192.168.1.x.. I might be able to test this tomorrow.

I have for testing purposes connected a PC to the cable originating from company b, and then assigned it an ip in the 192.168.17.0/254 range using 192.168.17.1 as gateway. I can then access and ping 192.168.16.2, but the gateway itself at 192.168.17.1 can not respond to a ping. I did this before attempting to set up the 5505.

Note: 192.168.17.1 is a gateway set up at company b. If I use this IP I will not be able to use the same IP as gateway, and that IP is the only way to access the fileserver at 192.168.16.2. The IP for the company b vlan set up at the 5505 is 192.168.17.254.

Logged into the 5505 I can choose the CompanyB vlan and ping 192.168.16.2 and get response as I should.

The 5505 is in touch with company B, and the routing seems to be working, although I cannot connect from the inside vlan (192.168.1.0/24). As stated earlier, it still stops at the implicit deny ip any any rule at the company b access list. (entry 1. permit ip any any, entry 2 deny ip any any).

I do not have access to the network at present, only remote access to the 5505.
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24631307
Thanks for the info.

I was just attempting to find out what is and is not communicating and it seems that you have done a good bit of testing yourself what you have done is fine. Just so I am clear.
A pc at 192.168.17.50 is able to ping 192.168.16.2 if it has a DG of 192.168.17.1. Perfect, at least you're not fighting a battle from 2 ends.

Basically what I wanted to do was give you a way to test from your internal network to the DMZ. I am not worried about company b yet I just want to make sure traffic flows out for you.

You stated that only the 192.168.1.x will initiate connectivity to the 192.168.16.2 address. Not the reverse.

Before you go through all of this please add a static translation for the DMZ as follows:
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I see this in your config:
access-group L2net_access_in in interface L2net
but I don't see an access list named L2net_access_in. Did you remove it from your config?

For now doing a:

no access-group L2net_access_in in interface L2net

Would be good for testing.

Test it and let me know.

Regards,

3nerds

0
 

Author Comment

by:Intrepidity
ID: 24632922
Yes, a computer in the 192.168.17.0 range is able to ping 192.168.16.2.

Well, no, I didn't remove "companyB" from the access list. I figured I would rename the names from L2 to CompanyB so it would be easier to understand from my explanation. Obviously I forgot to do that everywhere, so it's just more confusing. The interface name for "company b" is L2net as you can see..

access-list "CompanyB"_in extended permit ip any any <- this is L2net

Even if this is added the packet is dropped by the explicit rule deny ip any any listed below the permit any any. At least this is what the packet trace says. Everything else checks out ok, and it stops on the access list entry mentioned..

Done some more testing - with no results.

Using packet tracer I get ok on "flow lookup" and "route lookup", but it fails on "access list" just as before saying "type access-list  action drop   show rule in access rules table". When I click the "show rule" it shows the explicit deny ip any any on the L2net interface. As you can see there is an allow ip any any added before the deny..
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24633299
I don't think you're following me:

Your access-group says it is using an ACL called L2net_access_in. That ACL no longer exists, so every time you make a change to the ACL called CompanyB_in those changes never get applied to the interface. Now I am going off the config you have above; if this changed then you will have to advise me.

access-list CompanyB_in extended permit ip any any --> This is fine

Just do this to apply it:
no access-group L2net_access_in in interface L2net
access-group CompanyB_in in interface L2net

Although if you're not allowing anyone from Company B to initiate a connection to your LAN then it is not needed at all.

Also you need to add the NAT I recommended:

static (inside,DMZ) x.x.x.x x.x.x.x netmask 255.255.255.0 --> where x is your inside network.

Your simple problem is that you can't get traffic out of your new vlan. You need all the pieces in place for that to happen. NAT is the big one because you're going from a lower security level to a higher.

If you would like to take this step by step tomorrow, as I am leaving now, let me know; otherwise good luck in your troubleshooting.

Regards,

3nerds
0
 

Author Comment

by:Intrepidity
ID: 24635948
Sorry, I'm unclear again. I think you don't follow me this time :-)

There is no interface or anything else named "CompanyB" in the config. I renamed it manually in the output of show config to make it clearer what was what. It just got confusing as I forgot to rename them all though, so L2net and CompanyB were both there.

Everything named "companyb" is in reality L2net in the running config.

I added the NAT yesterday, but it doesn't make any difference.

About security levels; both internal lan and L2net are set to 100.
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24637374
I wish I had an asa 5505 here to test. I just am unsure if that limited license is hanging things up.

Would you re-post your config as is, just X out the IP's and anything else you don't want shown here.

Regards,

3nerds
0
 

Author Comment

by:Intrepidity
ID: 24642352
hostname ciscoasa
domain-name x.local
enable password x
passwd x
names
name x.165.66 testing
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.152.202 255.255.255.248
!
interface Vlan13
 no forward interface Vlan2
 nameif L2net
 security-level 100
 ip address 192.168.17.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 13
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name x.local
same-security-traffic permit inter-interface
object-group network SoftScan
 description Spamfilter
 network-object host 194.192.15.190
 network-object host 213.150.52.217
 network-object host testing
 network-object host 80.237.207.26
access-list 101 extended permit tcp any host x.152.203 eq https
access-list outside_access_in remark Exchange server
access-list outside_access_in extended permit tcp object-group SoftScan host x.152.203 eq smtp
access-list outside_access_in extended permit tcp any host x.152.203 eq https
access-list OGAVPN_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OGA_splitTunnelAcl standard permit any
access-list L2net_access_in extended permit ip any any
access-list L2net_access_in_1 extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu L2net 1500
ip local pool BPNpool 192.168.1.100-192.168.1.120 mask 255.255.255.0
ip local pool Default 192.168.2.100-192.168.2.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.152.203 192.168.1.200 netmask 255.255.255.255
static (inside,L2net) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group L2net_access_in_1 in interface L2net
route outside 0.0.0.0 0.0.0.0 x.152.201 1
route L2net 192.168.16.2 255.255.255.255 192.168.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http Saga_telnet_testing 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 192.168.1.200 195.159.0.100 interface inside
dhcpd enable inside
!

group-policy Standard internal
group-policy Standard attributes
 dns-server value 192.168.1.200
 vpn-tunnel-protocol IPSec
 default-domain value x.local
group-policy OGA_2 internal
group-policy OGA_2 attributes
 dns-server value 192.168.1.200
 vpn-tunnel-protocol IPSec
username x x x x x x x x x
 vpn-group-policy Standard
tunnel-group OGA type ipsec-ra
tunnel-group OGA general-attributes
 address-pool Default
 default-group-policy OGA_2
tunnel-group OGA ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24642753
Ok, so I was curious what might be the problem here, so I took an ASA5510 I have here off the shelf and put the following basic config into it.

:
ASA Version 8.0(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 199.0.152.202 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif L2net
 security-level 100
 ip address 192.168.17.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif    
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
mtu outside 1500
mtu inside 1500
mtu L2net 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 192.168.1.200 195.159.0.100 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context


Most of it is your config with a few pieces missing. With this right here everything works as you need it.

So I added the nat and global lines below into the config and it breaks.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

So I add the rules to the no nat and voilà, it works again:
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.17.0 255.255.255.0

You may get this error "Unable to download NAT policy for ACE" if you do you will have to do this before the new lines will take effect:
no nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound

So to clean up your config and test do the following:
no static (inside,L2net) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.17.0 255.255.255.0

If you get the error above do what I laid out.

If it still does not work then it is a limitation with your asa5505 license or a missed route.

Good Luck,

3nerds


0
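The two diagnoses in this thread (3nerds' earlier point that traffic needs a translation in place before it can leave the new vlan, and the 5510 test above where "nat (inside) 1 0.0.0.0 0.0.0.0" breaks inside-to-L2net until the inside_nat0_outbound exemption is extended) can be followed with a small model of the order in which a pre-8.3 ASA checks a new connection. The block below is an added illustration written for this page, not Cisco code and not the asker's device: ACL matching is reduced to source and destination networks, the phase order is a simplification of packet-tracer, and it assumes nat-control is disabled (the default on these releases). The interface names, ACL names, security levels and 192.168.x networks are the ones posted in the thread; the client and internet addresses in the demo calls are constructed.

```python
# Toy model of the checks a pre-8.3 ASA applies to a new connection, built from
# the configs posted in this thread. Added example, not Cisco code: ACL matching
# is reduced to src/dst networks and the phase order simplifies packet-tracer.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
net = ipaddress.ip_network


@dataclass
class Iface:
    name: str
    level: int
    acl_in: Optional[str] = None  # name given in "access-group X in interface"


@dataclass
class AsaConfig:
    ifaces: Dict[str, Iface]
    same_sec: bool = False  # "same-security-traffic permit inter-interface"
    acls: Dict[str, List[Tuple]] = field(default_factory=dict)          # name -> [(action, src, dst)]
    nat_rules: List[Tuple] = field(default_factory=list)                # (ingress, nat_id, local net)
    globals_: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (egress, nat_id) -> pool
    nat0_acl: Dict[str, str] = field(default_factory=dict)              # ingress -> exemption ACL

    def acl_decision(self, name, src, dst):
        """First matching ACE wins; no ACE (or an unknown name) hits the implicit deny."""
        for action, s, d in self.acls.get(name, []):
            if src in s and dst in d:
                return action
        return "deny"

    def check(self, ingress, egress, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        i, e = self.ifaces[ingress], self.ifaces[egress]
        # Phase 1: an ACL bound on the ingress interface replaces the security-level default.
        if i.acl_in is not None:
            if self.acl_decision(i.acl_in, src, dst) != "permit":
                return "drop: access-list %s (implicit deny)" % i.acl_in
        elif i.level < e.level:
            return "drop: lower to higher security level with no ACL"
        elif i.level == e.level and not self.same_sec:
            return "drop: same-security-traffic permit inter-interface not set"
        # Phase 2: NAT (nat-control off). The "nat 0 access-list" exemption is checked first;
        # otherwise a matching "nat (ingress) id" needs a "global (egress) id" or the flow drops.
        exempt = self.nat0_acl.get(ingress)
        if exempt and self.acl_decision(exempt, src, dst) == "permit":
            return "allow: nat 0 exempt"
        for ing, nat_id, local in self.nat_rules:
            if ing == ingress and src in local:
                if (egress, nat_id) in self.globals_:
                    return "allow: translated via global (%s) %d" % (egress, nat_id)
                return "drop: nat (%s) %d matched but no global (%s) %d" % (ingress, nat_id, egress, nat_id)
        return "allow: no NAT rule applies"


def asker_config():
    """The relevant lines of the last config posted in the thread."""
    cfg = AsaConfig(
        ifaces={"inside": Iface("inside", 100), "outside": Iface("outside", 0),
                "L2net": Iface("L2net", 100, acl_in="L2net_access_in_1")},
        same_sec=True)
    cfg.acls["L2net_access_in_1"] = [("permit", ANY, ANY)]
    cfg.acls["inside_nat0_outbound"] = [("permit", net("192.168.1.0/24"), net("192.168.2.0/24"))]
    cfg.nat0_acl["inside"] = "inside_nat0_outbound"
    cfg.nat_rules.append(("inside", 1, ANY))        # nat (inside) 1 0.0.0.0 0.0.0.0
    cfg.globals_[("outside", 1)] = "interface"      # global (outside) 1 interface
    return cfg


def add_exemptions(cfg):
    """The two ACEs 3nerds added to inside_nat0_outbound in the 5510 test."""
    cfg.acls["inside_nat0_outbound"] += [
        ("permit", net("192.168.1.0/24"), net("192.168.16.0/24")),
        ("permit", net("192.168.1.0/24"), net("192.168.17.0/24")),
    ]
    return cfg


def acl_binding_demo():
    """Earlier in the thread: access-group pointed at a name whose ACEs lived under another name."""
    cfg = asker_config()
    cfg.acls["CompanyB_in"] = [("permit", ANY, ANY)]
    cfg.ifaces["L2net"].acl_in = "L2net_access_in"   # bound name has no ACEs in this model
    before = cfg.check("L2net", "inside", "192.168.17.1", "192.168.1.50")
    cfg.ifaces["L2net"].acl_in = "CompanyB_in"       # access-group CompanyB_in in interface L2net
    after = cfg.check("L2net", "inside", "192.168.17.1", "192.168.1.50")
    return before, after


if __name__ == "__main__":
    cfg = asker_config()
    print(cfg.check("inside", "L2net", "192.168.1.50", "192.168.16.2"))    # drop: no global on L2net
    print(cfg.check("inside", "outside", "192.168.1.50", "198.51.100.7"))  # allow: PAT to outside
    add_exemptions(cfg)
    print(cfg.check("inside", "L2net", "192.168.1.50", "192.168.16.2"))    # allow: nat 0 exempt
    print(acl_binding_demo())
```

The first check reproduces the symptom seen on the 5510: the inside host matches nat id 1, there is a global for that id on outside but none on L2net, so the flow is dropped even though both interfaces sit at level 100 with inter-interface traffic permitted. Extending the exemption list short-circuits the NAT phase and the same flow is allowed. The last call shows why an access-group bound to a name that carries no ACEs ends at the implicit deny regardless of what is in the other list.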
 

Author Comment

by:Intrepidity
ID: 24652173
Sorry to bug you once again. What license is used in the 5510?
0
 
LVL 13

Accepted Solution

by:3nerds (earned 1000 total points)
ID: 24652509
The 5510 I did this test with has the security plus license, but if you mean what license is needed on your asa5505, you need the security plus license as well.

The part number for your asa is ASA5505-SEC-PL=

Regards,

3nerds
0
 

Author Closing Comment

by:Intrepidity
ID: 31592415
Back to square one then.

You think it's the license causing the trouble? I tend to agree, but it states that the limitation on the third interface lies in only being able to communicate with one other interface, and that's ok in this setup.

I grant you accepted solution anyways, since you're probably correct about the solution in case it was the correct license already installed, and about the fact that another license is likely needed.
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24652661
Hey intrepidity,

Did you try changing the lines I offered?

Do you want to post one last config so I can make sure you changed everything needed?

Regards,

3nerds
0
