Solved

Need fluid traffic between two same security level interfaces

Posted on 2014-01-09
8
739 Views
Last Modified: 2014-04-30
Dear Sirs, I am configuring an ASA5510 before deploying it on my network. I have 1 ISP for internet connected to the Outside interface, a DMZ interface and 2 inside interfaces. One of these inside interfaces, Outside1, will be connected to a router that will have fiber and antennas for communicating with our small offices. I need fluid traffic between Inside and Outside1. I tried using some advice but it is still not working. Here's my configuration. Can you help me?
 
: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name farmaciachavez.com.bo
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address X.X.X.X y.y.y.y
!
interface Ethernet0/1
nameif Outside1
security-level 100
ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 10
ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
nameif Inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit ip any any
access-list dmz_in extended permit icmp any any
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host x.x.x.163 eq smtp
access-list 100 extended permit udp any host x.x.x.163 eq domain
access-list 100 extended permit tcp any host x.x.x.163 eq https
access-list 100 extended permit tcp any host x.x.x.163 eq www
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Outside1 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.100.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Inside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,DMZ) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (DMZ,Outside) x.x.x.163 172.16.31.0 netmask 255.255.255.255
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
access-group 100 in interface Outside
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 x.x.x.161 1
route Outside1 172.1.1.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.100.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b5e4725e47eea02221510b282e9e5843
: end
 
Thanks in advance
 
Eduardo Guerra
0
Question by:edumatico
8 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39771352
Hmm, you should be fine because of:

same-security-traffic permit inter-interface

and not having ACLs applied to Outside1 or Inside.  You say you need "fluid traffic".  What does that mean?  Is the traffic being denied?

The only thing that semi-sticks out at me is that nat'ing may be off.  That can be confirmed by doing a packet trace on the ASA.  Basically just create an ACL that will match for traffic from the Outside1 side to Inside, then apply that to nat 0 for the Outside1 interface, and then another ACL for the reverse applied to the Inside interface.  This will ensure no packets get dropped due to the nat'ing configuration and that the packets won't try to translate an address.
0
 

Author Comment

by:edumatico
ID: 39771927
Yes, traffic is dropped. Your idea is I should do the following:

1. Create an ACL from outside1 to inside
2. Create an ACL from inside to outside1
3. nat (Outside1) 101 0.0.0.0 0.0.0.0

right?

EG
0
 

Author Comment

by:edumatico
ID: 39772007
This is the packet tracer result (I pasted only the last 2 phases because the first phases' result is ALLOW):

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,DMZ) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  match ip Inside 192.168.100.0 255.255.255.0 DMZ any
    static translation to 192.168.100.0
    translate_hits = 0, untranslate_hits = 471
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9355d0, priority=5, domain=host, deny=false
        hits=1611, user_data=0xab934f90, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.100.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (Inside) 101 0.0.0.0 0.0.0.0
  match ip Inside any Outside1 any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 94, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9309e8, priority=1, domain=nat, deny=false
        hits=93, user_data=0xabeffa80, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

EG
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39772252
Close, you want to do NAT exemption, so it'd be like the following:

access-list no-nat-outside1 extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list no-nat-inside extended permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Outside1) 0 access-list no-nat-outside1
nat (Inside) 0 access-list no-nat-inside

you can get rid of the one you put in there.

You can see in the packet trace it dropped on a NAT processing step (why it says acl-drop, well, it's technically a default ACL that drops it, but yes, it's confusing):
*dynamic translation to pool 101 (No matching global)

So at least with that rule in there it messes up at NAT.  Get rid of the 101 nat rule and put in my nat 0's.  Then run packet trace again and paste the output if it continues to fail.
0
 

Author Comment

by:edumatico
ID: 39797431
Ok, buddies, I have communication between interfaces but have another issue with routing. I want to do the following:

Reach to network 172.1.x.0 from network 192.168.0.0 without nat
Reach to network 192.168.0.0 from network 172.1.x.0 without nat
I cannot reach either of them. Network 172.1.x.0 is connected to a router that is connected to interface Outside1. I inserted a static route:

route Inside 172.1.1.0 255.255.255.0 192.168.2.2 1

At this point this is the configuration:

: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name farmaciachavez.com.bo
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.162 255.255.255.248
!
interface Ethernet0/1
 nameif Outside1
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit ip any any
access-list dmz_in extended permit icmp any any
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host x.x.x.163 eq smtp
access-list 100 extended permit udp any host x.x.x.163 eq domain
access-list 100 extended permit tcp any host x.x.x.163 eq https
access-list 100 extended permit tcp any host x.x.x.163 eq www
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Outside1 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.0.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Inside
icmp permit 192.168.0.0 255.255.255.0 Inside
icmp permit 172.16.32.0 255.255.255.0 Inside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside1) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) x.x.x.163 172.16.31.0 netmask 255.255.255.255
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group 100 in interface Outside
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 200.87.200.161 20
route Inside 172.1.1.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:90b06cf1ece65226aa1a2ec1821bec24
: end
ASAFCHFW#


Please, I need suggestions.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39797447
What you want is no nat, or nat 0.  Just create an ACL matching the traffic you want without nat, then do

nat (interface_name) 0 access-list ACL_NAME

Create the ACL from the perspective of the clients off that interface.  Make sure to do it from both sides of the ASA, otherwise one direction will go without nat and the other with nat.
0
 

Author Comment

by:edumatico
ID: 39797927
Could you help me build the ACL? I tried doing an ACL but it was wrong.
0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 39797957
172.1.x.0 is out which interface?  The outside?

If that is the case for the requirement
Reach to network 172.1.x.0 from network 192.168.0.0 without nat
Reach to network 192.168.0.0 from network 172.1.x.0 without nat

you do

access-list outside-no-nat extended permit ip 172.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside1-no-nat extended permit ip 192.168.1.0 255.255.255.0 172.1.0.0 255.255.0.0
nat (Outside) 0 access-list outside-no-nat
nat (Outside1) 0 access-list outside1-no-nat

That would exempt natting for traffic between those two subnets.  Just adjust those ACLs or add entries if necessary.  NAT exemption is done when the packet is entering an interface.  Just remember that and build the ACL to match the specific traffic that you don't want to have NAT done on.
0
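A small model of how ASA 8.2 orders NAT exemption ahead of dynamic nat/global for one flow, added here to illustrate the advice in this thread (example code, not the ASA's logic or anything posted by the participants): it reproduces the "No matching global" drop from the packet trace above and shows the nat 0 access-list exemption clearing it. Interface names and subnets come from the first config in the thread; the host addresses and the function names are constructed.

```python
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(tokens):
    """Consume 'any' or 'ip mask' from the front of a token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_nat_config(lines):
    """Collect the 8.2 NAT statements modelled here; all other lines are ignored."""
    cfg = {"acl": {}, "nat0": {}, "nat": {}, "global": set()}
    for line in lines:
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _net(t[5:])
            cfg["acl"].setdefault(t[1], []).append((src, _net(rest)[0]))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            cfg["nat0"][m[1]] = m[2]                      # NAT exemption
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+ \S+)$", line):
            cfg["nat"].setdefault(m[1], []).append((int(m[2]), _net(m[3].split())[0]))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            cfg["global"].add((m[1], int(m[2])))          # pool on egress interface
    return cfg

def nat_decision(cfg, src_ifc, src_ip, dst_ifc, dst_ip):
    """Order modelled: nat 0 exemption, then dynamic nat/global (static NAT omitted)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s, d in cfg["acl"].get(cfg["nat0"].get(src_ifc), []):
        if src in s and dst in d:
            return "EXEMPT"
    for nat_id, s in cfg["nat"].get(src_ifc, []):
        if src in s:
            if (dst_ifc, nat_id) in cfg["global"]:
                return f"TRANSLATE pool {nat_id}"
            return f"DROP pool {nat_id} (No matching global)"  # phase 6 of the trace
    return "PASS (no translation)"  # nat-control is off by default on 8.2

# Constructed from the thread's first config: dynamic NAT on Inside, pool only on Outside.
BEFORE = """global (Outside) 101 interface
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0""".splitlines()
# Plus the nat 0 exemption the expert proposes, applied on both interfaces.
AFTER = BEFORE + """access-list no-nat-inside extended permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-nat-outside1 extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (Inside) 0 access-list no-nat-inside
nat (Outside1) 0 access-list no-nat-outside1""".splitlines()

def inside_to_outside1(lines):  # hosts .10 and .50 are constructed
    return nat_decision(parse_nat_config(lines), "Inside", "192.168.100.10", "Outside1", "192.168.2.50")
```

Running `inside_to_outside1(BEFORE)` gives the drop seen in the trace, while `inside_to_outside1(AFTER)` returns EXEMPT; adding a `nat (Outside1) 101 ...` line without its own exemption reproduces the same drop in the reverse direction.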
