Solved

Need fluid traffic between two same security level interfaces

Posted on 2014-01-09
Last Modified: 2014-04-30
Dear Sirs, I am configuring an ASA5510 before implementing it on my network. I have one ISP for internet connected to the Outside interface, a DMZ interface and two inside interfaces. One of these inside interfaces, Outside1, will be connected to a router that will have fiber and antennas for communicating with our small offices. I need fluid traffic between Inside and Outside1. I tried using some advice but it is still not working. Here's my configuration. Can you help me?
 
: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name farmaciachavez.com.bo
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address X.X.X.X y.y.y.y
!
interface Ethernet0/1
 nameif Outside1
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit ip any any
access-list dmz_in extended permit icmp any any
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host x.x.x.163 eq smtp
access-list 100 extended permit udp any host x.x.x.163 eq domain
access-list 100 extended permit tcp any host x.x.x.163 eq https
access-list 100 extended permit tcp any host x.x.x.163 eq www
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Outside1 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.100.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Inside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,DMZ) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (DMZ,Outside) x.x.x.163 172.16.31.0 netmask 255.255.255.255
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
access-group 100 in interface Outside
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 x.x.x.161 1
route Outside1 172.1.1.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.100.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b5e4725e47eea02221510b282e9e5843
: end
 
Thanks in advance
 
Eduardo Guerra
Question by:edumatico
8 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39771352
Hmm, you should be fine because of:

same-security-traffic permit inter-interface

and not having ACLs applied to Outside1 or Inside. You say you need "fluid traffic". What does that mean? Is the traffic being denied?

The only thing that semi-sticks out at me is that NATing may be off. That can be confirmed by doing a packet trace on the ASA. Basically, just create an ACL that will match traffic from the Outside1 side to Inside, then apply that to nat 0 for the Outside1 interface, and then another ACL for the reverse, applied to the Inside interface. This will ensure no packets get dropped due to the NAT configuration and that the packets won't try to translate an address.
0
 

Author Comment

by:edumatico
ID: 39771927
Yes, traffic is dropped. Your idea is that I should do the following:

1. Create an ACL from Outside1 to Inside
2. Create an ACL from Inside to Outside1
3. nat (Outside1) 101 0.0.0.0 0.0.0.0

Right?

EG
0
 

Author Comment

by:edumatico
ID: 39772007
This is the packet tracer result (I pasted only the last two phases, because the result of the first phases is allow):

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,DMZ) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  match ip Inside 192.168.100.0 255.255.255.0 DMZ any
    static translation to 192.168.100.0
    translate_hits = 0, untranslate_hits = 471
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9355d0, priority=5, domain=host, deny=false
        hits=1611, user_data=0xab934f90, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.100.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (Inside) 101 0.0.0.0 0.0.0.0
  match ip Inside any Outside1 any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 94, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9309e8, priority=1, domain=nat, deny=false
        hits=93, user_data=0xabeffa80, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

EG
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39772252
Close, you want to do NAT exemption, so it'd be like the following:

access-list no-nat-outside1 extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list no-nat-inside extended permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Outside1) 0 access-list no-nat-outside1
nat (Inside) 0 access-list no-nat-inside

You can get rid of the one you put in there.

You can see in the packet trace that it dropped on a NAT processing step (why it says acl-drop, well, it's technically a default ACL that drops it, but yes, it's confusing):
*dynamic translation to pool 101 (No matching global)

So at least with that rule in there it messes up at NAT. Get rid of the 101 NAT rule and put in my nat 0's. Then run packet trace again and paste the output if it continues to fail.
0
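The packet-tracer output above and the nat 0 fix can be reproduced on paper. The following is an added example, not code from the thread: a small Python model of the ASA 8.2 forward-flow NAT lookup (NAT exemption first, then static for the exact interface pair, then dynamic nat/global), fed with two constructed rule sets built from the poster's first config and from the exemption pair suggested here. Interface names and addresses are the thread's; the ACL lines use the full `extended permit ip` syntax, 203.0.113.5 is a documentation address standing in for an internet host, and policy NAT, outside NAT and PAT pool exhaustion are deliberately not modelled.

```python
"""Replay of the ASA 8.2 forward-flow NAT lookup that packet-tracer walks.

Added example, not code from the thread.  Order of operations is the
documented pre-8.3 one, simplified: NAT exemption (nat 0 access-list),
then static for the exact interface pair, then dynamic nat/global.
Policy NAT, outside NAT and PAT pool exhaustion are not modelled.
"""
import ipaddress


def _net(addr, mask):
    """Turn the ASA 'address netmask' pair into an ip_network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_nat_config(config_text):
    """Collect access-list / nat / global / static lines into a rule table."""
    rules = {"acl": {}, "nat": [], "global": {}, "static": []}
    for raw in config_text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "access-list" and p[2:5] == ["extended", "permit", "ip"]:
            rules["acl"].setdefault(p[1], []).append((_net(p[5], p[6]), _net(p[7], p[8])))
        elif p[0] == "nat":
            entry = {"iface": p[1].strip("()"), "id": int(p[2])}
            if p[3] == "access-list":
                entry["acl"] = p[4]          # nat 0 access-list = NAT exemption
            else:
                entry["net"] = _net(p[3], p[4])
            rules["nat"].append(entry)
        elif p[0] == "global":
            rules["global"][(p[1].strip("()"), int(p[2]))] = p[3]
        elif p[0] == "static":
            real_if, mapped_if = p[1].strip("()").split(",")
            rules["static"].append({"real_if": real_if, "mapped_if": mapped_if,
                                    "mapped": p[2], "real": _net(p[3], p[5])})
    return rules


def nat_lookup(rules, in_if, out_if, src, dst):
    """Return (verdict, detail) for a flow entering in_if and leaving out_if."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption on the ingress interface is checked first and wins outright.
    for r in rules["nat"]:
        if r["iface"] == in_if and r["id"] == 0 and "acl" in r:
            for s_net, d_net in rules["acl"].get(r["acl"], []):
                if src in s_net and dst in d_net:
                    return "exempt", f"nat ({in_if}) 0 access-list {r['acl']}"
    # 2. static NAT applies only to its own (real,mapped) interface pair.
    for s in rules["static"]:
        if (s["real_if"], s["mapped_if"]) == (in_if, out_if) and src in s["real"]:
            return "static", f"static ({in_if},{out_if}) {s['mapped']}"
    # 3. dynamic nat needs a global with the same id on the egress interface;
    #    without one the ASA drops the flow ("No matching global").
    for r in rules["nat"]:
        if r["iface"] == in_if and r["id"] != 0 and "net" in r and src in r["net"]:
            pool = rules["global"].get((out_if, r["id"]))
            if pool is None:
                return "drop", f"nat ({in_if}) {r['id']}: No matching global on {out_if}"
            return "dynamic", f"global ({out_if}) {r['id']} {pool}"
    return "untranslated", "no NAT rule matched"


# Constructed from the poster's first config: PAT for Inside and DMZ with a
# global on Outside only, and nothing covering Inside <-> Outside1.
ORIGINAL = """\
global (Outside) 101 interface
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,DMZ) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
"""

# Same config plus the nat 0 exemption pair proposed in the thread.
WITH_EXEMPTION = ORIGINAL + """\
access-list no-nat-inside extended permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-nat-outside1 extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (Inside) 0 access-list no-nat-inside
nat (Outside1) 0 access-list no-nat-outside1
"""


def trace(config_text, in_if, out_if, src, dst):
    return nat_lookup(parse_nat_config(config_text), in_if, out_if, src, dst)


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("with exemption", WITH_EXEMPTION)):
        print(name, "Inside->Outside1", trace(cfg, "Inside", "Outside1", "192.168.100.10", "192.168.2.50"))
        print(name, "Outside1->Inside", trace(cfg, "Outside1", "Inside", "192.168.2.50", "192.168.100.10"))
        # 203.0.113.5 is a documentation address standing in for an internet host
        print(name, "Inside->Outside", trace(cfg, "Inside", "Outside", "192.168.100.10", "203.0.113.5"))
```

With the original rules, Inside to Outside1 ends in the same "No matching global" drop the packet tracer reported, while Outside1 to Inside passes untranslated because no nat statement covers Outside1 at all; that asymmetry is why the exemption has to be configured on both interfaces. Adding `global (Outside1) 101 interface` would also stop the drop, but it would PAT every Inside host behind 192.168.2.x on the way to the branch router, which is not what the question asks for.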

Author Comment

by:edumatico
ID: 39797431
OK, buddies, I have communication between the interfaces but have another issue, with routing. I want to do the following:

Reach network 172.1.x.0 from network 192.168.0.0 without NAT
Reach network 192.168.0.0 from network 172.1.x.0 without NAT

I cannot reach either of them. Network 172.1.x.0 is connected to a router that is connected to interface Outside1. I inserted a static route:

route Inside 172.1.1.0 255.255.255.0 192.168.2.2 1

At this point this is the configuration:

: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name farmaciachavez.com.bo
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.162 255.255.255.248
!
interface Ethernet0/1
 nameif Outside1
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit ip any any
access-list dmz_in extended permit icmp any any
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host x.x.x.163 eq smtp
access-list 100 extended permit udp any host x.x.x.163 eq domain
access-list 100 extended permit tcp any host x.x.x.163 eq https
access-list 100 extended permit tcp any host x.x.x.163 eq www
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Outside1 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.0.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Inside
icmp permit 192.168.0.0 255.255.255.0 Inside
icmp permit 172.16.32.0 255.255.255.0 Inside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside1) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) x.x.x.163 172.16.31.0 netmask 255.255.255.255
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group 100 in interface Outside
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 200.87.200.161 20
route Inside 172.1.1.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:90b06cf1ece65226aa1a2ec1821bec24
: end
ASAFCHFW#


Please, I need suggestions.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39797447
What you want is no NAT, or nat 0. Just create an ACL matching the traffic you want without NAT, then do

nat (interface_name) 0 access-list ACL_NAME

Create the ACL from the perspective of the clients off that interface. Make sure to do it from both sides of the ASA; otherwise one direction will go without NAT and the other with NAT.
0
 

Author Comment

by:edumatico
ID: 39797927
Could you help me build the ACL? I tried doing an ACL but it was wrong.
0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 39797957
172.1.x.0 is out which interface? The Outside?

If that is the case, for the requirement
Reach network 172.1.x.0 from network 192.168.0.0 without NAT
Reach network 192.168.0.0 from network 172.1.x.0 without NAT

you do

access-list outside-no-nat extended permit ip 172.1.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list outside1-no-nat extended permit ip 192.168.0.0 255.255.255.0 172.1.0.0 255.255.0.0
nat (Outside) 0 access-list outside-no-nat
nat (Outside1) 0 access-list outside1-no-nat

That would exempt NATing for traffic between those two subnets. Just adjust those ACLs or add entries if necessary. NAT exemption is done when the packet is entering an interface; just remember that and build the ACL to match the specific traffic that you don't want to have NAT done on.
0
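Two things in the config posted above are worth checking mechanically before trusting the exemption. First, `route Inside 172.1.1.0 255.255.255.0 192.168.2.2 1` names Inside (192.168.0.1/24) but its next hop 192.168.2.2 sits on Outside1's subnet (192.168.2.1/24), so the route belongs on Outside1. Second, since exemption is evaluated on the ingress interface, the ACL for 192.168.0.0/24 sources has to be applied with `nat (Inside) 0`, and the one for 172.1.0.0/16 sources on the interface those packets arrive on, Outside1; a typo in either ACL name silently leaves one direction translated. The following is an added example, not code from the thread or from Cisco: a checker that parses the relevant lines of an 8.2 config and reports both problems. Its sample config is constructed from the poster's second config, with the public /29 replaced by the documentation range 203.0.113.160/29 and one deliberately misspelled ACL reference added to show the name check firing.

```python
"""Sanity checks for two things that go wrong in this thread: a static
route whose next hop is not on the interface it names, and nat 0
exemptions that are missing or not mirrored on the peer interface.

Added example, not code from the thread or from Cisco.
"""
import ipaddress


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pull interface subnets, static routes, ACLs and nat 0 exemptions."""
    ifaces, routes, acls, exemptions = {}, [], {}, []
    current = None
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "interface":
            current = {"net": None}
        elif p[0] == "nameif" and current is not None:
            ifaces[p[1]] = current           # same dict, later 'ip address' fills it
        elif p[:2] == ["ip", "address"] and current is not None:
            current["net"] = _net(p[2], p[3])
        elif p[0] == "route":
            routes.append({"iface": p[1], "net": _net(p[2], p[3]),
                           "gw": ipaddress.ip_address(p[4])})
        elif p[0] == "access-list" and p[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(p[1], []).append((_net(p[5], p[6]), _net(p[7], p[8])))
        elif p[0] == "nat" and p[2] == "0" and p[3] == "access-list":
            exemptions.append({"iface": p[1].strip("()"), "acl": p[4]})
    return ifaces, routes, acls, exemptions


def check_routes(ifaces, routes):
    """A static route's next hop must be on the subnet of the interface it names."""
    findings = []
    for r in routes:
        net = ifaces.get(r["iface"], {}).get("net")
        if net is not None and r["gw"] not in net:
            owners = [n for n, i in ifaces.items() if i["net"] and r["gw"] in i["net"]]
            hint = f"it is on {owners[0]}" if owners else "no interface owns it"
            findings.append(f"route {r['iface']} {r['net']} via {r['gw']}: "
                            f"next hop not on {r['iface']} ({net}); {hint}")
    return findings


def check_exemptions(acls, exemptions):
    """Every nat 0 ACL must exist, and each ACE needs its reverse on another interface."""
    findings = []
    for ex in exemptions:
        if ex["acl"] not in acls:
            findings.append(f"nat ({ex['iface']}) 0 references missing ACL {ex['acl']}")
            continue
        for s_net, d_net in acls[ex["acl"]]:
            mirrored = any(o["acl"] in acls and (d_net, s_net) in acls[o["acl"]]
                           for o in exemptions if o is not ex)
            if not mirrored:
                findings.append(f"{ex['acl']} {s_net} -> {d_net}: "
                                f"no reverse exemption on another interface")
    return findings


def audit(text):
    ifaces, routes, acls, exemptions = parse_config(text)
    return check_routes(ifaces, routes) + check_exemptions(acls, exemptions)


# Constructed sample: the poster's second config, public /29 swapped for
# 203.0.113.160/29, plus exemptions with one misspelled ACL reference.
SAMPLE = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.162 255.255.255.248
!
interface Ethernet0/1
 nameif Outside1
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 203.0.113.161 20
route Inside 172.1.1.0 255.255.255.0 192.168.2.2 1
access-list outside1-no-nat extended permit ip 172.1.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list inside-no-nat extended permit ip 192.168.0.0 255.255.255.0 172.1.0.0 255.255.0.0
nat (Outside1) 0 access-list outside1-no-nat
nat (Inside) 0 access-list insdie-no-nat
"""

# Corrected version: route moved to Outside1, ACL reference spelled right.
FIXED = (SAMPLE.replace("route Inside 172.1.1.0", "route Outside1 172.1.1.0")
               .replace("insdie-no-nat", "inside-no-nat"))

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE), ("fixed", FIXED)):
        print(name, audit(cfg) or ["clean"])
```

On the sample the checker reports the misplaced route (and names Outside1 as the interface that actually owns 192.168.2.2), the dangling `insdie-no-nat` reference, and the resulting one-way exemption; on the corrected text it reports nothing. Run it against `show running-config` output before and after the change, and follow up with `packet-tracer input Inside tcp 192.168.0.10 1025 172.1.1.10 80` in both directions to confirm the NAT phase now reads exempt.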
