ASA 5510 Trunking

lconnell asked:
Hi all.  I am banging my head here.  I have an ASA 5510 with Security Plus and trying to configure a trunk port.  I can't tell if the Dell PowerConnect 5424 is the issue or my ASA config.  Here is the ASA config below. Is this the correct configuration?  I have a PC connected to an access port 22 which I tested and works with another access port 22 PC. When I ping from the PC to the 10.95.22.1 it does not go through.  I have added icmp permit storage as well. My PowerConnect is set for trunk mode and tagged with vlan 22.  I also added vlan 22 to the database.  I can get a trunk between two PowerConnects fine. Do I need a xover cable?

interface Ethernet0/1
 description 802.1q Trunk
 nameif trunk-test
 security-level 100
 no ip address
!
interface Ethernet0/1.22
 description Storage
 vlan 22
 nameif storage
 security-level 100
 ip address 10.95.22.1 255.255.255.0
David Akinsanya:
Do a packet trace.
The problem is 99% ACL-related.
lconnell (asker):
OK, I will try a packet trace. There are no ACLs for that interface. Doesn't security-level 100 allow it through?
ASKER CERTIFIED SOLUTION
Cyclops3590
I got rid of the security level and nameif on e0/1. No ACLs are in place. I can ping the vlan 22 IP from within the ASA. I have the switch port trunked. I'm still having issues. The switch is a PowerConnect from Dell, so possibly that is the problem. I do have the trunk working between two Dell switches though.
Have you done the packet trace yet? If so, please post the complete result of that test. If that doesn't give any clues, the next step is to upload the ASA config (sanitized, of course, to remove passwords, the first two octets of any public IPs, and any other names that might identify which organization this is for) as well as the config for the Dell switches. I haven't worked with them before, so if there isn't a text config, please upload the switch port configs via screenshots.
packet-tracer input inside tcp <source ip> 4444 <destination ip> 4444 detailed

Definitely some sort of ACL or route issue. No ACL in place is similar (literally) to a deny statement.
You need to create one and permit interesting traffic and assign the ACL to desired interface

The same-security-traffic command is tied to a default (built-in) ACL. See if that is on:

show run same-security-traffic

If off, turn them on:
hostname(config)# same-security-traffic permit inter-interface
hostname(config)# same-security-traffic permit intra-interface


Other possibilities
Check the firewall settings on the PC 10.95.22.1
- Firewall.cpl
- Allow a program or feature through Windows Firewall
- File and Printer sharing.
This setting, if unchecked for the network type, will not allow pings through.

If that's out of the way
Thanks for responses. same-security was turned on, both of them.

It's not a PC issue.

If I have to implicitly set an ACL to allow traffic that's on the same subnet/VLAN, then that would be the issue. I didn't think I had to since it's the same subnet/VLAN...? Below is a trimmed-down config. I plug the trunked port allowing vlan 22 of the PowerConnect into e0/1. I have a PC on an access port of 22 on the PowerConnect. I can ping other access ports on vlan 22. I can plug another PowerConnect into this PowerConnect on a trunk port and ping a PC across the trunk on the same VLAN. I don't have access to the FW right now, so I can't do a packet trace.

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.89.101.1 255.255.255.0

interface Ethernet0/1
 no nameif
 no ip address

interface Ethernet0/1.22
 vlan 22
 nameif Storage
 security-level 100
 ip address 10.95.22.1 255.255.255.0

access-list inside_access_in extended permit ip any any

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


object network obj-10.89.101.0
 nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside
I would bet money this is not an ACL issue. If no ACL is applied, then the security level is used to determine access control (unless a global ACL is applied). A security level of 100 can only be denied if you are trying to go between two interfaces with a level of 100 set and you haven't configured same-security-level inter-interface. Regardless, interface ACLs do NOT apply to traffic destined for the ASA itself, only to traffic going THRU it. So when no ACL is applied, default behavior is determined by security levels, but only for traffic thru the firewall.

Allowing ICMP traffic to the ASA is done via "permit icmp", which supposedly has already been done. My guess is there is a trunking issue.

However, without a complete config to know what is going on within the ASA or the Dell switch, it's hard to know for sure.

It's stated "can ping vlan 22 ip from within the asa".
What does that mean? So from the ASA you pinged the switch IP, or a PC on VLAN 22? Just curious, because if yes, then trunking and switches are configured fine and you need to double-check that ICMP is being permitted.

Without knowing how everything is configured, it's very difficult to know where the issue might be. It could be the ASA, but from what you're saying about its configuration I would highly doubt it. This is why I'm leaning toward the switches not being configured right and why I would like to see the configuration there. Also, the entire ASA config (sanitized, of course) would be nice just so Akinsd and I can verify there isn't something else that might be affecting your ability to ping the ASA's interface.
Cyclops, I meant I could ping vlan 22 interface on the ASA from within the ASA. I took out all the crypto map stuff, see below.

names

name 10.81.14.10 clearchannel1
name 10.81.14.17 clearchannel2
name 10.81.14.16 clearchannel3
name 10.81.15.0 clearchannelnet2
name 10.81.14.0 clearchannelnet1
name 10.89.103.224 vpn-phones

name x.x.72.78 outside-nat-x.x.72.78

dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.89.101.2 255.255.255.0
!
interface Ethernet0/0.16
 vlan 16
 nameif voice
 security-level 100
 ip address 10.89.103.2 255.255.255.0
!
interface Ethernet0/1
 no nameif
 no ip address
!
interface Ethernet0/1.22
 vlan 22
 nameif Storage
 ip address 10.95.22.1 255.255.255.0
!
interface Ethernet0/2
 nameif wireless
 security-level 10
 ip address 10.89.102.2 255.255.255.0
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address x.x.72.77 255.255.255.240
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup voice
dns domain-lookup wireless
dns domain-lookup outside
dns domain-lookup management

access-list outside_cryptomap_1 extended permit ip interface outside object-group E-network
access-list inside_nat0_outbound extended permit ip 10.89.101.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip 10.89.101.0 255.255.255.0 object K-network
access-list inside_nat0_outbound extended permit ip 10.89.101.0 255.255.255.0 object-group clearchannel
access-list inside_nat0_outbound extended permit ip 10.89.101.0 255.255.255.0 object ofs-vpn-gateway
access-list sslvpn_client_unrestricted extended permit ip object sslvpn-client-network any
access-list outside_nat_outbound extended permit ip object sslvpn-client-network object-group MS-remote-networks
access-list sslvpn_tunnelednetworks remark Internal network
access-list sslvpn_tunnelednetworks standard permit 10.89.101.0 255.255.255.0
access-list sslvpn_tunnelednetworks remark D server network
access-list sslvpn_tunnelednetworks standard permit 172.23.35.0 255.255.255.0
access-list sslvpn_tunnelednetworks remark B office network
access-list sslvpn_tunnelednetworks standard permit 192.168.0.0 255.255.255.0
access-list sslvpn_tunnelednetworks remark E
access-list sslvpn_tunnelednetworks standard permit 192.168.89.0 255.255.255.0
access-list sslvpn_tunnelednetworks remark E
access-list sslvpn_tunnelednetworks standard permit 192.168.250.0 255.255.254.0
access-list sslvpn_client_F extended permit ip object sslvpn-client-network object-group F
access-list sslvpn_client_F extended permit object-group TCPUDP object sslvpn-client-network object-group sslvpn-dns-servers eq domain
access-list sslvpn_client_F remark Test-TEST
access-list sslvpn_client_F extended permit object-group TCPUDP object sslvpn-client-network object D-server-network
access-list outside_cryptomap extended permit ip 10.89.101.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_nat_outbound_1 extended permit ip object sslvpn-client-network 10.89.101.0 255.255.255.0
access-list outside_nat_outbound_1 extended permit ip object sslvpn-client-network object-group MS-remote-networks
access-list inside_nat_static extended permit tcp object files.MS.net-internal eq https any
access-list sslvpn_R_only extended permit ip object sslvpn-client-network 10.89.101.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 10.89.101.0 255.255.255.0 object K-network
access-list sslvpn_tunneled_Ronly remark Internal network
access-list sslvpn_tunneled_Ronly standard permit 10.89.101.0 255.255.255.0
access-list sslvpn_tunneled_Ronly remark D Network
access-list sslvpn_tunneled_Ronly standard permit 172.23.35.0 255.255.255.0
access-list sslvpn_tunneled_Ronly remark VPN Network
access-list sslvpn_tunneled_Ronly standard permit 172.23.36.0 255.255.255.0
access-list dmz_access_in extended permit ip object skles03 object D-skles-cnx
access-list inside_nat_static_1 extended permit tcp object w2k3iis-01.internal eq 81 object web-services-client
access-list inside_nat_outbound extended permit ip 10.89.101.0 255.255.255.0 172.23.33.0 255.255.255.0
access-list inside_nat_outbound extended permit ip object-group MS-remote-networks object sslvpn-client-network
access-list VPN-D extended permit object-group DM_INLINE_SERVICE_5 host 172.23.35.0 host 172.23.35.0
access-list vpnphone_tunneled standard permit any
access-list vpnphone extended permit ip object vpn-phones object-group clearchannel
access-list vpnphone extended permit ip object vpn-phones 10.89.103.0 255.255.255.0
access-list vpnphone extended permit ip object vpn-phones object B-voice-network
access-list voice_nat0_outbound extended permit ip object-group clearchannel object vpn-phones
access-list voice_nat0_outbound extended permit ip 10.89.103.0 255.255.255.0 object vpn-phones
access-list voice_access_in extended deny ip 10.89.103.0 255.255.255.0 object-group MS-all-networks
access-list voice_access_in extended permit ip 10.89.103.0 255.255.255.0 any
access-list voice_access_in extended permit ip object B-voice-network object vpn-phones
access-list voice_access_in extended permit ip object-group clearchannel object vpn-phones
access-list voice_access_in extended permit ip object-group clearchannel object TASKGSRV
access-list outside_nat0_outbound_1 extended permit ip object vpn-phones object-group clearchannel
access-list outside_nat0_outbound_1 extended permit ip object vpn-phones 10.89.103.0 255.255.255.0
access-list sslvpn_client_callcopy extended permit ip object sslvpn-client-network object-group CALLCOPY
access-list sslvpn_client_callcopy extended permit object-group TCPUDP object sslvpn-client-network object-group sslvpn-dns-servers eq domain
access-list sslvpn_E extended permit ip object sslvpn-client-network object-group E-network
access-list outside_cryptomap_5 extended permit ip object skles03 object D-skles-cnx
access-list outside_cryptomap_5 extended permit ip object sslvpn-client-network object D-server-network
access-list inside_nat_static_3 extended permit tcp object demo.MS.net-internal eq 3389 any
access-list inside_nat_static_4 extended permit udp object demo.MS.net-internal eq 3389 any
access-list outside_access_in extended permit ip object sslvpn-client-network object-group MS-all-networks
access-list outside_access_in extended permit ip object-group MS-remote-networks 10.89.101.0 255.255.255.0
access-list outside_access_in extended permit ip object D-skles-cnx object skles03
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object sslvpn-client-network object-group MS-all-networks
access-list outside_access_in extended permit ip object sslvpn-client-network object-group E-network
access-list outside_access_in extended permit tcp any object files.MS.net-internal eq https
access-list outside_access_in remark Migration, ACE (line 6) expanded: permit object-group TCPUDP any host outside-nat-107.1.72.78 eq
access-list outside_access_in extended permit udp any object demo.MS.net-internal eq 3389
access-list outside_access_in extended permit tcp any object demo.MS.net-internal eq 3389
access-list outside_access_in remark Migration: End of expansion
access-list outside_access_in extended permit tcp object web-services-client object w2k3iis-01.internal eq 81
access-list outside_access_in extended permit tcp any object project.MS.net-internal object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit object MSSQL-DB any object obj-10.89.101.214
access-list outside_access_in extended permit udp object-group site-to-site-vpn-tunnel-peers interface outside eq isakmp
access-list outside_access_in extended permit object ipsec-nat-t object-group site-to-site-vpn-tunnel-peers interface outside
access-list outside_access_in extended permit ah object-group site-to-site-vpn-tunnel-peers interface outside
access-list outside_access_in extended permit esp object-group site-to-site-vpn-tunnel-peers interface outside
access-list outside_access_in extended permit ip object-group OFS 10.89.101.0 255.255.255.0 inactive
access-list outside_access_in extended permit object-group TCPUDP object-group OFS object-group sslvpn-dns-servers eq domain inactive
access-list outside_access_in extended permit tcp object-group OFS object ki-nas object-group windows-file-sharing inactive
access-list outside_access_in extended permit ip object vpn-phones object-group clearchannel
access-list outside_access_in extended permit ip object vpn-phones 10.89.103.0 255.255.255.0
access-list outside_access_in extended permit ip object vpn-phones object B-voice-network
access-list outside_access_in extended permit tcp object ofs-vpn-gateway 10.89.101.0 255.255.255.0 object-group DM_INLINE_TCP_1 inactive
access-list outside_access_in extended permit icmp object ofs-vpn-gateway 10.89.101.0 255.255.255.0 echo inactive
access-list outside_access_in remark Migration: End of expansion
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_cryptomap_6 extended permit ip 10.89.101.0 255.255.255.0 object B-internal-network
access-list outside_mpc extended permit tcp any object obj-x.x.72.76 eq 1433
access-list sslvpn_unrestricted remark D Network
access-list sslvpn_unrestricted standard permit 172.23.35.0 255.255.255.0
access-list sslvpn_unrestricted remark VPN
access-list sslvpn_unrestricted standard permit 192.168.0.0 255.255.255.0
access-list sslvpn_unrestricted remark Internal Network
access-list sslvpn_unrestricted standard permit 10.89.101.0 255.255.255.0
access-list sslvpn_split_MS standard permit 10.89.101.0 255.255.255.0
access-list sslvpn_split_MS standard permit 172.23.35.0 255.255.255.0
access-list sslvpn_split_MS standard permit 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 any 10.89.102.0 255.255.255.0 inactive
access-list ssltsi_remoterestriction remark Deny
access-list ssltsi_remoterestriction standard deny 10.89.101.0 255.255.255.0
access-list ssltsi_remoterestriction remark Remote Host
access-list ssltsi_remoterestriction standard permit host 10.89.101.217
pager lines 24
logging enable
logging buffer-size 1000000
logging buffered debugging
logging trap warnings
logging asdm informational
logging host inside 10.89.101.217 format emblem
mtu inside 1500
mtu voice 1500
mtu dmz 1500
mtu wireless 1500
mtu outside 1500
mtu management 1500
ip local pool sslvpn_ip_pool 172.23.36.1-172.23.36.100 mask 255.255.255.0
ip local pool vpnphone 10.89.103.193-10.89.103.254 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface voice
ip verify reverse-path interface wireless
ip verify reverse-path interface outside
ip verify reverse-path interface management
no failover
icmp unreachable rate-limit 1 burst-size 1

no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-10.89.101.0 obj-10.89.101.0 destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 route-lookup
nat (inside,outside) source static obj-10.89.101.0 obj-10.89.101.0 destination static sslvpn-client-network sslvpn-client-network route-lookup
nat (inside,any) source static obj-10.89.101.0 obj-10.89.101.0 destination static obj-10.89.102.0 obj-10.89.102.0 no-proxy-arp
nat (inside,voice) source static obj-10.89.101.0 obj-10.89.101.0 destination static obj-10.89.103.0 obj-10.89.103.0 no-proxy-arp
nat (inside,any) source static obj-10.89.101.0 obj-10.89.101.0 destination static K-network K-network no-proxy-arp
nat (inside,any) source static obj-10.89.101.0 obj-10.89.101.0 destination static clearchannel clearchannel no-proxy-arp
nat (inside,any) source static obj-10.89.101.0 obj-10.89.101.0 destination static OFS OFS no-proxy-arp inactive
nat (inside,outside) source static files.MS.net-internal outside-nat-107.1.72.78 service obj-tcp-source-eq-443 obj-tcp-source-eq-443
nat (inside,outside) source static w2k3iis-01.internal outside-nat-107.1.72.78 destination static web-services-client web-services-client service obj-tcp-source-eq-81 obj-tcp-source-eq-80
nat (inside,outside) source static demo.MS.net-internal outside-nat-107.1.72.78 service obj-tcp-source-eq-3389 obj-tcp-source-eq-3389
nat (inside,outside) source static demo.MS.net-internal outside-nat-107.1.72.78 service obj-udp-source-eq-3389 obj-udp-source-eq-3389
nat (inside,outside) source static project.MS.net-internal project.MS.net-external service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source static project.MS.net-internal project.MS.net-external service obj-tcp-source-eq-443 obj-tcp-source-eq-443
nat (inside,outside) source static obj-10.89.101.214 obj-10.89.101.214 service MSSQL-DB MSSQL-DB
nat (inside,dmz) source dynamic obj-10.89.101.0 interface destination static obj-172.23.33.0 obj-172.23.33.0
nat (voice,inside) source static clearchannel clearchannel destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (voice,inside) source static obj-10.89.103.0 obj-10.89.103.0 destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (voice,voice) source static clearchannel clearchannel destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (voice,voice) source static obj-10.89.103.0 obj-10.89.103.0 destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (voice,outside) source static clearchannel clearchannel destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (voice,outside) source static obj-10.89.103.0 obj-10.89.103.0 destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (voice,outside) source static B-voice-network B-voice-network destination static vpn-phones vpn-phones no-proxy-arp route-lookup
nat (outside,inside) source static vpn-phones vpn-phones destination static clearchannel clearchannel no-proxy-arp route-lookup
nat (outside,inside) source static vpn-phones vpn-phones destination static obj-10.89.103.0 obj-10.89.103.0 no-proxy-arp route-lookup
nat (outside,voice) source static vpn-phones vpn-phones destination static clearchannel clearchannel no-proxy-arp route-lookup
nat (outside,voice) source static vpn-phones vpn-phones destination static obj-10.89.103.0 obj-10.89.103.0 no-proxy-arp route-lookup
nat (outside,outside) source static vpn-phones vpn-phones destination static clearchannel clearchannel no-proxy-arp route-lookup
nat (outside,outside) source static vpn-phones vpn-phones destination static obj-10.89.103.0 obj-10.89.103.0 no-proxy-arp route-lookup
nat (outside,voice) source static vpn-phones vpn-phones destination static B-voice-network B-voice-network no-proxy-arp route-lookup
nat (outside,inside) source dynamic sslvpn-client-network interface destination static obj-10.89.101.0 obj-10.89.101.0
nat (outside,inside) source static project.MS.net-external obj-107.1.72.76 destination static obj-10.89.101.214 obj-10.89.101.214 service MSSQL-DB MSSQL-DB
nat (outside,outside) source static any any destination static sslvpn-client-network sslvpn-client-network route-lookup
nat (inside,outside) source static any any destination static sslvpn-client-network sslvpn-client-network no-proxy-arp route-lookup
nat (outside,outside) source static sslvpn-client-network sslvpn-client-network destination static D-server-network D-server-network no-proxy-arp route-lookup
!
object network obj-10.89.101.0
 nat (inside,outside) dynamic interface
object network sslvpn-client-network
 nat (outside,inside) dynamic interface
object network obj-10.89.103.0
 nat (voice,outside) dynamic interface
object network obj-10.89.102.0
 nat (wireless,outside) dynamic interface
object network obj-x.x.72.76
 nat (outside,inside) static obj-10.89.101.214 service tcp 1433 1433
 
access-group inside_access_in in interface inside
access-group voice_access_in in interface voice
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.72.65 1
route voice clearchannelnet1 255.255.255.0 10.89.103.1 1
route voice clearchannel1 255.255.255.255 10.89.103.1 1
route voice clearchannel2 255.255.255.255 10.89.103.1 1
route voice clearchannelnet2 255.255.255.0 10.89.103.1 1
route voice 10.89.100.0 255.255.255.0 10.89.103.1 1
route outside x.x.72.76 255.255.255.255 x.x.72.65 1


user-identity default-domain LOCAL
no user-identity inactive-user-timer
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp dmz
sysopt noproxyarp wireless
sysopt noproxyarp management

telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
ssh version 2
console timeout 5
management-access inside
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 50
dhcpd address 10.89.103.11-10.89.103.100 voice
dhcpd dns x.x.73.246 x.x.71.230 interface voice
dhcpd option 3 ip 10.89.103.1 interface voice
dhcpd option 242 ascii L2QVLAN=16,HTTPSRVR=10.81.14.10,MCIPADD=10.81.14.11 interface voice
dhcpd enable voice
!
dhcpd address 10.89.102.101-10.89.102.200 wireless
dhcpd dns 8.8.8.8 4.2.2.2 interface wireless
dhcpd option 3 ip 10.89.102.1 interface wireless
dhcpd enable wireless
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server ki-adc2 source inside prefer
ssl trust-point ASDM_TrustPoint4 outside
ssl trust-point ASDM_TrustPoint4 wireless

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options
  inspect pptp
  inspect sip
 class class-default
  user-statistics accounting
policy-map 1433-Allow
 class outside-class
  set connection conn-max 100 embryonic-conn-max 100
!
service-policy global_policy global


### Dell PowerConnect

vlan database
 vlan 22

interface ethernet g1
 switchport mode trunk
 switchport trunk allowed vlan add 22

interface ethernet g2
 switchport access vlan 22
SOLUTION
Please add the following:

icmp permit any Storage

That is what will allow you to ping the Storage interface's IP address from anything off that interface. You can do the same for other interfaces if you really want to. I thought you said you added that, but I'm not seeing it. Correct me if I'm wrong.

Also, add a security level to the Storage interface. Since you don't have an ACL applied to it, it will most likely block everything trying to go thru it, unless that is what you want, but then I'd add a security level of 0 anyway, or an explicit ACL, to ensure it blocks everything.
I did have it in there, sorry I didn't include that. Isn't a security level of 10 supposed to let a security level of 100 access? There are no ACLs for 10.89.102.2 (wireless).

packet-tracer input Storage tcp 10.95.22.1 4444 10.89.102.$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae338ad8, priority=1, domain=permit, deny=false
        hits=86, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Storage, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.89.102.2     255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xb02c8958, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.95.22.1, mask=255.255.255.255, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Storage, output_ifc=any

Result:
input-interface: Storage
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So, problem solved.  I swapped out the powerconnect for a catalyst and the trunk works :)

I just need to get the storage vlan to be able to go out the internet. I am successfully pinging the 10.95.22.1 ip on vlan 22 on the ASA.
I added my nat statements for that subnet and internet traffic is flowing :)

So at this point I would just create NAT statements and ACLs to allow traffic between VLANs?
OK, thanks for the sanity confirmation. I knew it had to be a trunking issue and not an ACL issue.

When it comes to allowing traffic THRU the firewall, there are mainly two rules to know.

1) No ACL applied to the interface (direction matters as well, but normally only inbound rules are applied) means security levels are used by default. High to low is allowed; if the levels are the same, then same-security-traffic inter-interface must be configured.
2) If interface ACLs are applied, then those matter.

Global ACLs change it a little, but unless you have a true need for them, stay away from them.

The second part is NAT. Yes, you need some type of translation rule. If one is not applied, no translation is done.
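A worked configuration that puts the two rules above, plus the earlier "icmp permit" advice for the Storage interface, into one place. This is an added example written for this page, not configuration posted by anyone in the thread; it follows the ASA 8.4 syntax of the posted config (boot image asa842). The object and ACL names (obj-10.95.22.0, Storage_access_in), the sample hosts (10.95.22.10, 10.89.101.50) and the choice of TCP 445 as the permitted inter-VLAN service are assumptions chosen for illustration.

```cisco
! Added example (not from the thread): finishing the Storage VLAN on the ASA.
! Assumes ASA 8.4 syntax and that Ethernet0/1 is an 802.1Q trunk carrying
! VLAN 22 tagged. Object/ACL names and host addresses are assumed.
!
! --- L2/L3: the physical trunk port has no nameif/IP; the subinterface does ---
interface Ethernet0/1
 no nameif
 no ip address
!
interface Ethernet0/1.22
 vlan 22
 nameif Storage
 security-level 100
 ip address 10.95.22.1 255.255.255.0
!
! --- To-the-box traffic: interface ACLs do not apply here ---
! Pinging 10.95.22.1 itself is governed by "icmp permit"; scoping it to the
! local subnet is tighter than "any".
icmp permit 10.95.22.0 255.255.255.0 Storage
!
! --- Rule 1: no ACL on Storage -> security levels decide ---
! Storage (100) and inside (100) are equal, so inter-interface must be
! permitted for them to talk; intra-interface only matters for traffic that
! re-enters the interface it arrived on.
same-security-traffic permit inter-interface
!
! --- Rule 2: an ACL applied to Storage takes over for traffic THRU the box ---
! Only the listed flows are allowed in from VLAN 22; anything not matched
! hits the implicit deny at the end of the ACL. Example policy, assumed.
access-list Storage_access_in extended permit tcp 10.95.22.0 255.255.255.0 10.89.101.0 255.255.255.0 eq 445
access-list Storage_access_in extended deny ip 10.95.22.0 255.255.255.0 10.89.0.0 255.255.0.0
access-list Storage_access_in extended permit ip 10.95.22.0 255.255.255.0 any
access-group Storage_access_in in interface Storage
!
! --- NAT: with no matching rule the flow passes untranslated ---
! Object NAT PATs VLAN 22 behind the outside address. It only matches when
! the egress interface is outside, so Storage<->inside stays untranslated.
object network obj-10.95.22.0
 subnet 10.95.22.0 255.255.255.0
 nat (Storage,outside) dynamic interface
!
! --- Verification ---
! packet-tracer simulates traffic THROUGH the box: aim it at a host on the
! far side, not at one of the ASA's own interface addresses.
packet-tracer input Storage tcp 10.95.22.10 40000 10.89.101.50 445 detailed
packet-tracer input Storage icmp 10.95.22.10 8 0 8.8.8.8 detailed
! Tagged frames that actually arrive on VLAN 22 show up as input packets
! on the subinterface; zero here points back at the switch trunk.
show interface Ethernet0/1.22
show run icmp
show nat detail
```

Apply either rule 1 or rule 2 depending on how much you want to restrict VLAN 22: with the access-group line present, the ACL governs inbound traffic from Storage and the security-level comparison no longer matters for that direction, but same-security-traffic is still needed for the two level-100 interfaces to communicate at all.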