Cisco ASA not routing


I have 3 networks on my ASA: internals = 10.0.1.x and 10.0.9.x, with a guest network on 192.168.x.x

I want the 2 internal networks to be able to communicate with each other ... (obviously I want the guest network to be totally separate and not have any inter-network communication)

I have tried loads of commands but I can't seem to get the 10.0.9.x network to pass traffic to 10.0.1.x and vice versa

PLEASE can anyone help!!!

I tried with this but it didn't work:

access-list server_access extended permit ip host
access-list server_access extended permit ip any any
access-group server_access in int linnaeus
access-list linnaeus_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
nat (linnaeus) 0 access-list linnaeus_nat0_outbound
access-list linnaeus_server_access extended permit ip host
access-list linnaeus_server_access extended permit ip any any
access-group linnaeus_server_access in int inside

Below is the original config:

interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 22
interface Ethernet0/3
interface Ethernet0/4
switchport access vlan 12
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address
interface Vlan12
nameif public-wifi
security-level 100
ip address
interface Vlan22
nameif linnaeus
security-level 100
ip address
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name willows.local
object-group network EPA
description Email Systems IP Ranges
network-object EPA3
network-object EPA1
network-object EPA2
network-object EPA9
network-object EPA10
network-object EPA11
network-object EPA12
network-object EPA4
network-object EPA8
network-object EPA5
network-object EPA6
network-object EPA7
object-group service RDP tcp
description Remote Desktop
port-object eq 3386
object-group service VNC tcp
description VNC Viewer
port-object eq 3386
port-object eq 3387
port-object eq 3388
port-object eq 3389
object-group network Fuji
network-object host FUJI2
network-object host FUJI
network-object host FUJI3
network-object host curtis
object-group network EPA-LDAP
description LDAP auth for EPA
network-object host
network-object host
network-object host
network-object host
network-object host
network-object ldaps-1
network-object LDAPS-2
network-object LDAPS-3
network-object LDAPS-4
network-object MIKETEST
object-group service rdp2 tcp
group-object RDP
port-object eq 3385
port-object eq https
object-group service r3389 tcp
port-object eq 3389
object-group service https_and_6001 tcp
port-object eq 6001
port-object eq 6002
port-object eq 6003
port-object eq 6004
port-object eq https
object-group service fujIrequest tcp
port-object eq 2837
port-object eq 2861
port-object eq 2876
port-object eq 2898
port-object eq 3011
port-object eq 3030
port-object eq 5900
port-object eq 3387
object-group service oayrollpc tcp
description payrollpc
port-object eq 3375
object-group service port1433 tcp
port-object eq 1433
object-group service port1433single
service-object tcp eq 1433
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp eq www
service-object tcp eq https
access-list outside_access_in remark Allow SMTP access from EPA
access-list outside_access_in extended permit tcp object-group EPA host eq smtp
access-list outside_access_in remark Allow LDAPS access from EPA
access-list outside_access_in extended permit tcp object-group EPA-LDAP eq ldaps
access-list outside_access_in extended permit tcp object-group EPA-LDAP eq ldap inactive
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any host object-group r3389
access-list outside_access_in extended permit tcp any host object-group r3389
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any
access-list outside_access_in remark VPN
access-list outside_access_in extended permit gre any
access-list outside_access_in remark Fuji RDP access to Synapse Server
access-list outside_access_in extended permit ip object-group Fuji
access-list outside_access_in remark GE
access-list outside_access_in extended permit udp host host eq isakmp
access-list outside_access_in extended permit tcp any eq pptp
access-list outside_access_in extended permit gre any host
access-list outside_access_in extended permit tcp any object-group fujIrequest
access-list outside_access_in extended permit tcp any object-group oayrollpc inactive
access-list outside_access_in extended permit tcp any host object-group port1433 inactive
access-list outside_access_in extended permit tcp any eq 1433
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound remark VLAN6
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip any
access-list outside_2_cryptomap extended permit ip
access-list public-wifi_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu public-wifi 1500
mtu linnaeus 1500
ip local pool VPN mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
nat (public-wifi) 1
nat (linnaeus) 1
static (inside,outside) tcp 3389 WillowsTS 3389 netmask
static (linnaeus,outside) tcp 3389 3389 netmask
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group public-wifi_access_in in interface public-wifi
route outside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http inside
http inside
http inside

Start with permitting same-security traffic. For you, this should probably be inter-interface as opposed to intra-interface.

Also, I don't think you need an ACL on the interfaces to allow this traffic, but if you put an acl on the interface for something else, you might need to permit interface to interface traffic so that you don't hit the implicit deny all at the end of the ACL. Be careful of NAT as well to make sure you don't translate traffic between those interfaces.

Thanks - this does not work (this was my 1st plan)...
Looks like an ASA 5505? On base license or security plus license? Can you send a show version output? Also, you might consider updating your firmware to something more current. Looks like you're using firmware pre 8.3.x.

What you're asking to do should be as simple as making sure the two internal VLANs are set with the same security level and then add the same-security-traffic permit inter command.

How is routing being handled from end device to end device? If two end hosts use the ASA as a default gateway, your configuration and possibly the addition of the same-security command should work. However, if one end host has a default gateway of an L3 switch, and the other host uses the ASA, we could experience asymmetric routing. This could happen if the L3 switch also has both subnets configured for the end hosts in question. In one direction, the host goes to the L3 switch, and that will route traffic directly to the other host. The opposite direction, however, would first go to the ASA, then to the L3 switch.

Also, I don't see a nat exemption for traffic going between those interfaces. The exemption needs to happen both directions.

The Cisco ASA platform uses "same-security-traffic" to replace the need for NAT/ACLs in cases like these. There is likely a license issue on the ASA or something irregular about how the present older firmware handles this function.

I think if this were the base license, putting in a third interface would require you to add the command 'no forward interface X'.

Regardless, the author can fill us in on the license level and we'll know if this is an issue.
We are on an old version of firmware but I don't have the login to get the newer firmware...

The show ver presents this:
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

WILLOWS-FW up 20 days 11 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

 0: Int: Internal-Data0/0    : address is 5087.899f.1bec, irq 11
 1: Ext: Ethernet0/0         : address is 5087.899f.1be4, irq 255
 2: Ext: Ethernet0/1         : address is 5087.899f.1be5, irq 255
 3: Ext: Ethernet0/2         : address is 5087.899f.1be6, irq 255
 4: Ext: Ethernet0/3         : address is 5087.899f.1be7, irq 255
 5: Ext: Ethernet0/4         : address is 5087.899f.1be8, irq 255
 6: Ext: Ethernet0/5         : address is 5087.899f.1be9, irq 255
 7: Ext: Ethernet0/6         : address is 5087.899f.1bea, irq 255
 8: Ext: Ethernet0/7         : address is 5087.899f.1beb, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 20, DMZ Unrestricted
Inside Hosts                   : Unlimited
Failover                       : Active/Standby
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 2        
Total VPN Peers                : 25        
Dual ISPs                      : Enabled  
VLAN Trunk Ports               : 8        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled  
AnyConnect for Cisco VPN Phone : Disabled  
AnyConnect Essentials          : Disabled  
Advanced Endpoint Assessment   : Disabled  
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled  

This platform has an ASA 5505 Security Plus license.

Serial Number: JMX1826Z0Q4
Running Activation Key: 0xbc1cc444 0x401d91bb 0x9c22a9bc 0x91c0ccf4 0xce2c38b9
Configuration register is 0x3
Configuration last modified by admin at 18:54:59.846 GMT/BDT Thu Sep 1 2016

Any idea how I can get the latest version?
Is that a full config?

Please remove the config you put in the first post, enable same security traffic communication (same-security-traffic permit inter-interface).

1. Start a continuous ping from 10.0.9.x to 10.0.1.x (substitute x in the last octet with the live host's on both networks).
2. Open ASDM, go to Monitoring, logging and make sure logging level is debugging and click view. In filter by enter the source IP address 10.0.9.x and then click filter.
Do you see the traffic from 10.0.9.x?
Is it being denied? Passed through? What do the messages say?
If you don't see the traffic then you need to check your routing.

packet-tracer shows that it's hitting the global NAT and dropping, which is unexpected behavior. The next step is to get this ASA on more current firmware. That's what the author is working on.

I would like to see either logs or the result from the packet tracer. With nat-control, communication between interfaces with the same security level is allowed without NAT.
In the original post, there was a blurb about some attempted ACLs, and then the original configuration was posted. Could we get a current [scrubbed] running config? Also, post the results of running two packet tracer commands, replacing the x's with IP's of two valid hosts:

packet-tracer input inside icmp 10.0.1.x 8 0 10.0.9.x
packet-tracer input linnaeus icmp 10.0.9.x 8 0 10.0.1.x

packet-tracer is showing the packet dropped by the global NAT appropriate to each interface when running from both networks. There is nothing from a configuration standpoint that should be causing this. This is an unexpected behavior and likely a bug in the firmware. The author is set to upgrade the firmware to 9.2.x asap, and then test again.

You shouldn't view the commands you implemented as a workaround; they are necessary for the setup to work. This is due to how NAT is handled on older firmware.

nat (inside) 1

That command tells the firewall that all traffic from the inside interface should be translated to:

global (outside) 1 interface

That means that all traffic is translated to the public ip address regardless of where it is routed to. This is expected behavior.

In the newer versions you can also easily designate the destination, giving you more granular control.

The behavior is therefore expected, and the bit you put in with the nat0 access-lists tells the firewall to bypass NAT for that type of traffic.

Regarding DHCP, you shouldn't worry about it. DHCP uses broadcasts and is therefore filtered out by the firewall when trying to cross zones. You don't need to do anything to prevent it.
On newer firmware, I don't believe you would have had to enter that NAT configuration.

Your global dynamic NAT would be something like:

object network NET_INSIDE
object network NET_LINNAEUS
object network NET_INSIDE
 nat (inside,outside) dynamic interface
object network NET_LINNAEUS
 nat (linnaeus,outside) dynamic interface

All you'd need to do is issue the same-security-traffic permit inter-interface, and since both trusted LANs are security level 100 there would be nothing else to do.

It's a much easier, cleaner way of managing things, in my opinion, which is why I was motivating you to update the system software.
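One check worth running before issuing same-security-traffic permit inter-interface, added here as an example and not part of the thread: the posted config puts public-wifi at security-level 100 as well, behind an ACL that permits ip any any, so the same command that joins inside and linnaeus would also let the guest VLAN reach both trusted LANs unless its inbound ACL is tightened. The script below parses a constructed config modelled on the posted one (scrubbed addresses left out) and reports which interface pairs the command joins and whether the guest rides along; function names and the sample are assumptions.

```python
import re

# Constructed sample shaped like the posted config (its addresses are scrubbed).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan12
 nameif public-wifi
 security-level 100
interface Vlan22
 nameif linnaeus
 security-level 100
access-list public-wifi_access_in extended permit ip any any
access-group public-wifi_access_in in interface public-wifi
"""

def parse_asa(config):
    """nameif->security-level, nameif->bound ACL, ACLs with 'permit ip any any', flag."""
    levels, acl_on, any_any, cur, same_sec = {}, {}, set(), None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            cur = line.split()[1]
        elif line.startswith("security-level ") and cur:
            levels[cur] = int(line.split()[1])
        elif line == "same-security-traffic permit inter-interface":
            same_sec = True
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            acl_on[m.group(2)] = m.group(1)
        elif m := re.match(r"access-list (\S+) extended permit ip any any$", line):
            any_any.add(m.group(1))
    return levels, acl_on, any_any, same_sec

def audit(config, guest):
    """Interface pairs that 'permit inter-interface' joins, and whether guest is one."""
    levels, acl_on, any_any, same_sec = parse_asa(config)
    names = sorted(levels)
    pairs = [(a, b) for i, a in enumerate(names)
             for b in names[i + 1:] if levels[a] == levels[b]]
    guest_pairs = [p for p in pairs if guest in p]
    # No bound ACL means the implicit permit for same-security traffic applies;
    # a bound ACL that says 'permit ip any any' is just as open.
    guest_open = guest not in acl_on or acl_on[guest] in any_any
    return {"inter_interface": same_sec, "same_security_pairs": pairs,
            "guest_pairs": guest_pairs, "guest_acl_open": guest_open,
            "guest_reaches_peers": same_sec and guest_open and bool(guest_pairs)}
```

Run audit() against the real running config with the guest nameif; a non-empty guest_pairs list means the guest interface needs a deny toward the trusted subnets in its inbound ACL (or a lower security level) before inter-interface traffic is enabled.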