ASA 5506 issue

wwbarnes — Sat, 22 Feb 2020 07:34:38 GMT

I have a very simple configuration; however, the two same security level interfaces cannot talk to each other. I have had a TAC case open for 2+ weeks and I’m at the point of frustration. Should I blow the configuration away and try again? Everything I read says that I have the command to be able to talk between the two same security interfaces, but it doesn’t work. Did NAT/PAT mess up? I’m hoping someone can help me solve this one, and if not, does write erase effect any of my firepower lic.?

thanks

: Saved

: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

ASA Version 9.8(1)

hostname BillsASAhome

enable password $

names

interface GigabitEthernet1/1

nameif outside

security-level 0

ip address dhcp setroute

interface GigabitEthernet1/2

nameif insidewired

security-level 100

ip address 192.168.1.1 255.255.255.0

interface GigabitEthernet1/3

nameif eeroWIFI

security-level 100

ip address 192.168.7.2 255.255.255.0

interface GigabitEthernet1/4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet1/5

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet1/6

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet1/7

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet1/8

shutdown

nameif

security-level 100

ip address dhcp setroute

interface Management1/1

management-only

no nameif

no security-level

no ip address

boot system disk0:/asa981-lfbff-k8.SPA

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object udp

protocol-object tcp

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object udp

service-object tcp

service-object udp destination eq www

access-list eeroWIFI_access_in remark test

access-list eeroWIFI_access_in extended permit object-group DM_INLINE_SERVICE_1 any object obj_any

access-list eeroWIFI_access_in extended permit object-group TCPUDP any4 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu eeroWIFI 1500

mtu eeroWifi2 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-781.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 16384

object network obj_any

nat (any,outside) dynamic interface

nat (eeroWIFI,outside) after-auto source dynamic any interface

access-group eeroWIFI_access_in in interface eeroWIFI

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

aaa authentication login-history

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

service sw-reset-button

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpoint _SmartCallHome_ServerCA

no validation-usage

crl configure

crypto ca trustpool policy

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a

183f685c f2424a85 3854835f d1e82cf2 ac11d6a8 ed636a

quit

telnet timeout 5

no ssh stricthostkeycheck

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

dhcp-client client-id interface eeroWifi2

dhcpd auto_config outside

dhcpd address 192.168.1.5-192.168.1.254 inside

dhcpd enable inside

dhcpd address 192.168.7.10-192.168.7.254 eeroWIFI

dhcpd enable eeroWIFI

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

service call-home

call-home reporting anonymous

call-home

contact-email-addr william.w.barnes2.ctr@mail.mil

profile CiscoTAC-1

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:6288f85add5f4cd8595239f3d0fcb1be

: end

Re: ASA 5506 issue

GRANT3779 — Tue, 22 Aug 2017 14:30:52 GMT

Have you tested by removing the ACL you have attached Inbound on the wifi interface? Test connectivity by removing it.
no access-group eeroWIFI_access_in in interface eeroWIFI
Should traffic be able to flow freely between the Interfaces?
Either way, you will know if it is the ACL causing problems and can then look at tweaking it.

Re: ASA 5506 issue

wwbarnes — Tue, 22 Aug 2017 15:33:43 GMT

I will try that tonight, thank you!

Re: ASA 5506 issue

wwbarnes — Tue, 22 Aug 2017 16:07:40 GMT

Also, yes, goal on this one is for traffice to flow freely between both interfaces.

Re: ASA 5506 issue

wwbarnes — Tue, 22 Aug 2017 23:05:39 GMT

OK, that did nothing to help, but at least it was a try. I still can ping nothing or reach anything from one subnet to the other.

Re: ASA 5506 issue

wwbarnes — Tue, 22 Aug 2017 23:36:11 GMT

hold the phone, I can now ping other equipment on the eeroWIFI. I think we have it, not sure why it took a min to work, but it's working. I'll try agin in morning and make sure.

Thanks

Re: ASA 5506 issue

wwbarnes — Wed, 23 Aug 2017 13:29:13 GMT

We are good to go, thank you! We can close this one.

Re: ASA 5506 issue

GRANT3779 — Wed, 23 Aug 2017 14:21:42 GMT

Hi,
Glad you have it working.
You can accept the answer as the solution via the discussion. This will mark it as answered.
Thanks

topic ASA 5506 issue in Network Security

ASA 5506 issue

Re: ASA 5506 issue

Re: ASA 5506 issue

Re: ASA 5506 issue

Re: ASA 5506 issue

Re: ASA 5506 issue

Re: ASA 5506 issue

Re: ASA 5506 issue