topic Re: Problem communication between two private network Cisco ASA in Network Security

Problem communication between two private network Cisco ASA

Beaurr — Tue, 15 Feb 2022 14:05:05 GMT

hello,

I have an ASA

with 3 interfaces configured

INSIDE ( 10.40.1.0) on Gi/2
OUTSIDE ( 10.0.0.0) on Gi/1
BIO ( 10.0.2.0) on Gi/3

Interface 3 was added by me.

I want INSIDE and BIO to communicate in FTP and ICMP in both directions.

The ASA already had an outside interface. Communication between INSIDE and OUTSIDE works (for FTP and ICMP).
I didn't originally install the ASA. OUTSIDE is connected to a router (202). It was installed by an outside contractor because in addition to the PC there is a medical analyzer.
The ASA was installed and configured by a colleague a few years ago.
I was asked to install a 3rd subnet (10.0.2.0) and to communicate, in FTP and ICMP (in both directions) between INSIDE and BIO (no need for OUTSIDE and BIO to communicate).

I don't want to modify the already existing part between INSIDE and OUTSIDE, this one is in production and functional.

But the communications between INSIDE and BIO do not work.

For my test, Gi/3 (BIO) is connected directly to a computer with the following configuration:
10.0.2.10
255.255.255.0
10.0.2.254

The configuration :

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.0.1.254 255.255.255.0 standby 10.0.1.208
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.40.1.249 255.255.255.0 standby 10.40.1.208
!
interface GigabitEthernet1/3
nameif bio
security-level 50
ip address 10.0.2.254 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description LAN/STATE Failover Interface
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!

object network obj_any
subnet 0.0.0.0 0.0.0.0
object network DIPLABO
host 10.40.1.5
object network 10.0.0.201
host 10.0.0.201
object network 10.0.2.254
host 10.0.2.254
description Reseau BIO
object network 10.0.1.251
host 10.0.1.251
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object tcp destination eq ftp

access-list inside_access remark permission ftp diplabo vers automate
access-list inside_access extended permit tcp 10.40.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp
access-list inside_access remark Permission ping diplabo vers automate
access-list inside_access extended permit icmp 10.40.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_access remark Permission ping DIPLABO vers automate + PC1 et PC2 TEMPO
access-list inside_access extended permit ip 10.40.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list inside_access extended permit icmp 10.40.1.0 255.255.255.0 host 10.0.1.252
access-list inside_access extended permit icmp 10.40.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_access extended permit icmp 10.40.1.0 255.255.255.0 host 10.0.1.253
access-list inside_access extended permit object-group DM_INLINE_SERVICE_3 10.40.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list inside_access remark permission ftp diplabo == automate
access-list inside_access remark Permission ping diplabo == automate
access-list outside_access_in remark permission ftp automate == diplabo
access-list outside_access_in extended permit tcp 10.0.0.0 255.255.255.0 10.40.1.0 255.255.255.0 eq ftp
access-list outside_access_in remark permission ping automate == diplabo
access-list outside_access_in extended permit icmp 10.0.0.0 255.255.255.0 10.40.1.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.0.1.0 255.255.255.0 10.40.1.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.0.0.0 255.255.255.0 host 10.0.1.254
access-list outside_access_in remark permission ftp automate vers diplabo
access-list outside_access_in remark permission ping automate == diplabo
access-list inside_nat0_outbound extended permit ip object DIPLABO any4
access-list bio_access_in remark Accès reseau Biomerieux en PING + FTP pour diplabo
access-list bio_access_in extended permit object-group DM_INLINE_SERVICE_1 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list bio_access_in extended permit ip 10.0.2.0 255.255.255.0 10.40.1.0 255.255.255.0
....

arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,any) source static DIPLABO DIPLABO no-proxy-arp
!
object network obj_any
nat (any,outside) dynamic interface
!
access-group outside_access_in in interface outside
access-group inside_access in interface inside
access-group bio_access_in in interface bio
route inside 0.0.0.0 0.0.0.0 10.40.1.254 1
route outside 10.0.0.1 255.255.255.255 10.0.0.201 1
route outside 10.0.0.10 255.255.255.255 10.0.1.252 1
route outside 10.0.1.5 255.255.255.255 10.0.1.251 1
route inside 10.39.1.0 255.255.255.0 10.40.1.254 1
route inside 10.239.11.0 255.255.255.0 10.40.1.254 1

I'm not very familiar with that. Nate problem? Access List? Routing?

Thanks for your help

Re: Problem communication between two private network Cisco ASA

Rob Ingram — Tue, 15 Feb 2022 14:18:00 GMT

@Beaurr you are going to need a NAT exemption rule between your DMZ and INSIDE network.

Run packet-tracer from the CLI to simulate the traffic and provide the output for review.

You should also look to add the standby IP address to GigabitEthernet1/3.

Re: Problem communication between two private network Cisco ASA

Beaurr — Tue, 15 Feb 2022 14:57:07 GMT

packet-tracer input bio icmp 10.0.2.10 0 1 10.40.1.218

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.40.1.218 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group bio_access_in in interface bio
access-list bio_access_in extended permit ip 10.0.2.0 255.255.255.0 10.40.1.0 255.255.255.0
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 26530, packet dispatched to next module

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group bio_access_in in interface bio
access-list bio_access_in extended permit ip 10.0.2.0 255.255.255.0 10.40.1.0 255.255.255.0
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.40.1.218 using egress ifc inside

Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0050.56b6.0b27 hits 0 reference 1

Result:
input-interface: bio
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

packet-tracer input inside icmp 10.40.1.218 0 1 10.0.2.10

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.2.10 using egress ifc bio

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access in interface inside
access-list inside_access remark Permission ping DIPLABO vers automate + PC1 et PC2 TEMPO
access-list inside_access extended permit ip 10.40.1.0 255.255.255.0 10.0.2.0 255.255.255.0
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 26574, packet dispatched to next module

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access in interface inside
access-list inside_access remark Permission ping DIPLABO vers automate + PC1 et PC2 TEMPO
access-list inside_access extended permit ip 10.40.1.0 255.255.255.0 10.0.2.0 255.255.255.0
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.2.10 using egress ifc bio

Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address ecf4.bb21.ad98 hits 3 reference 1

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: bio
output-status: up
output-line-status: up
Action: allow

For the standby, there is currently only one ASA available. The other is down.

you are going to need a NAT exemption rule between your DMZ and INSIDE network.

Could you give me more details please?

Re: Problem communication between two private network Cisco ASA

Georg Pauwen — Tue, 15 Feb 2022 15:14:02 GMT

Hello,

I have come up with the below:

object network inside_10_40_1_0
subnet 10.40.1.0 255.255.255.0
!
object network bio_10_0_2_0
subnet 10.0.2.0 255.255.255.0
!
access-list DMZ_ACL extended permit icmp object bio_10_0_2_0 inside_10_40_1_0
access-list DMZ_ACL extended permit tcp object bio_10_0_2_0 inside_10_40_1_0 eq ftp
!
access-group DMZ_ACL in interface bio
!
nat (bio,inside) source static object bio_10_0_2_0 object bio_10_0_2_0 destination static inside_10_40_1_0 inside_10_40_1_0 no-proxy-arp route-lookup

Re: Problem communication between two private network Cisco ASA

MHM Cisco World — Tue, 15 Feb 2022 17:39:59 GMT

Your packet tracer command is wrong,

You select the interface as input then you must config source ip and finally desntaiotn ip.

You config firdt destination ip then source ip.

Please do it right again and share the output.

Re: Problem communication between two private network Cisco ASA

Beaurr — Tue, 15 Feb 2022 20:17:17 GMT

My knowledge is very limited on firewalling.

Could you give me the command line?

Re: Problem communication between two private network Cisco ASA

Beaurr — Wed, 16 Feb 2022 11:33:11 GMT

object network bio-network
subnet 10.0.2.0 255.255.255.0

object network inside-network
subnet 10.40.1.0 255.255.255.0

access-list DMZ_ACL extended permit icmp object bio-network object inside-network

access-list DMZ_ACL extended permit tcp object bio-network object inside-network eq ftp

access-group DMZ_ACL in interface bio

nat (bio,inside) after-auto source static bio-network bio-network destination static inside-network inside-network no-proxy-arp route-lookup (I generated the line via asdm, it added after auto).

unfortunately, it doesn't work. I launched a continuous PING from the pc 10.02.10 towards a pc in 10.40.1..

And, a continuous PING from a pc in 10.40.1.x to 10.0.2.10 and it does not work

Re: Problem communication between two private network Cisco ASA

MHM Cisco World — Wed, 16 Feb 2022 13:45:16 GMT

first you must config the ICMP inspection,

*policy-map global_policy

class inspection_default

inspect icmp

no need for ACL since the traffic initiate from High Security level "Inside" to low security level "DMZ"
Need NAT "without after-auto" since some ASA version do NAT for each traffic enter the Interface.

then try again ping.

Re: Problem communication between two private network Cisco ASA

Beaurr — Wed, 16 Feb 2022 15:43:29 GMT

Hello, thanks.

I have already this configuration :

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp

Security level is 100 for INSIDE

50 for DMZ(BIO)

I need it to work both ways

I regenerated the NAT rule

nat (bio,inside) source static bio-network bio-network destination static inside-network inside-network no-proxy-arp route-lookup

If i check the NAT rules in ASDM, I see the direction at both

AND...no ping from INSIDE to OUTSIDE

Re: Problem communication between two private network Cisco ASA

MHM Cisco World — Wed, 16 Feb 2022 21:48:43 GMT

that OK, since the ping is from the Inside to DMZ and reply from DMZ to Inside, and if there is ACL apply to DMZ then need ACL to permit the return reply to Inside.

access-list inbound permit icmp any any echo-reply
!

access-list inbound permit icmp any any time-exceeded
!

access-list inbound permit icmp any any unreachable
!
access-group inbound in interface DMZ