topic Re: why unable to access low security level interface? in Network Security

why unable to access low security level interface?

weichenyang06928 — Tue, 03 Sep 2019 07:51:17 GMT

asa firewall, inside interface,security level 100, test interface,security level 40.

there is no access list on test interface.

depend on default rule, level 100 can access level 40.

why unable to access?

thanks

Re: why unable to access low security level interface?

Seb Rupik — Tue, 03 Sep 2019 08:08:18 GMT

Hi there,

Since your didn't specify, does the inside interface have an inbound ACL configured on it?

cheers,

Seb.

Re: why unable to access low security level interface?

weichenyang06928 — Tue, 03 Sep 2019 08:43:46 GMT

inside level 100:192.168.10.0,dmz level 50:192.168.100.0, test level 40:192.168.0.0

there is acl:

access-list split extended permit ip 192.168.10.0 255.255.255.0 any

access-list split extended permit ip 192.168.100.0 255.255.255.0 any

access-list split extended permit ip 192.168.0.0 255.255.255.0 any

is this inbound acl?

but,no apply to inside interface(no access-group)

there is dmz, security level 50, inside can access dmz,but unable access security level 40.

Re: why unable to access low security level interface?

Seb Rupik — Tue, 03 Sep 2019 09:16:20 GMT

An ACL with the name 'split' sounds like it will be used for remote access VPN.

Can you confirm if devices connected to the test interface are receiving packets from he inside interface? Do the devices on the test subnet have the correct subnet mask and gateway address?

Re: why unable to access low security level interface?

weichenyang06928 — Tue, 03 Sep 2019 09:24:09 GMT

ip local pool vpnpool 10.10.10.1-10.10.10.254

!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif Test
security-level 40
ip address 192.168.0.1 255.255.255.0

object network pool
subnet 192.168.0.0 255.255.0.0

object network 192.168.0.11-9802
host 192.168.0.11
object network 192.168.0.11-9803
host 192.168.0.11
object network 192.168.0.11-9804
host 192.168.0.11
object network 192.168.100.88-8999
host 192.168.100.88

access-list Outside-in extended permit tcp any host 192.168.0.11 eq 9802
access-list Outside-in extended permit tcp any host 192.168.0.11 eq 9803
access-list Outside-in extended permit tcp any host 192.168.0.11 eq 9804
access-list Outside-in extended permit tcp any host 192.168.100.88 eq 8999

object network 192.168.0.11-9802
nat (Test,Outside) static interface service tcp 9802 9802
object network 192.168.0.11-9803
nat (Test,Outside) static interface service tcp 9803 9803
object network 192.168.0.11-9804
nat (Test,Outside) static interface service tcp 9804 9804
object network 192.168.100.88-8999
nat (DMZ,Outside) static interface service tcp 8999 8999

nat (Inside,Outside) after-auto source dynamic any interface
nat (Test,Outside) after-auto source dynamic any interface
access-group Outside-in in interface Outside

thanks!

Re: why unable to access low security level interface?

Karsten Iwen — Tue, 03 Sep 2019 09:29:37 GMT

Based on what you write (and don't write; you never say what exactly does not work) I assume that you are just doing a wrong test. Are you trying to access the IP of the ASA-interface Test from inside? That will not work by design on the ASA. Use real traffic (like something based on TCP) to a host on the test interface.

Re: why unable to access low security level interface?

bhargavdesai — Tue, 03 Sep 2019 11:02:10 GMT

You can always run the Packet Tracer to see what is blocking traffic. Packet Tracer is available in ASDM and you can also run it from CLI.

You can search for Packet Tracer.

Bhaggu

Re: why unable to access low security level interface?

weichenyang06928 — Wed, 04 Sep 2019 06:45:35 GMT

packet tracer

from 192.168.10.26, in inside network

to 192.168.0.181,in test network,why destination is outside?

Re: why unable to access low security level interface?

bhargavdesai — Thu, 05 Sep 2019 06:43:37 GMT

It seems that your Gig 0/3 (TEST) is not up or having some issue. Can your post the output of

Show route

Show int ip brief

Show nameif

Sorry for delayed response.

Bhaggu

Re: why unable to access low security level interface?

weichenyang06928 — Thu, 05 Sep 2019 07:10:20 GMT

bhargavdesaith,thanks

test interface is up, public ip can access host which in test network.(port forward).

please see attach file

Re: why unable to access low security level interface?

bhargavdesai — Thu, 05 Sep 2019 09:16:07 GMT

Can you post packet tracer log from SSH session. Moreover is there any Firepower PBR or other thing is picture.

packet-tracer input Inside tcp 192.168.10.26 12345 192.168.0.181 9804 detailed

We need to know that is causing the destination to be on OUTSIDE rather than more specific TEST interface.

Bhaggu.

Re: why unable to access low security level interface?

weichenyang06928 — Thu, 05 Sep 2019 09:38:49 GMT

object network vpndest1
subnet 192.168.0.0 255.255.255.0

there is definition in asa

nat (DMZ,Outside) source static vpnsource vpnsource destination static vpndest1

Re: why unable to access low security level interface?

bhargavdesai — Thu, 05 Sep 2019 09:51:53 GMT

According to the output the below rule may be causing issue.

nat (Inside,Outside) source static vpnsource1 vpnsource1 destination static vpndest1 vpndest1

Can you just share full configuration or try disabling the above NAT rule.

Bhaggu

Re: why unable to access low security level interface?

weichenyang06928 — Fri, 06 Sep 2019 01:51:22 GMT

bhargavdesai,

thanks for you help!

i disable nat rule

nat (Inside,Outside) source static vpnsource1 vpnsource1 destination static vpndest1 vpndest1

everything is fine.

Re: why unable to access low security level interface?

bhargavdesai — Fri, 06 Sep 2019 03:12:47 GMT

Great that the solution worked for you.
I would request you to give proper credit by selecting response as answered and helpful so that it motivate and encourage to contribute to community.

Bhaggu