topic Re: ASA internal LAN connectivity in Network Security

ASA internal LAN connectivity

GrmOperations — Thu, 28 Mar 2019 00:20:52 GMT

I am new to ASAs, but I am trying to ensure connectivity between my internal LANs which hang off a subinterface. Any reason I am unable to ssh/ping 192.168.255.129 from the GreenNET network if the same security traffic is enabled?

interface Port-channel1.88
description MGMT
vlan 88
nameif MGMT
security-level 100
ip address 192.168.255.129 255.255.255.192
!
interface Port-channel1.89
vlan 89
nameif VM-MGMT
security-level 100
ip address 192.168.255.220 255.255.255.224
!
interface Port-channel1.1100
description GreenNET-Home Wi-Fi Network
vlan 1100
nameif GreenNET
security-level 100
ip address 192.168.0.254 255.255.255.252

show arp
outside 192.168.1.129 6038.e06e.6a67 12
outside 192.168.1.178 509e.a752.cf9e 80
outside 192.168.1.156 9801.a769.cb74 532
outside 192.168.1.132 f838.805f.2001 1001
outside 192.168.1.159 0004.4bb3.20d6 6124
outside 192.168.1.160 04e6.766e.1cce 12475
MGMT 192.168.255.131 f4a7.39c6.9181 727
MGMT 192.168.255.148 b07f.b947.d2fb 3508
GreenNET 192.168.0.253 9c3d.cf4d.2207 5606

C:\Users\J>ping 192.168.255.129

Pinging 192.168.255.129 with 32 bytes of data:
Control-C
^C
C:\Users\J>ping 192.168.255.131

Pinging 192.168.255.131 with 32 bytes of data:
Reply from 192.168.255.131: bytes=32 time=14ms TTL=63
Reply from 192.168.255.131: bytes=32 time=12ms TTL=63
Reply from 192.168.255.131: bytes=32 time=15ms TTL=63
Reply from 192.168.255.131: bytes=32 time=9ms TTL=63

Ping statistics for 192.168.255.131:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 9ms, Maximum = 15ms, Average = 12ms

C:\Users\J>ping 192.168.255.148

Pinging 192.168.255.148 with 32 bytes of data:
Reply from 192.168.255.148: bytes=32 time=13ms TTL=63
Reply from 192.168.255.148: bytes=32 time=12ms TTL=63
Reply from 192.168.255.148: bytes=32 time=8ms TTL=63
Reply from 192.168.255.148: bytes=32 time=57ms TTL=63

Ping statistics for 192.168.255.148:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 8ms, Maximum = 57ms, Average = 22ms

Re: ASA internal LAN connectivity

balaji.bandi — Thu, 28 Mar 2019 00:27:15 GMT

Do you have ICMP enabled (icmp permit any inside)? can you alsopost show run config from ASA.

Re: ASA internal LAN connectivity

Deepak Kumar — Thu, 28 Mar 2019 02:54:38 GMT

Hi,

Mentioned that reverify the same security level communication is enabled or not and ICMP is allowed or not?

ICMP permit inside any

Regards,

Deepak Kumar

Re: ASA internal LAN connectivity

GrmOperations — Thu, 28 Mar 2019 11:52:18 GMT

thanks i think that fixed it

Re: ASA internal LAN connectivity

GrmOperations — Thu, 28 Mar 2019 12:06:28 GMT

would i need to create an access list to allow ssh to the port1.88 interface from the port1.1100 interface? there is a ssh 0.0.0.0 0.0.0.0 MGMT configured, however SSH still fails from the port1.1100 interface

Re: ASA internal LAN connectivity

balaji.bandi — Thu, 28 Mar 2019 16:20:30 GMT

Glad that it worked, if ti resolved marked as resolve so it will be usefull for other community members.

Re: ASA internal LAN connectivity

GrmOperations — Thu, 28 Mar 2019 19:06:47 GMT

I am actually still experiencing the same issue. I was under the notion if same security was enabled I would not need an ACL to allow traffic between the subnets however I am still unable to ping/SSH between the networks. I am getting hits on the ACL I created but still no connectivity.

access-list GreenNet_C; 4 elements; name hash: 0xe5bb7708
access-list GreenNet_C line 1 extended permit tcp 192.168.0.252 255.255.255.252 object DeviceManagement (hitcnt=16) 0x4814b061
access-list GreenNet_C line 1 extended permit tcp 192.168.0.252 255.255.255.252 192.168.255.128 255.255.255.192 (hitcnt=16) 0x4814b061

MacBook:~ m $ ssh 192.168.255.129
^C
MacBook:~m $ ping 192.168.255.129
PING 192.168.255.129 (192.168.255.129): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- 192.168.255.129 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

Re: ASA internal LAN connectivity

Zamilnewbie — Thu, 28 Mar 2019 19:42:33 GMT

No need for ACL .It should ssh and ping.

another icmp solution is to add icmp to default policy-map or you can use this command

fixup protocol icmp

Re: ASA internal LAN connectivity

GrmOperations — Thu, 28 Mar 2019 20:27:57 GMT

unfortunately i still have no SSH/ICMP connectivity

Re: ASA internal LAN connectivity

balaji.bandi — Thu, 28 Mar 2019 20:43:50 GMT

Can you post full show run and logs to understand what is dropping.

Re: ASA internal LAN connectivity

GrmOperations — Fri, 29 Mar 2019 12:32:49 GMT

ASA Version 9.8(2)
!
hostname ASAPR1ME
enable password $sha512$5000
names

!
interface GigabitEthernet1/1
description uplink to ISP
speed 1000
duplex full
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.0
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
description physical link to EX2200 via ge-0/1/0
speed 1000
duplex full
channel-group 1 mode active
lacp port-priority 1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
description physical link to EX2200 via ge-0/1/1
speed 1000
duplex full
channel-group 1 mode active
lacp port-priority 1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description router-id
nameif router-id
security-level 100
ip address X.X.X.X 255.255.255.254
ospf message-digest-key 1 md5 *****
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface Port-channel1
description physical link to SW via ae0
speed 1000
duplex full
lacp max-bundle 3
no nameif
no security-level
no ip address
!
interface Port-channel1.88
description -MGMT
vlan 88
nameif -MGMT
security-level 100
ip address 192.168.255.129 255.255.255.192
ospf message-digest-key 1 md5 *****
!
interface Port-channel1.89
vlan 89
nameif -VM-MGMT
security-level 100
ip address 192.168.255.220 255.255.255.224
!
interface Port-channel1.1100
description GreenNET
vlan 1100
nameif GreenNET
security-level 100
ip address 192.168.0.254 255.255.255.252
!
banner login $(hostname)
banner login
banner login *****************************************************************************
banner login * C *
banner login * *
banner login * By accessing and using this system you are consenting to system *
banner login * monitoring for law enforcement and other purposes. Use of this *
banner login * system, unless authorized by Administrator, may subject you to criminal *
banner login * prosecution and penalties. *
banner login * *
banner login *****************************************************************************
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NetgearR8000P
host 192.168.0.253
object network EX2200
host 192.168.255.131
object network Cisco_2911
host 192.168.255.130
object network DeviceManagement
subnet 192.168.255.128 255.255.255.192
object network Netgear-ReadyNAS
host 192.168.255.148
object-group service LANBASICs
service-object tcp-udp destination eq domain
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq www
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq rtsp
service-object tcp destination eq smtp
service-object tcp destination eq telnet
service-object udp destination eq ntp
service-object tcp destination eq ssh
service-object tcp destination eq 993
service-object tcp destination eq 995
service-object tcp destination eq 465
service-object tcp destination eq 587
service-object udp destination eq isakmp
service-object udp destination eq 4500
object-group service OPENVPN_TCP_UDP_9009
service-object tcp-udp destination eq 9009
object-group service INSIDE_SERVICE_GROUPS
group-object LANBASICs
group-object OPENVPN_TCP_UDP_9009
object-group network _slash24
network-object 192.168.0.0 255.255.255.0
object-group network SSH_CLIENTS
network-object object EX2200
network-object object Cisco_2911
access-list OUT_C extended permit tcp any object-group SSH_CLIENTS eq ssh
access-list OUT_C extended permit tcp any object DeviceManagement
access-list OUT_C extended permit tcp any4 192.168.0.252 255.255.255.252 eq 9009
access-list GreenNet_C extended permit tcp 192.168.0.252 255.255.255.252 object DeviceManagement

pager lines 24
logging enable
logging timestamp
logging buffer-size 8000
logging console alerts
logging monitor debugging
logging buffered debugging
logging asdm errors
mtu outside 1500
mtu -MGMT 1500
mtu GreenNET 1500
mtu -VM-MGMT 1500
mtu router-id 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any -MGMT
icmp permit any GreenNET
icmp permit any -VM-MGMT
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network NetgearR8000P
nat (GreenNET,outside) static interface service tcp 9009 9009
object network EX2200
nat (-MGMT,outside) static interface service tcp ssh 22001
object network Cisco_2911
nat (-MGMT,outside) static interface service tcp ssh 22002
object network DeviceManagement
nat (-MGMT,outside) dynamic interface
!
nat (GreenNET,outside) after-auto source dynamic any interface
access-group OUT_C in interface outside

router ospf 7
router-id 9.175.50.6
network 9.175.50.6 255.255.255.255 area 0
network 9.175.50.6 255.255.255.254 area 0
network 192.168.0.252 255.255.255.252 area 1
network 192.168.255.128 255.255.255.192 area 0
area 0 authentication message-digest
log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 X.X.X.X
route GreenNET 192.168.0.0 255.255.255.128 192.168.0.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server WinServer16 protocol radius
aaa-server WinServer16 (-MGMT) host 192.168.0.55
key *****
user-identity default-domain LOCAL
aaa authentication ssh console WinServer16 LOCAL
aaa authentication http console WinServer16 LOCAL
aaa authentication enable console WinServer16 LOCAL
aaa accounting ssh console WinServer16
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 GreenNET
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh X.X.X.X 255.255.255.248 outside
sshX.X.X.X 255.255.255.0 outside
sshX.X.X.X 255.255.255.0 outside
sshX.X.X.X 255.255.248.0 outside
ssh 192.168.255.128 255.255.255.224 -MGMT
ssh 0.0.0.0 0.0.0.0 CCNPLAB-MGMT
ssh 192.168.0.252 255.255.255.252 -MGMT
ssh 0.0.0.0 0.0.0.0 GreenNET
ssh 0.0.0.0 0.0.0.0 -VM-MGMT
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username merit316 password $sha512$5000$lFCkF86Rbsi+8+Dwsk6c3w==$6k5V65L4GNG2VvsyzqXGSw== pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c12fce6001855c5d06ef5dc8823cbe0a
: end

Re: ASA internal LAN connectivity

GrmOperations — Sat, 30 Mar 2019 18:14:44 GMT

what logs should i provide?

Re: ASA internal LAN connectivity

GrmOperations — Tue, 02 Apr 2019 11:41:18 GMT

any feedback?