topic vlan problem in asa 5510 in Network Security

vlan problem in asa 5510

halooos111 — Mon, 11 Mar 2019 21:43:25 GMT

Hallo Community,

iam new in asa world so i need your help very much!!

i have to config a new vlan(its name vlan220, ip: x.x.220.0/24), vlan220 must have internet and should communicate with another vlan(its name vlan200, ip: x.x.200/24).

in ASDM device setup > interfaces i confg the vlan220 so i have now the following:

Ethernet0/1.200 security level 50 and

Ethernet0/1.220 security level 50

but i dont know how to go on so that the 2 vlans can communicat and vlan220 to get internet!!!

can somebody help me?

is there maybe a step by step guide?

Thank you very much

Best regards Tony

vlan problem in asa 5510

Maykol Rojas — Fri, 28 Oct 2011 05:44:32 GMT

Hi Tony,

Well first thing is that you will need to check a box on the Acess rules section that says "Allow traffic to flow between same security interfaces" or something like that. Then Two static rules and two dynamic rules. I can easily drop the commands here, but it seems like you want to have it via ASDM.

What version are you using on the ASA firewall? (ASA code). Depending on that, the syntax on the commands changes, and it looks different on ASDM too.

Mike

vlan problem in asa 5510

varrao — Fri, 28 Oct 2011 05:49:59 GMT

Hi Tony,

Its very difficult to tell you how to do it from the ASDM, but if you ask me the equivalent CLUI commands, those would be:

nat (vlan220) 5 0.0.0.0 0.0.0.0

global (outside) 5 interface

outside should be the name of your internet facing interface.

for inter-vlan access:

same-security-traffic permit inter-interface

static (vlan220,vlan200) xx.xx.xx.220 xx.xx.xx.220

static (vlan200.vlan220) xx.xx.xx.200 xx.xx.xx.200

If you still wanna go for the ASDM, you cna refer this guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/nat_82.html

Moreover you can google and find some youtube videos as well, that woudl certainly help.

Thanks,

Varun

vlan problem in asa 5510

halooos111 — Fri, 28 Oct 2011 06:20:01 GMT

i have asa version 8.2(1), ASDM Version 3.2(1)

vlan problem in asa 5510

varrao — Fri, 28 Oct 2011 06:47:17 GMT

it must be ASDM 6.2.1, here's the guide for it:

http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/nat.html

Thanks,

Varun

Re: vlan problem in asa 5510

Maykol Rojas — Fri, 28 Oct 2011 06:54:05 GMT

Hi Tony,

Basically what you can do (and this is something that I do particulary) is to paste configuration on the command line and then take a look at it on the ASDM, then you can guide yourself doing the rest, for example. To communicate with the two DMZs you need to check the box on the Firewall Rules section.

Then you will need to configure the nat, so, lets say for example that one of your DMZs (DMZ1 sec level 50) is 10.10.10.0/24 and the other is (DMZ2 sec level 50) 20.20.20.0/24

You dont really need to translate this networks to any other IP, so basically you can configure a NAT statement that will translate those IPs to the same ones. You can drop this lines on the CLI build in on the ASDM (Make sure you select Multiple lines)

These will be the lines that you need

static (DMZ1,DMZ2) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Click on send, then go to the NAT rules section and see the line there, click on edit and check how it was configured by the ASDM, now the only thing you need to do is to create another one but from DMZ2 going to DMZ1 and with the network 20.20.20.0.

For the Internet access it will be the following on the CLI of the ASDM (Again multiple Lines and assuming you have an interface connected to the outside with 1 public IP to access the internet, the name is outside and it has security level of 50 or less)

nat (DMZ1) 1 0 0

global (outside) 1 interface

That will translate the internal DMZ1 subnet to the outside IP address of the firewall doing a PAT. Now you can go back to the NAT rules and check how that was created.

Let me know if you have any doubts.

Mike

vlan problem in asa 5510

halooos111 — Fri, 28 Oct 2011 06:57:03 GMT

i can also try with CLUI copmmands!!

vlan problem in asa 5510

Maykol Rojas — Fri, 28 Oct 2011 07:05:06 GMT

Nice Tony,

Give it a try and if you have issues let me know.

Mike.

vlan problem in asa 5510

halooos111 — Fri, 28 Oct 2011 08:54:38 GMT

hey Mike thank u for helping , i did what u told me, i have in the NAT rules:

on DMZ1 side:

type: static source: DMZ1 interface: DMZ2 Adress DMZ1

on the DMZ2 side:

type: static source: DMZ2 interface: DMZ1 Adress DMZ2

type: Dynamic source: any interface: outside Adress outside

but i dont have internet on DMZ2, and the 2 DMZ donot communicate

what shall i also do

Tony

vlan problem in asa 5510

cadet alain — Fri, 28 Oct 2011 10:05:19 GMT

Hi Tony,

What tests did you do and which failed?

Post following outputs:

-sh route

-sh run nat

-sh run global

-sh run static

-sh run | i same-security

Regards.

Alain

Re: vlan problem in asa 5510

halooos111 — Fri, 28 Oct 2011 11:11:41 GMT

-sh route:

C x.x.x.0 255.255.255.0 is directly connected, DMZ2

C y.y.y.0 255.255.255.0 is directly connected, DMZ1

S 192.168.253.1 255.255.255.255 [1/0] via 217.5.98.6, outside

S* 0.0.0.0 0.0.0.0 [1/0] via 217.5.98.6, outside

-sh run nat

nat (DMZ1) 0 access-list DMZ1_nat0_outbound

nat (DMZ1) 1 y.y.y.0 255.255.255.0

nat (DMZ2) 1 x.x.x.0 255.255.255.0

-sh run global

global (outside) 1 interface

-sh run static

static (DMZ1,outside) tcp interface www access-list DMZ1_nat_static

static (DMZ1, DMZ2) y.y.y.0 y.y.y.0 netmask 255.255.255.0

static (DMZ2, DMZ1) x.x.x.0 x.x.x.0 netmask 255.255.255.0

-sh run | i same-security

same-security-traffic permit intra-interface

and when i make packet tracer from DMZ2 to DMZ1 port 80 on interface DMZ2

i get the packet is dropped (see attachment)

Tony

vlan problem in asa 5510

varrao — Fri, 28 Oct 2011 11:39:46 GMT

HI Tony,

You have the wrong command added, you need to add this:

same-security-traffic permit inter-interface

Hope that helps.

Thanks,

Varun

vlan problem in asa 5510

halooos111 — Fri, 28 Oct 2011 12:19:30 GMT

cooooool,

i can access DMZ1 fom DMZ2,

but on DMZ2 i still have no internet

Tony

vlan problem in asa 5510

cadet alain — Fri, 28 Oct 2011 12:45:07 GMT

Hi,

What do you mean by no internet on DMZ2 ? you're trying to get to internet from DMZ2? Isn't it the contrary you want that is port forward some services on DMZ2 for hosts on the internet?

Anyway NAT config for DMZ2 to internet is ok as well as the routing so you must investigate ACLs:

Can you post: sh access-list and sh run access-group

Alain.

vlan problem in asa 5510

halooos111 — Fri, 28 Oct 2011 13:08:05 GMT

i want also that clients in dmz2 to have internet

vlan problem in asa 5510

cadet alain — Fri, 28 Oct 2011 14:07:01 GMT

Hi,

Can you post: sh access-list and sh run access-group

And the packet tracer output for this communication, is the ASA directly connected to the internet or is there a router?

Alain.

Re: vlan problem in asa 5510

halooos111 — Sat, 29 Oct 2011 06:04:27 GMT

the asa is directly connected to internet

sh access-list

access-list DMZ2_nat0_outbound; 1 elements; name hash: 0xe670bc2b

access-list DMZ2_nat0_outbound line 1 extended permit ip x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0 (hitcnt=0) 0xe5ee4ebd

access-list DMZ2_access_in; 3 elements; name hash: 0x6faec76d

access-list DMZ2_access_in line 1 extended permit icmp x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0 (hitcnt=1501) 0x0cbd4f33

access-list DMZ2_access_in line 2 extended permit tcp x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0 eq www (hitcnt=79) 0xc68228fc

access-list DMZ2_access_in line 3 remark Implicit rule

access-list DMZ2_access_in line 4 extended permit tcp x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0 eq domain (hitcnt=2) 0x76a21af6

sh run access-group

access-group inside_access_in in interface inside

access-group DMZ1_access_in in interface DMZ1

access-group outside_access_in in interface outside

access-group DMZ2_access_in in interface DMZ2

how can i also permint traffic between 2vlans with different security level because my boss told me yesterday in the afternoon that dmz2 may have security level 90, and the traffic between the 2 DMZ shall be controlled through the aceess lists! in NAT rule i changed the static one to NAT Exempions is this right what i changed?

Tony

vlan problem in asa 5510

cadet alain — Sat, 29 Oct 2011 12:48:07 GMT

Hi,

By default NAT-control is disabled so it's not mandatory to do NAT for traffic flowing from a high security level to a low security level.So you can delete all nat entries for traffic between the 2 DMZs and just leave the NAT for each DMZ to outside.

You can then apply ACLs inbound or outbound to permit/deny traffic between the 2 DMZs

Now concerning the DMZ2 not going to internet:

DMZ2_access_in ACL applied inbound is the same as the NAT 0 ACL that is permitting traffic between 2 subnets but then with the explicit deny at the end deny traffic from DMZ2 to internet.

As DMZ2 has a higher security level than internet all you have to do for traffic from DMZ2 to internet is just inspect icmp and nothing else unless you wanted some type of traffic to be denied.

So modify this ACL to permit specific traffic to internet and for icmp just inspect icmp in service-policy.

As this DMZ will have level 90 and the other level 50, you won't need any ACL for traffic from DMZ2 to DMZ1 and return traffic but you'll need one for traffic from DMZ1 to DMZ2.

Alain.

vlan problem in asa 5510

halooos111 — Mon, 07 Nov 2011 11:03:37 GMT

hallo People,

thank you very much for your help, you solved my problrm

Tony