topic ASA5510, same-securitiy-level vlan routing ? in Network Security

ASA5510, same-securitiy-level vlan routing ?

spydertec_2 — Mon, 11 Mar 2019 20:51:01 GMT

Hello

I'm facing a problem with two vlans.

Each vlan has internet access by NAT.

In each vlan there is at least one server, who should be accessible

from the other vlan and vice versa.

The function "same-security-traffic permit inter-interface" doesn't work,

because NAT control is in place - so an expert.

Some experts told me it's not possible to route back out the same interface,

and also not route back out the seperate subinterfaces as well.

So what's true ?

Is it possible, to get access from both vlan, to the servers in both vlan ?

And if yes, please can somebody give me an hint to a working solution ?

BR, Harry

ASA5510, same-securitiy-level vlan routing ?

Jennifer Halim — Mon, 27 Jun 2011 01:17:26 GMT

Sure can, you just have to configure static NAT for each of the VLAN:

Here we go:

static (vlan1,vlan2) 192.168.6.0 192.168.6.0 netmask 255.255.255.0

static (vlan1,vlan4) 192.168.6.0 192.168.6.0 netmask 255.255.255.0

static (vlan1,vlan10) 192.168.6.0 192.168.6.0 netmask 255.255.255.0

static (vlan1,vlan11) 192.168.6.0 192.168.6.0 netmask 255.255.255.0

static (vlan2,vlan4) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (vlan2,vlan10) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (vlan2,vlan11) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (vlan10,vlan11) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

The above static commands are bi-directional, so you don't have to configure the static for the other way round.

Just have to make sure that the access-list applied to each interface allows access.

ASA5510, same-securitiy-level vlan routing ?

spydertec_2 — Mon, 27 Jun 2011 23:11:30 GMT

Hello Jennifer,

thanks for your quick answer.

When I apply those static NAT commands by ASDM, I get the following error for each of them:

ERROR: mapped-address conflict with existing static

So I did by also by CLI - with no error

And here the ACL for vlan 1 and vlan 11:

access-list vlan1_access_in_1 extended permit ip any any

access-list vlan11_access_in_1 extended permit ip any any

access-group vlan1_access_in_1 in interface vlan1

access-group vlan11_access_in_1 in interface vlan11

I alos allowed icmp to all vlans - but nothing happened - what did i wrong ?

ASA5510, same-securitiy-level vlan routing ?

Jennifer Halim — Mon, 27 Jun 2011 23:18:29 GMT

Can you also please share the latest running conifg, and advise where you are trying to ping from and to?

Please also ensure that the host doesn't have Windows firewall, or any other host firewall that might be blocking inbound access.

ASA5510, same-securitiy-level vlan routing ?

spydertec_2 — Tue, 28 Jun 2011 05:52:24 GMT

I'm trying to ping from vlan11 (192.168.1.2) tp vlan1 (192.168.6.1)

The firewalls on the access hosts are off.

esult of the command: "sh run"

: Saved
:
ASA Version 8.2(2)
!
hostname ASAHY
enable password encrypted
passwd encrypted
names
name 192.168.6.1 SRV1
name 192.168.1.2 SRV2
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address 255.255.255.255 pppoe
!
interface Ethernet0/1
nameif inside
security-level 100
no ip address
!
interface Ethernet0/1.1
vlan 1
nameif vlan1
security-level 100
ip address 192.168.6.6 255.255.255.0
!
interface Ethernet0/1.2
vlan 2
nameif vlan2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1.4
vlan 4
nameif vlan4
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/1.10
vlan 10
nameif vlan10
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.11
vlan 11
nameif vlan11
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif Management
security-level 100
ip address 172.16.3.1 255.255.255.0
management-only
!

ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service NATvlan10
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
service-object tcp eq pop3
service-object tcp eq smtp
service-object udp eq 21
service-object udp eq 20
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp unreachable
service-object icmp time-exceeded
object-group service NATvlan11
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
service-object tcp eq pop3
service-object tcp eq smtp
service-object udp eq 21
service-object udp eq 20
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp unreachable
service-object icmp time-exceeded
object-group service NATvlan2
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
service-object tcp eq pop3
service-object tcp eq smtp
service-object udp eq 21
service-object udp eq 20
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp unreachable
service-object icmp time-exceeded
object-group service NATvlan4
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
service-object tcp eq pop3
service-object tcp eq smtp
service-object udp eq 21
service-object udp eq 20
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp unreachable
service-object icmp time-exceeded
object-group service NATvlan1
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
service-object udp eq 21
service-object udp eq 20
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp unreachable
service-object icmp time-exceeded
object-group network DataWebShop
description Direct to Access
network-object Data1 255.255.255.0
network-object host Data3
network-object host Data2
access-list insidevlan10 extended permit object-group NATvlan10 192.168.10.0 255.255.255.0 any
access-list insidevlan11 extended permit object-group NATvlan11 192.168.1.0 255.255.255.0 any
access-list insidevlan2 extended permit object-group NATvlan2 192.168.2.0 255.255.255.0 any
access-list insidevlan4 extended permit object-group NATvlan4 192.168.4.0 255.255.255.0 any
access-list insideACL6 extended permit object-group NATvlan1 192.168.6.0 255.255.255.0 any
access-list insideACL6 extended permit ip 192.168.6.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list insideACL6 extended permit udp 192.168.6.0 255.255.255.0 object-group DataWebShop eq 443
access-list 100 extended permit ip 192.168.6.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list TrafficEnc extended permit ip 192.168.6.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list servicesACL extended permit tcp any host eq 3390
access-list servicesACL extended permit udp object-group DataWebShop host SRV1 eq 443
access-list NATvlan2 extended permit ip 192.168.2.0 255.255.255.0 any
access-list NATvlan4 extended permit ip 192.168.4.0 255.255.255.0 any
access-list NATvlan10 extended permit ip 192.168.10.0 255.255.255.0 any
access-list NATvlan11 extended permit ip 192.168.1.0 255.255.255.0 any
access-list NATvlan1 extended permit ip 192.168.6.0 255.255.255.0 any
access-list vlan1_access_in_1 extended permit ip any any
access-list vlan11_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu vlan1 1500
mtu vlan11 1500
mtu vlan2 1500
mtu vlan4 1500
mtu vlan10 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 1 192.168.110.0 255.255.255.0
nat (vlan1) 0 access-list 100
nat (vlan1) 1 access-list NATvlan1
nat (vlan11) 1 access-list NATvlan11
nat (vlan2) 1 access-list NATvlan2
nat (vlan4) 1 access-list NATvlan4
nat (vlan10) 1 access-list NATvlan10
static (vlan11,outside) tcp interface 3390 Druesberg 3389 netmask 255.255.255.255
static (vlan1,outside) tcp interface ftp-data SRV1 ftp-data netmask 255.255.255.255
static (vlan1,outside) udp interface 443 SRV1 443 netmask 255.255.255.255
static (vlan1,vlan2) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (vlan1,vlan4) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (vlan1,vlan10) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (vlan1,vlan11) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (vlan2,vlan4) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (vlan2,vlan10) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (vlan2,vlan11) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (vlan10,vlan11) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group servicesACL in interface outside
access-group vlan1_access_in_1 in interface vlan1
access-group vlan11_access_in_1 in interface vlan11
access-group insidevlan2 in interface vlan2
access-group insidevlan4 in interface vlan4
access-group insidevlan10 in interface vlan10
route outside 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 3
http server enable
http 172.16.3.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map newmap 10 match address TrafficEnc
crypto map newmap 10 set peer
crypto map newmap 10 set transform-set myset
crypto map newmap 10 set nat-t-disable
crypto map newmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 28800
telnet 192.168.6.0 255.255.255.0 vlan1
telnet timeout 5
ssh 255.255.255.255 outside
ssh 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname
vpdn group ISP ppp authentication chap
vpdn username password store-local
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 212.90.197.226 source outside prefer
webvpn
username password encrypted privilege 15
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end

ASA5510, same-securitiy-level vlan routing ?

Jennifer Halim — Tue, 28 Jun 2011 08:56:56 GMT

Yes, that should be allowed as per the configuration.

Also, just confirming that those hosts only have 1 NIC, and its default gateway is set to its corresponding ASA interfaces?

ie: for host 192.168.1.2, subnet mask is 255.255.255.0 and the default gateway is 192.168.1.254?

for host 192.168.6.1, subnet mask is 255.255.255.0 and default gateway is 192.168.6.6?

Can you please try from other hosts?

ASA5510, same-securitiy-level vlan routing ?

spydertec_2 — Tue, 28 Jun 2011 16:06:46 GMT

Hi Jennifer,

thanks for your quick answer.

There must be something wrong with those static NAT statements, because after I've typed in those, I can't access the

Internet anymore - on all Vlans.

I can't see the reason - do you have an idea for this behavior ?

ASA5510, same-securitiy-level vlan routing ?

spydertec_2 — Wed, 29 Jun 2011 21:10:49 GMT

Hi Jennifer,

as I've tested configuration I realized that I can't ping vlan 1 (192.168.6.6) from the L3-switch attached to the ASA.

As I moved the Config to vlan 6 -it worked again.

The main issue, the routing still doesn't work.

I can't access resources on other vlans.

Please can you have a look again ?

Harry

ASA5510, same-securitiy-level vlan routing ?

Jennifer Halim — Thu, 30 Jun 2011 08:01:14 GMT

What is the L3 switch that is attached to the ASA has as its ip address? Does it have any interface vlan ip address?

What vlan and what ip address of the L3 switch are you trying to ping the ASA from?

What do you mean by you moved the config to vlan 6? what do you move and where?

The configuration looks correct. All NATing has been completed that allows the communicate between VLANs.

Can you please try communication between all VLANs and advise which works and which doesn't? You can't ping the ASA interfaces from the opposite interfaces, so that test will always fail if you are testing that.

Eg: you can't ping from host in VLAN 1 towards ASA VLAN 6 interface.

You can only ping from host in VLAN 1 towards ASA VLAN 1 interface.

If you test to ping, please test from host to host, not pinging any ASA interfaces. Please also try to application apart from ping.

At this point, the config looks ok, but you might need to troubleshoot hop by hop where it's failing because it doesn't seem to be a config issue at this stage.

ASA5510, same-securitiy-level vlan routing ?

spydertec_2 — Thu, 30 Jun 2011 22:11:14 GMT

Hello Jennifer,

thanks again for answering.

Your explanations lights up the things !

****

Just a few explanations to my statements above:

At eth0 of the ASA there is a L3-switch on Gig 0/1 directly connected.

The Gig 0/1 is in trunking mode. Vlan 1 has the IP 192.168.6.9

Every Access devices (th two servers) are in a vlan on this switch or behind this switch.

At the L3 - switch I've a VTP domain behind, for which the L3 - switch is accting as a VTP server.

From this L3 - switch (console) I was trying to ping the vlan 1 of ASA and this didn't worked.

So I took the decision to test the behavior by moving the interface config and the attached rules of the ASA to vlan 6.

After this step I was able to ping from 192.168.6.9 (Vlan 1 L3 - switch) to the vlan of the ASA.

At this point i still don't understand why it doeasn't work with vlan 1

****

Anyway, I'll try to ping and share/mount folders from other vlans.

I'll come back.

Thanks by your clarifying explanations

ASA5510, same-securitiy-level vlan routing ?

Jennifer Halim — Sat, 02 Jul 2011 11:49:43 GMT

That seems odd, because there is no VLAN 6 on the ASA. It's odd how you move the inferface configuration to vlan 6 and it works by pinging to vlan 1?

Do you mean you move the config as follows on the switch:

Initially:

interface vlan1

ip address 192.168.6.9 255.255.255.0

Then you move it to:

interface vlan6

ip address 192.168.6.9 255.255.255.0

Doesn't make sense since there is no VLAN 6 on the ASA, or do you also move the ASA config to:

interface Ethernet0/1.1

vlan 6

nameif vlan1

security-level 100

ip address 192.168.6.6 255.255.255.0

Does vlan 1 happen to be the native vlan on the switch?

ASA5510, same-securitiy-level vlan routing ?

spydertec_2 — Sat, 02 Jul 2011 12:38:54 GMT

I'm sorry for the confusions.

I have created a Vlan 6 on the ASA and also on the Switch.

The Vlan 1 now is the native Vlan.

actualy it looks like this:

interface Ethernet0/1.11

vlan 11

nameif vlan11

security-level 100

ip address 192.168.1.254 255.255.255.0

no shut

interface Ethernet0/1.2

vlan 2

nameif vlan2

security-level 100

ip address 192.168.2.1 255.255.255.0

no shut

interface Ethernet0/1.4

vlan 4

nameif vlan4

security-level 100

ip address 192.168.4.1 255.255.255.0

no shut

interface Ethernet0/1.6

vlan 6

nameif vlan6

security-level 100

ip address 192.168.6.6 255.255.255.0

no shut

interface Ethernet0/1.10

vlan 10

nameif vlan10

security-level 100

ip address 192.168.10.1 255.255.255.0

no shut

with this config in place, I'm now able to ping from the switch 6.9 to the ASA on 6.6 and vice versa.

Before when the same config was on vlan 1, I couldn't ping like this.

That sounds odd to me too.

As you said above it should work with the access-list - at least to ping between the two

hosts on vlan 6 and 11:

access-list vlan1_access_in_1 extended permit ip any any

access-list vlan11_access_in_1 extended permit ip any any

access-group vlan1_access_in_1 in interface vlan1

access-group vlan11_access_in_1 in interface vlan11

I'm thinking about to upgrade the current IOS to 8.4X ... and to create the config on a new base.

Do you see any mistake in the config above ?

ASA5510, same-securitiy-level vlan routing ?

Jennifer Halim — Sun, 03 Jul 2011 03:23:40 GMT

No, the config looks absolutely fine to me.

I would upgrade to the latest version of 8.2.x.

Just FYI, version 8.3 and above has new changes to NAT, so it's completely different to version 8.2 or below. You might want to take a look at those NAT section first prior to upgrading to 8.4.x.