topic ASA intra-interface communication in Network Security

ASA intra-interface communication

stephilewis — Mon, 11 Mar 2019 18:24:48 GMT

I have three interfaces configured, outside, inside and dhcp. The IP for the inside is 10.10.220.101 and dhcp is 10.10.230.1, with same−security−traffic permit intra−interface configured but still not able to communicate between interfaces. The error I receive from packet-tracer is (acl-drop) flow is denied by configured rule.

Re: ASA intra-interface communication

Collin Clark — Thu, 12 Aug 2010 15:47:55 GMT

The flow drop usually means a NAT is missing. You need NAT when you go from a lower security interface to a higher one. The same−security−traffic permit intra−interface command is used when two interfaces have the same security level. Here's a helpful link.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml#Same

Hope it helps

Re: ASA intra-interface communication

stephilewis — Thu, 12 Aug 2010 15:55:16 GMT

both interfaces have security level 100

Re: ASA intra-interface communication

Collin Clark — Thu, 12 Aug 2010 16:02:06 GMT

What do your logs say?

Re: ASA intra-interface communication

Jitendriya Athavale — Thu, 12 Aug 2010 17:21:23 GMT

you will need same-security-traffic permit inter-interface

intra interface is used when the traffic is entering and exiting from the same interface

here you have 2 different interfaces so you will need inter interface which mean traffic between same security level but on different interfaces

also what code are you running and lastly paste the output of packet tracer if it still doesnt work

Re: ASA intra-interface communication

stephilewis — Thu, 12 Aug 2010 18:05:03 GMT

Yes you are correct I did change from intra to inter, using 7.2.

Re: ASA intra-interface communication

stephilewis — Thu, 12 Aug 2010 18:29:43 GMT

edge# packet-tracer input inside icmp 10.10.220.101 8 0 10.10.230.101 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x37f0288, priority=1, domain=permit, deny=false

hits=2085041387, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.10.230.101 255.255.255.255 identity

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x3802b20, priority=500, domain=permit, deny=true

hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.10.220.101, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Re: ASA intra-interface communication

Collin Clark — Thu, 12 Aug 2010 18:34:16 GMT

Can you post the ACL and the access group?

Re: ASA intra-interface communication

stephilewis — Thu, 12 Aug 2010 18:58:36 GMT

heres my running

edge(config-if)# show run

: Saved

ASA Version 7.2(3)

hostname edge

domain-name xxxxxx

enable password sh3Lt8bNBi5BmLfG encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 10.10.220.101 255.255.255.0

ospf cost 10

interface Vlan2

nameif outside

security-level 0

ip address xx.xx.xx.xx 255.255.255.240

ospf cost 10

interface Vlan4

nameif LANDHCP

security-level 100

ip address 10.10.230.1 255.255.255.0

interface Vlan22

description LAN Failover Interface

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

switchport access vlan 4

interface Ethernet0/6

switchport access vlan 3

interface Ethernet0/7

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name benetech.org

same-security-traffic permit inter-interface

access-list outside_access_in extended permit tcp any host xx.xx.xx.xx

access-list outside_access_in extended permit gre any any

access-list outside_access_in extended permit tcp any interface outside eq smtp log debugging

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in extended permit tcp any interface outside eq pptp log warnings

access-list outside_access_in extended permit tcp any interface outside eq 99

access-list outside_access_in extended permit tcp any interface outside eq 722 log

access-list outside_access_in extended permit tcp any interface outside eq 822 log

access-list outside_access_in extended permit tcp any interface outside eq 922 log

access-list outside_access_in extended permit tcp any interface outside eq www inactive

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in extended permit tcp any interface outside eq ftp-data

access-list outside_access_in extended permit tcp any interface outside eq 622

access-list outside_access_in extended permit icmp any interface outside

access-list LAN_access_in extended permit ip any any

access-list inside_access_out extended deny tcp 10.10.220.128 255.255.255.128 any eq smtp log warnings

access-list inside_access_out extended deny udp any eq 4000 any log warnings

access-list inside_access_out extended permit ip any any

access-list WLAN extended permit ip any any

access-list WLAN_access_in extended permit ip any any

access-list WLAN_access_in extended permit udp any any

pager lines 24

logging enable

logging emblem

logging asdm-buffer-size 512

logging buffered informational

logging trap informational

logging asdm informational

logging mail informational

logging from-address asa5505@xxxx

logging recipient-address xxxx level errors

logging host inside 10.10.220.69 17/1470 format emblem

logging permit-hostdown

mtu inside 1500

mtu outside 1500

mtu LANDHCP 1500

no failover

failover lan unit primary

failover lan interface BFailover Vlan22

failover key *****

failover interface ip BFailover 172.1.1.1 255.255.255.0 standby 172.1.1.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (inside) 1 interface

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 822 10.10.220.21 822 netmask 255.255.255.255

static (inside,outside) tcp interface 722 10.10.220.18 722 netmask 255.255.255.255

static (inside,outside) tcp interface 922 10.10.220.29 922 netmask 255.255.255.255

static (inside,outside) tcp interface www 10.10.220.19 www netmask 255.255.255.255

static (inside,outside) tcp xx.xx.xx.xx ftp-data 10.10.220.67 ftp-data netmask 255.255.255.255

static (inside,outside) tcp interface ftp 10.10.220.67 ftp netmask 255.255.255.255

static (inside,outside) tcp interface 622 10.10.220.21 622 netmask 255.255.255.255

static (inside,outside) tcp interface 99 10.10.220.24 99 netmask 255.255.255.255

static (inside,outside) xx.xx.xx.xx 10.10.220.4 netmask 255.255.255.255

static (inside,outside) xx.xx.xx.xx 10.10.220.23 netmask 255.255.255.255

access-group inside_access_out out interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 10.10.220.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ca trustpoint newbroot

crl configure

telnet timeout 5

ssh timeout 5

ssh version 2

console timeout 0

dhcpd dns 10.10.220.23

dhcpd domain benetech.local

dhcpd auto_config outside

dhcpd option 3 ip 172.16.30.100

class-map inspection_default

match default-inspection-traffic

class-map pptp-port

match port tcp eq pptp

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map type inspect dns benetech_dns_map

description Remove 512 byte size restriction

parameters

message-length maximum 1024

no protocol-enforcement

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

policy-map pptp_policy

class pptp-port

inspect pptp

service-policy global_policy global

service-policy pptp_policy interface outside

ntp server xx.xx.xx.xx source outside

tftp-server inside 10.10.220.69 asa-5505-primary.conf

webvpn

csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg

csd enable

username scott password rj0sFMSN.wCXUz0C encrypted privilege 15

username ryan password esjVcPBkxKv5/kd4 encrypted privilege 15

smtp-server 10.10.220.50 10.10.220.12

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command uauth

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

Cryptochecksum:08ce842567f3902a3dd22fe93b0ddc0d

: end

edge(config-if)#

Re: ASA intra-interface communication

Collin Clark — Thu, 12 Aug 2010 21:13:24 GMT

Can you create an ACL with permit ip any any and apply it to the dhcp interface? I don't remember if an ACL is needed between same security interfaces. This will just be a quick test.

access-list dhcp_access extended permit ip any any

access-group dhcp_access in interface LANDHCP

Re: ASA intra-interface communication

stephilewis — Thu, 12 Aug 2010 21:19:44 GMT

what is dhcp_access

Re: ASA intra-interface communication

stephilewis — Thu, 12 Aug 2010 21:25:17 GMT

I take it you ment landhcp_access

Re: ASA intra-interface communication

Collin Clark — Thu, 12 Aug 2010 21:28:10 GMT

You can name the access list anything you like, I just named it dhcp_access.

Re: ASA intra-interface communication

stephilewis — Thu, 12 Aug 2010 21:32:07 GMT

ok i completed the task i am permitting all ip traffic both ways without success, oddly enough from the workstation i cannot ping the gateway which is the landhcp interface. from the console i can ping the landhcp but not past this.

Re: ASA intra-interface communication

Collin Clark — Thu, 12 Aug 2010 21:34:25 GMT

Can you run the packet trace with the ACL applied and post the results?

Re: ASA intra-interface communication

stephilewis — Thu, 12 Aug 2010 21:46:29 GMT

I am heading out for the day but will run one tomorrow and post

Thank you,

Re: ASA intra-interface communication

stephilewis — Fri, 13 Aug 2010 18:06:32 GMT

edge(config)# packet-tracer input inside icmp 10.10.220.101 8 0 10.10.200.105 $

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.200.0 255.255.255.0 LANDHCP

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3802b20, priority=500, domain=permit, deny=true
        hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.220.101, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: LANDHCP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

edge(config)#

in id=0x3802b20, priority=500, domain=permit, deny=true
        hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.220.101, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

edge(config)# packet-tracer input inside icmp 10.10.220.101 8 0 10.10.200.1 de$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.200.1 255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3802b20, priority=500, domain=permit, deny=true
        hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.220.101, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

edge(config)# packet-tracer input inside icmp 10.10.200.1 8 0 10.10.200.105 de$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.200.0 255.255.255.0 LANDHCP

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4273218, priority=2, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x37f35b0, priority=0, domain=permit-ip-option, deny=true
        hits=37898762, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x37f5180, priority=66, domain=inspect-icmp-error, deny=false
        hits=196678, user_data=0x37f50b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any LANDHCP any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x42cb620, priority=1, domain=nat, deny=false
        hits=0, user_data=0x426a0e8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Re: ASA intra-interface communication

Nagaraja Thanthry — Fri, 13 Aug 2010 19:08:37 GMT

Hello,

You are missing NAT statements between inside and LANDHP. Please configure

identity NAT between the interfaces:

static (inside,LANDHCP) 10.10.220.0 10.10.220.0 netmask 255.255.255.0

static (LANDHCP,inside) 10.10.230.0 10.10.230.0 netmask 255.255.255.0

This should allow communication between the inside and LANDHCP interfaces.

Hope this helps.

Regards,

Re: ASA intra-interface communication

stephilewis — Fri, 13 Aug 2010 19:32:59 GMT

I am still getting the following, also I cannot ping from a node on the 10.10.220.0 network to 10.10.200.1 which is the interface on the asa.

packet-tracer input inside icmp 10.10.220.101 8 0 10.10.200.1 de$

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (LANDHCP,inside) 10.10.200.0 10.10.200.0 netmask 255.255.255.0

match ip LANDHCP 10.10.200.0 255.255.255.0 inside any

static translation to 10.10.200.0

translate_hits = 3, untranslate_hits = 34

Additional Information:

NAT divert to egress interface LANDHCP

Untranslate 10.10.200.0/0 to 10.10.200.0/0 using netmask 255.255.255.0

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x3802b20, priority=500, domain=permit, deny=true

hits=10, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.10.220.101, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: LANDHCP

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

edge(config)#

Re: ASA intra-interface communication

Nagaraja Thanthry — Fri, 13 Aug 2010 19:38:37 GMT

Hello,

First of all, you cannot ping an interface IP from workstations connected to

a different interface. The firewall natively blocks that traffic for

security reasons.

I see from your packet tracer that you are trying to ping 10.10.200.1 IP. I

am not seeing that IP in your configuration (may be I am missing something).

Can you please post your current running configuration here?

Regards,