04-30-2014 11:58 AM - edited 03-11-2019 09:08 PM
I have an ASA5510. I configured an Outside, 1 DMZ and 2 interfaces at security level 100 (Outside1 and Inside). I can ping and have fluid traffic between the DMZ and the Inside interface, but I don't have any kind of traffic between the DMZ and Outside1. I wrote the same configuration for both security level 100 interfaces. Also, I have connected a Cisco 892 router to Outside1. When I attach a computer instead of the 892, traffic between Outside1 and the DMZ is fluid. I need to have fluid traffic between the networks connected to the 892.
Can someone help me? Here are the 2 configs:
ASA5510:
: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name a.b.c
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.y.z.162 255.255.255.248
!
interface Ethernet0/1
nameif Outside1
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 10
ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit tcp host 172.16.31.2 any eq domain
access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
access-list dmz_in extended permit tcp host 172.16.31.2 any eq https
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host x.y.z.163 eq smtp
access-list 100 extended permit udp any host x.y.z.163 eq domain
access-list 100 extended permit tcp any host x.y.z.163 eq https
access-list 100 extended permit tcp any host x.y.z.163 eq www
access-list 100 extended permit tcp any host x.y.z.163 eq 3000
access-list 100 extended permit tcp any host x.y.z.163 eq 1000
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Outside1 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 192.168.0.22 Outside
icmp permit 192.168.0.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Outside1
icmp permit 172.16.31.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 DMZ
icmp permit 192.168.2.0 255.255.255.0 Inside
icmp permit 192.168.0.0 255.255.255.0 Inside
icmp permit 172.16.31.0 255.255.255.0 Inside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside1) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) x.y.z.163 172.16.31.0 netmask 255.255.255.255
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
static (DMZ,Outside1) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.2.0 172.1.2.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.3.0 172.1.3.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Outside1,DMZ) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 x.y.z.161 20
route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.2.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.3.0 255.255.255.0 192.168.2.2 1
route Outside1 192.1.0.0 255.255.192.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7441424d1fcf87c3eb837b569e84aa9e
: end
Cisco 892:
Current configuration : 3296 bytes
!
! Last configuration change at 01:15:13 UTC Tue Apr 29 2014 by eguerra
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterHQFCH
!
boot-start-marker
boot-end-marker
!
!
enable secret 4
!
no aaa new-model
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1580540949
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1580540949
revocation-check none
rsakeypair TP-self-signed-1580540949
!
!
crypto pki certificate chain TP-self-signed-1580540949
certificate self-signed 01
quit
license udi pid C892FSP-K9 sn FTX180484TB
!
!
username servicios privilege 15 password 7
username eguerra privilege 15 password 7
!
!
!
!
!
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
switchport access vlan 2
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address 172.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet9
ip address 172.1.2.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
ip address 192.168.100.200 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip route 172.16.31.0 255.255.255.0 192.168.2.1
ip route 192.168.0.0 255.255.255.0 192.168.2.1
!
!
!
control-plane
!
!
!
line con 0
password 7
login
no modem enable
line aux 0
line vty 0 4
password 7
login local
transport input all
!
scheduler allocate 20000 1000
!
end
Thanks in advance
05-14-2014 02:22 PM
FYI, we got this working!
Please mark this as answered!
04-30-2014 01:22 PM
The routes on the ASA that use Outside1 are set to your router's VLAN1 address at 192.168.2.2. Can you confirm that you can ping that address when your ASA is connected to the router?
04-30-2014 02:05 PM
When I add the following line on the 892 I can ping from the ASA:
access-list 101 permit ip any any
04-30-2014 02:11 PM
So, my question would be, why are you configuring same security traffic interfaces? What are you trying to accomplish?
04-30-2014 02:26 PM
Well, Outside1 will be connected to our branch offices. Those offices will be connected by antennas and optical fiber. Those branch offices must connect only to Inside and DMZ; they cannot use the Internet.
04-30-2014 02:35 PM
If it's a branch office then I guess that it would be best to actually maintain a security level lower than Inside and then filter via ACL to which addresses your branch office should have access.
Suggestion: Security level 95 and specify corresponding NAT or NAT exemptions needed.
If you need help setting this up please let me know.
04-30-2014 02:38 PM
Yes Jumora, I will need help on this.
04-30-2014 02:46 PM
If you can give me details I can help you out. If you feel that posting directly on the forum might not be the best then just email me and I can look at what you are trying to accomplish.
FYI: I work at Cisco
04-30-2014 02:48 PM
It doesn't matter if we use this post. The info can be useful for other users.
04-30-2014 03:03 PM
Not if you can't post the information. See, forums are mostly used to ask questions without having to print out network details, but if it's not confidential information then please go ahead and post.
05-01-2014 08:23 AM
Jumora, I don't see any confidential info, but if you want, you can write to me at rrhhempservit@gmail.com
05-01-2014 09:11 AM
Maybe I did not understand what you are trying to accomplish. What I mentioned was to make your ACL configuration better, meaning more secure. Changing the security level just helps you understand that you are not coming from a site that does not require ACLs; thus from lower to higher security interfaces you need to place ACLs. Then there is a whole other world regarding NAT/PAT that involves same-security interfaces, which sometimes confuses customers, so I also wanted to avoid that for you.
To enforce security between interfaces you need to know what protocols and ports are being used by the servers that reside behind the higher security interface, so you only open what is needed and then block the rest to that higher security interface.
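As an added illustration of the approach Jumora describes in this post and in the earlier "security level 95" suggestion (this is example configuration, not from the thread or from Cisco): Outside1 is dropped below Inside, an inbound ACL on Outside1 opens only the branch-to-Inside/DMZ flows and denies everything else (so the Internet via Outside is blocked), and 8.2-style NAT exemption replaces the per-subnet identity static lines. The branch subnets are taken from the posted "route Outside1" lines; the names BRANCH_NETS, branch_in, INSIDE_NO_NAT and DMZ_NO_NAT are assumed, and the DMZ ports are the ones already in the posted dmz_in ACL.

```cisco
! Example only (not the thread's config). Outside1 becomes lower security than Inside (100)
! but higher than DMZ (10); "same-security-traffic permit inter-interface" no longer applies to it.
interface Ethernet0/1
 nameif Outside1
 security-level 95
 ip address 192.168.2.1 255.255.255.0
!
! Branch networks behind the 892 (taken from the posted "route Outside1" lines; name is assumed)
object-group network BRANCH_NETS
 network-object 172.1.1.0 255.255.255.0
 network-object 172.1.2.0 255.255.255.0
 network-object 172.1.3.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
!
! Inbound policy on Outside1 (lower -> higher needs an ACL). Tighten the Inside line to the
! real server ports once they are known, as Jumora recommends; the DMZ host only gets the
! services already listed in dmz_in.
access-list branch_in extended permit icmp object-group BRANCH_NETS 192.168.0.0 255.255.255.0 echo
access-list branch_in extended permit ip object-group BRANCH_NETS 192.168.0.0 255.255.255.0
access-list branch_in extended permit tcp object-group BRANCH_NETS host 172.16.31.2 eq www
access-list branch_in extended permit tcp object-group BRANCH_NETS host 172.16.31.2 eq https
access-list branch_in extended permit tcp object-group BRANCH_NETS host 172.16.31.2 eq 3000
access-list branch_in extended permit tcp object-group BRANCH_NETS host 172.16.31.2 eq 1000
! Explicit deny with logging: anything else from the branches, including Internet-bound
! traffic towards Outside, is dropped and shows up in the log buffer.
access-list branch_in extended deny ip any any log
access-group branch_in in interface Outside1
!
! NAT exemption (ASA 8.2 syntax) between Inside/DMZ and the branches; exemption is
! bidirectional, so these replace the identity "static (Outside1,Inside)" / "(Outside1,DMZ)"
! and "(Inside,Outside1)" / "(DMZ,Outside1)" lines from the posted config.
access-list INSIDE_NO_NAT extended permit ip 192.168.0.0 255.255.255.0 object-group BRANCH_NETS
access-list DMZ_NO_NAT extended permit ip 172.16.31.0 255.255.255.0 object-group BRANCH_NETS
nat (Inside) 0 access-list INSIDE_NO_NAT
nat (DMZ) 0 access-list DMZ_NO_NAT
! Branch hosts should never be PATed to the Outside address, so drop the dynamic rule for Outside1
no nat (Outside1) 101 0.0.0.0 0.0.0.0
```

After applying it, "show access-list branch_in" hit counts and the logged denies are the quickest way to confirm that only the intended branch flows reach Inside and the DMZ.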
05-01-2014 09:27 AM
Jumora, I understood what you are trying to do. You will help me to secure this infrastructure and help me correct the problems I have. I agree with the things you are trying to do. Please give me your email and I will write ASAP.
Thanks in advance
05-02-2014 07:27 AM
Jumora, are you connected? I've already sent the email.