No traffic from networks attached to Outside1 (security level 100) to DMZ and vice versa

Eduardo Guerra
Level 1

I have an ASA5510. I configured an Outside, one DMZ and two security-level-100 interfaces (Outside1 and Inside). I can ping and have fluid traffic between DMZ and the Inside interface, but I don't have any kind of traffic between DMZ and Outside1. I wrote the same configuration for both security-level-100 interfaces. I also have a Cisco 892 router connected to Outside1. When I attach a computer instead of the 892, traffic between Outside1 and DMZ is fluid. I need to have fluid traffic between the networks connected to the 892.

Can someone help me? Here are the two configs:

ASA5510:

: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name a.b.c
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.y.z.162 255.255.255.248
!
interface Ethernet0/1
 nameif Outside1
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit tcp host 172.16.31.2 any eq domain
access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
access-list dmz_in extended permit tcp host 172.16.31.2 any eq https
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host x.y.z.163 eq smtp
access-list 100 extended permit udp any host x.y.z.163 eq domain
access-list 100 extended permit tcp any host x.y.z.163 eq https
access-list 100 extended permit tcp any host x.y.z.163 eq www
access-list 100 extended permit tcp any host x.y.z.163 eq 3000
access-list 100 extended permit tcp any host x.y.z.163 eq 1000
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Outside1 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 192.168.0.22 Outside
icmp permit 192.168.0.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Outside1
icmp permit 172.16.31.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 DMZ
icmp permit 192.168.2.0 255.255.255.0 Inside
icmp permit 192.168.0.0 255.255.255.0 Inside
icmp permit 172.16.31.0 255.255.255.0 Inside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside1) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) x.y.z.163 172.16.31.0 netmask 255.255.255.255
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
static (DMZ,Outside1) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.2.0 172.1.2.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.3.0 172.1.3.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Outside1,DMZ) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 x.y.z.161 20
route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.2.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.3.0 255.255.255.0 192.168.2.2 1
route Outside1 192.1.0.0 255.255.192.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7441424d1fcf87c3eb837b569e84aa9e
: end

Cisco 892:

Current configuration : 3296 bytes
!
! Last configuration change at 01:15:13 UTC Tue Apr 29 2014 by eguerra
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterHQFCH
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 
!
no aaa new-model
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1580540949
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1580540949
 revocation-check none
 rsakeypair TP-self-signed-1580540949
!
!
crypto pki certificate chain TP-self-signed-1580540949
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31353830 35343039 3439301E 170D3134 30343134 31393433
  30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35383035
  34303934 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BC61 7D5F7F47 65203EC9 1207B83F 19EC7AC3 00404F99 A89FD64B 1F0F659F
  E99062C2 3BB1E517 075BAF59 D361FFC9 4F872A14 A7528061 CF936F40 D03F234B
  5641147F D2B4AB7D 9E10F36A 087F511B F68ABC6E 98F96C74 8EF5084B F490D91B
  0EC05671 D8C5B7DD EE8F48C2 CD76F7C9 B8405DD6 42375B3C 8D04FDEF 555D0FA0
  0FDF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14FCB587 54EE2C1B 2B6DB648 A6FC0ECF 85062C8F 6A301D06
  03551D0E 04160414 FCB58754 EE2C1B2B 6DB648A6 FC0ECF85 062C8F6A 300D0609
  2A864886 F70D0101 05050003 81810033 A196E361 A273E890 146EF605 D7AB9235
  52BA28F8 A526D8AE CD903257 E4E81C76 C85FBCD4 201DFF90 11FB1617 9210037E
  B66299B3 FB2173D2 AFEC9B52 D2221BEA 9B8CC180 BE36F3AB D5811F9F 401043B0
  4BDA8647 897D8FE7 6D753C4F 3C76A493 2C260C22 24E966EB BEE54A2A 51D58F21
  23080B9D 9C5FD690 62C6B0C9 30C3AA
        quit
license udi pid C892FSP-K9 sn FTX180484TB
!
!
username servicios privilege 15 password 7 
username eguerra privilege 15 password 7 
!
!
!
!
!
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address 172.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet9
 ip address 172.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
 ip address 192.168.100.200 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip route 172.16.31.0 255.255.255.0 192.168.2.1
ip route 192.168.0.0 255.255.255.0 192.168.2.1
!
!
!
control-plane
!
!
!
line con 0
 password 7 
 login
 no modem enable
line aux 0
line vty 0 4
 password 7 
 login local
 transport input all
!
scheduler allocate 20000 1000
!
end

Thanks in advance

1 Accepted Solution

FYI, we got this working!

Please mark this as answered please!

Value our effort and rate the assistance!

15 Replies

Marvin Rhoads
Hall of Fame

The routes on the ASA that use Outside1 are set to your router's VLAN1 address at 192.168.2.2. Can you confirm that you can ping that address when your ASA is connected to the router?

When I add the following line in the 892, I can ping from the ASA:

access-list 101 permit ip any any


So, my question would be, why are you configuring same security traffic interfaces? What are you trying to accomplish?


Well, Outside1 will be connected to our branch offices. Those offices will be connected by antennas and optical fiber. Those branch offices must connect only to Inside and DMZ, and cannot use the Internet.

If it's a branch office then I guess that it would be best to actually maintain a security level lower than inside and then filter via ACL to which addresses your branch office should access.

 

Suggestion: Security level 95 and specify corresponding NAT or NAT exemptions needed.

 

If you need help setting this up please let me know.

Yes Jumora, I will need help on this.

If you can give me details I can help you out. If you feel that posting directly on the forum might not be the best then just email me and I can look at what you are trying to accomplish.

 

FYI: I work at Cisco

It doesn't matter if we use this post. The info can be useful for other users.

Not if you can't post the information, see forums are mostly used to ask questions without having to print out network details, but if it's not confidential information then please go ahead and post.

Jumora, I don't see any confidential info, but if you want, you can write me at rrhhempservit@gmail.com

Maybe I did not understand what you are trying to accomplish. What I mentioned was to make your ACL configuration better, meaning more secure. Changing the security level just helps you understand that you are not coming from a site that does not require ACLs; thus from lower to higher security interfaces you need to place ACLs. Then there is a whole other world regarding NAT/PAT that involves same-security interfaces, which sometimes confuses customers, so I also wanted to avoid that for you.

To enforce security between interfaces you need to know what protocols and ports are being used by servers that reside behind the higher security interface so you only open what is needed then block the rest to that higher security interface.

Jumora, I understood what you are trying to do. You will help me to secure this infrastructure and help me correct the problems I have. I agree with the things you are trying to do. Please give me your email and I will write ASAP.
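As an added example (not from this thread and not Cisco's own recommended configuration), the following ASA 8.2 fragment is one way to implement the suggestion made in the last two replies: move Outside1 to security level 95, permit only the services the branch offices need with an inbound ACL, and exempt Inside/DMZ traffic from translation toward the branches. The branch subnets are the three 172.1.x.0/24 networks routed to the 892 in the posted config; the DMZ host 172.16.31.2 and its services come from the posted dmz_in access-list; the Inside host 192.168.0.10 and TCP/445 are placeholders for whatever the branches actually need.

```text
! Added example, not the thread's own configuration. ASA 8.2 (pre-8.3 NAT) syntax.
! Placeholders: host 192.168.0.10 and TCP/445 stand for a real Inside server.
!
! 1. Put Outside1 below Inside. Traffic from Outside1 (95) to Inside (100) is
!    now dropped unless an ACL permits it; Inside -> Outside1 still works by
!    default and no longer depends on "same-security-traffic permit inter-interface".
interface Ethernet0/1
 nameif Outside1
 security-level 95
 ip address 192.168.2.1 255.255.255.0
!
! 2. Name the branch networks once so the ACL and NAT lines stay readable.
!    Add further branch subnets here as they come online.
object-group network BRANCH_NETS
 network-object 172.1.1.0 255.255.255.0
 network-object 172.1.2.0 255.255.255.0
 network-object 172.1.3.0 255.255.255.0
!
! 3. Inbound ACL on Outside1: permit only what the branches need, then deny and
!    log everything else. An interface ACL covers all traffic entering Outside1,
!    so the final deny also blocks branch traffic toward Outside (the Internet),
!    which the thread says the branches must not use.
access-list branch_in extended permit icmp object-group BRANCH_NETS 192.168.0.0 255.255.255.0 echo
access-list branch_in extended permit tcp object-group BRANCH_NETS host 192.168.0.10 eq 445
access-list branch_in extended permit tcp object-group BRANCH_NETS host 172.16.31.2 eq www
access-list branch_in extended permit tcp object-group BRANCH_NETS host 172.16.31.2 eq https
access-list branch_in extended permit tcp object-group BRANCH_NETS host 172.16.31.2 eq smtp
access-list branch_in extended permit udp object-group BRANCH_NETS host 172.16.31.2 eq domain
access-list branch_in extended deny ip any any log
access-group branch_in in interface Outside1
!
! 4. NAT exemption ("nat 0 access-list" form) so Inside and DMZ addresses are
!    not translated toward the branches. This replaces the identity
!    "static (Inside,Outside1)" / "static (DMZ,Outside1)" / "static (Outside1,...)"
!    entries in the posted config. Dynamic PAT from Outside1 to the Internet
!    is removed because the branches must not reach the Internet through this ASA.
access-list nonat_inside extended permit ip 192.168.0.0 255.255.255.0 object-group BRANCH_NETS
access-list nonat_dmz extended permit ip 172.16.31.0 255.255.255.0 object-group BRANCH_NETS
nat (Inside) 0 access-list nonat_inside
nat (DMZ) 0 access-list nonat_dmz
no nat (Outside1) 101 0.0.0.0 0.0.0.0
!
! 5. Routes to the branches via the 892's VLAN1 address, unchanged from the post.
route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.2.0 255.255.255.0 192.168.2.2 1
route Outside1 172.1.3.0 255.255.255.0 192.168.2.2 1
```

Before and after applying a change like this, `packet-tracer input Outside1 tcp 172.1.1.10 1025 172.16.31.2 80` (and the same toward an Inside host and toward an Internet address) shows which phase (route lookup, ACL, NAT) allows or drops the flow, which is also the quickest way to confirm whether the original problem was routing, the security-level rules or NAT. The `log` keyword on the final deny produces a syslog entry for every branch flow that the policy rejects, which is what you want to watch while the ACL is still being tuned.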

 

Thanks in advance

Jumora, are you connected? I've already sent the email.
