01-06-2016 10:07 AM - edited 03-12-2019 12:07 AM
Hi,
I am configuring a firewall which has four zones:
1. DC-INSIDE (security-level 50)
2. DC-OUTSIDE (security-level 50)
3. DC-DMZ-ZONE (security-level 90)
4. DC-SERVER-ZONE (security-level 100)
I created the ACLs below so that all users can access all zones:
access-list DC-OUTSIDE_ACCESS_IN extended permit ip any any
access-list DC-INSIDE_ACCESS_IN extended permit ip any any
access-list DC-DMZ-ZONE_ACCESS_IN extended permit ip any any
access-list DC-SERVER-ZONE_ACCESS_IN extended permit ip any any
access-group DC-OUTSIDE_ACCESS_IN in interface DC-OUTSIDE
access-group DC-INSIDE_ACCESS_IN in interface DC-INSIDE
access-group DC-DMZ-ZONE_ACCESS_IN in interface DC-DMZ-ZONE
access-group DC-SERVER-ZONE_ACCESS_IN in interface DC-SERVER-ZONE
Problems:
1. I cannot access DC-OUTSIDE from DC-INSIDE
2. I cannot access DC-OUTSIDE from DC-SERVER-ZONE
3. I cannot access DC-OUTSIDE from DC-DMZ-ZONE
***(N.B.: I can only access DC-INSIDE from DC-OUTSIDE and DC-SERVER-ZONE from DC-OUTSIDE)
Is there any mistake in the ACLs?
If there is any mistake, please let me know and suggest a solution.
Thanking You-
Azizur Rahman
01-06-2016 10:20 AM
Hi Azizur,
By default the ASA will not permit traffic between interfaces (or sub-interfaces) with the same security level, or for that matter hairpin traffic. You can either change the security levels of the interfaces or use the 'same-security-traffic permit inter-interface' command in global config mode. This will solve your DC-INSIDE to DC-OUTSIDE problem.
As for your other problems, ensure routing is in place, and I recommend using the 'packet-tracer' command to see where the problem lies.
Gareth
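The reply above describes three ASA rules that decide whether a new flow between two interfaces is even eligible: the security levels of the two interfaces, the `same-security-traffic permit inter-interface` / `intra-interface` commands, and the inbound ACL applied to the ingress interface. The following is an added example, not code from the thread or from Cisco: a small Python model of just those checks, populated with the four zones from the opening post (the ACL names follow the poster's `<ZONE>_ACCESS_IN` convention; which addresses sit behind which interface is not stated in the thread, so the interfaces in the calls below are assumptions). Routing, NAT, inspection and state are deliberately left out, which is exactly the gap `packet-tracer` fills on a real box.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample data: the four zones and security levels from the opening post.
ZONES = {"DC-INSIDE": 50, "DC-OUTSIDE": 50, "DC-DMZ-ZONE": 90, "DC-SERVER-ZONE": 100}


def _in(net: str, ip: str) -> bool:
    """'any' matches every address; otherwise test CIDR membership."""
    return net == "any" or ip_address(ip) in ip_network(net, strict=False)


@dataclass
class Ace:
    """One access-list entry: `permit|deny ip <src> <dst>` with src/dst as CIDR or 'any'."""
    action: str
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _in(self.src, src_ip) and _in(self.dst, dst_ip)


@dataclass
class Asa:
    """Simplified model of the ASA interface-pair checks (no routing, NAT or inspection)."""
    levels: dict                                   # interface name -> security-level
    acl_in: dict = field(default_factory=dict)     # interface name -> [Ace] applied 'in'
    same_security_inter: bool = False              # same-security-traffic permit inter-interface
    same_security_intra: bool = False              # same-security-traffic permit intra-interface

    def check(self, ingress: str, egress: str, src_ip: str, dst_ip: str) -> tuple:
        """Return (permitted, reason) for a flow entering `ingress` and leaving `egress`.
        The egress interface is assumed to be already known, i.e. routing is resolved."""
        if ingress == egress:
            # Hairpin (U-turn) traffic needs the intra-interface permit.
            if not self.same_security_intra:
                return False, "hairpin denied: same-security-traffic permit intra-interface not set"
        elif self.levels[ingress] == self.levels[egress] and not self.same_security_inter:
            # Equal security levels are blocked regardless of what the ACL says.
            return False, "same security level: same-security-traffic permit inter-interface not set"

        acl = self.acl_in.get(ingress)
        if acl is not None:
            # An applied ACL replaces the implicit level-based rule: first match wins,
            # and anything unmatched hits the implicit deny at the end of the list.
            for ace in acl:
                if ace.matches(src_ip, dst_ip):
                    return ace.action == "permit", f"acl {ingress}_ACCESS_IN: {ace.action} {ace.src} {ace.dst}"
            return False, f"acl {ingress}_ACCESS_IN: implicit deny"

        # No ACL: a higher-security interface may initiate toward a lower one; the reverse is denied.
        if self.levels[ingress] > self.levels[egress]:
            return True, "implicit permit: higher to lower security level"
        return False, "implicit deny: lower to higher security level without an ACL"


def thread_config(same_security_inter: bool) -> Asa:
    """The opening post's setup: 'permit ip any any' applied inbound on every zone."""
    return Asa(levels=dict(ZONES),
               acl_in={z: [Ace("permit", "any", "any")] for z in ZONES},
               same_security_inter=same_security_inter)


if __name__ == "__main__":
    # Assumed placement: 10.10.1.1 behind DC-INSIDE, 10.10.3.3 behind DC-OUTSIDE.
    for inter in (False, True):
        asa = thread_config(inter)
        print(f"inter-interface={inter}:",
              asa.check("DC-INSIDE", "DC-OUTSIDE", "10.10.1.1", "10.10.3.3"))
    print("hairpin:", thread_config(True).check("DC-OUTSIDE", "DC-OUTSIDE", "10.10.3.3", "10.10.3.4"))
```

Two things the model makes visible: with both DC-INSIDE and DC-OUTSIDE at level 50, `permit ip any any` on every interface still yields a deny until `same-security-traffic permit inter-interface` is configured, and once any ACL is applied to an interface the security level no longer grants an implicit permit, so the ACL alone decides. Everything after that decision (route lookup, NAT, inspection) is what `packet-tracer` on the real unit shows and this model does not.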
01-06-2016 10:32 AM
Yes Gareth,
I know that by default the ASA will not permit traffic between interfaces (or sub-interfaces) with the same security level. To communicate between two zones with the same security level, I use the "same-security-traffic permit inter-interface" command.
Gareth, one thing I would like to mention is that I can access (ping) DC-INSIDE from DC-OUTSIDE, and both are at the same security level (50), so I think it is working. But I cannot ping DC-OUTSIDE from DC-INSIDE, from DC-SERVER-ZONE or from DC-DMZ-ZONE.
Thanking You-
Azizur Rahman
01-06-2016 10:35 AM
Hi Azizur,
Could you post the interface configurations and the 'show route' and 'show arp' output please? Also, what are the addresses of the devices on each interface you are trying to ping from/to?
thanks,
Gareth
01-06-2016 11:08 AM
Hi Gareth,
Please find the attachments.
Ping Test:
1. From 10.10.3.3 to 10.10.1.1===ok
2. From 10.10.1.1 to 10.10.3.3, 10.10.3.5 (standby)===Not ok
3. From 10.10.3.3 to 10.10.2.1===ok
4. From 10.10.2.1 to 10.10.3.3===Not ok
5. From 10.10.3.3 to 192.168.102.254===ok
6. From 192.168.102.254 to 10.10.3.3===Not ok
Thanking You-
Azizur Rahman
01-06-2016 11:22 AM
Hi Azizur,
Could you run the commands:
packet-tracer input DC-INSIDE tcp 10.10.1.1 50000 10.10.3.3 443 detailed
packet-tracer input DC-INSIDE tcp 10.10.2.1 50000 10.10.3.3 443 detailed
packet-tracer input DC-INSIDE tcp 192.168.102.254 50000 10.10.3.3 443 detailed
and post the output please?
Gareth
01-06-2016 12:33 PM
apply this command:
same-security-traffic permit inter-interface
Thanks,
Sarabjit
Please rate it if helpful.
01-06-2016 12:37 PM
Ignore my previous comment, it has already been suggested.