02-01-2012 12:17 PM - edited 03-11-2019 03:22 PM
We recently upgraded an ASA 5505 with the Security Plus license to allow us to add a second subnet, but are having a few problems configuring the second subnet. The original subnet we have configured, 10.1.1.0, is able to access the internet without any problems. However, the new subnet 10.1.5.0 is unable to access the internet, and when we ran a packet trace the NAT config "nat (inside) 1 0.0.0.0 0.0.0.0" is showing as the rule that drops the packet.
Additionally, we have not been able to get the two subnets to talk to each other even though same-security-traffic permit inter-interface is configured. Any suggestions on configuring the subnet 10.1.5.0 to access the internet, or on getting the subnets to communicate, would be appreciated. Below is a streamlined version of our current config.
Thanks,
KJ
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 66.66.66.66 255.255.255.240
ospf cost 10
!
interface Vlan13
nameif corporate
security-level 100
ip address 10.1.5.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/5
switchport access vlan 13
speed 100
duplex full
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup corporate
dns server-group DefaultDNS
name-server 10.1.1.10
domain-name test.com
same-security-traffic permit inter-interface
object-group service rdp tcp
description Remote Desktop Protocol
port-object eq 3389
object-group service rsync tcp
description rsync
port-object eq 873
object-group service smb tcp
description smb
port-object eq netbios-ssn
access-list outside_access_in extended permit icmp any any inactive
access-list outside_access_in extended permit tcp any any object-group rsync
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any object-group smb
access-list out_in extended permit tcp any interface outside eq 3389
access-list AXEMP_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.1.1.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list inside_access_in extended permit icmp any any inactive
access-list inside_access_in extended permit tcp any any object-group rsync
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any object-group smb
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list corporate_access_in extended permit icmp any any inactive
access-list corporate_access_in extended permit tcp any any object-group rsync
access-list corporate_access_in extended permit ip any any
access-list corporate_access_in extended permit tcp any any object-group smb
access-list corporate_nat0_outbound extended permit ip any 10.1.1.192 255.255.255.224
access-list corporate_nat0_outbound extended permit ip 10.1.5.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu corporate 1500
ip local pool AXVPNPool 10.1.1.200-10.1.1.210 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface corporate
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (corporate) 0 access-list corporate_nat0_outbound
nat (corporate) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group corporate_access_in in interface corporate
route outside 0.0.0.0 0.0.0.0 63.135.165.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
console timeout 0
!
02-02-2012 12:24 PM
Found the missing exempt rule that was preventing the subnets from talking to each other, but I am still unable to connect to the DNS server in the second subnet. I must still be missing an access rule in the security policy. The latest packet-tracer output is below.
Result of the command: "packet-tracer input corporate udp 10.1.5.101 1025 10.1.1.89 53"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.1.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group corporate_access_in in interface corporate
access-list corporate_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
service-policy global_policy global
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip corporate 10.1.5.0 255.255.255.0 inside 10.1.1.0 255.255.255.0
NAT exempt
translate_hits = 480, untranslate_hits = 15
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
match ip corporate any inside any
dynamic translation to pool 1 (10.1.1.1 [Interface PAT])
translate_hits = 51, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
match ip corporate any inside any
dynamic translation to pool 1 (10.1.1.1 [Interface PAT])
translate_hits = 51, untranslate_hits = 0
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any corporate any
dynamic translation to pool 1 (10.1.5.1 [Interface PAT])
translate_hits = 17, untranslate_hits = 0
Additional Information:
Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 63.135.165.110 12356 Ryan 3389 netmask 255.255.255.255
match tcp inside host Ryan eq 3389 outside any
static translation to 63.135.165.110/12356
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 65879, packet dispatched to next module
Result:
input-interface: corporate
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet
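The trace above ends with every phase reporting ALLOW and yet "Action: drop" with the code inspect-dns-invalid-pak. That combination is worth recognising: packet-tracer builds a synthetic UDP/53 packet with no DNS payload, so "inspect dns" in the global policy rejects it, and the verdict says nothing about whether a real client query between the two subnets would pass. The script below is an added example, not code from the post or from Cisco; it parses packet-tracer output into its phases and final Result block, reports which translation was applied, and separates a genuine policy drop from this tool artifact. The embedded sample is an abridged copy of the trace in the post; the function names are this example's own.

```python
"""Parse Cisco ASA packet-tracer output and explain its verdict."""
import re

# Abridged copy of the trace posted above (constructed sample input for this example).
SAMPLE_TRACE = '''Result of the command: "packet-tracer input corporate udp 10.1.5.101 1025 10.1.1.89 53"
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
service-policy global_policy global
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
match ip corporate any inside any
dynamic translation to pool 1 (10.1.1.1 [Interface PAT])
translate_hits = 51, untranslate_hits = 0
Additional Information:
Result:
input-interface: corporate
output-interface: inside
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet
'''

CMD_RE = re.compile(r'"packet-tracer ([^"]+)"')
DROP_RE = re.compile(r"\((?P<code>[^)]+)\)")
DNS_ARTIFACT = "inspect-dns-invalid-pak"  # packet-tracer's payload-less UDP/53 packet fails DNS inspection


def parse_packet_tracer(text):
    """Split packet-tracer output into numbered phases plus the final Result block."""
    m = CMD_RE.search(text)
    trace = {"command": m.group(1) if m else None, "phases": [], "result": {}}
    phase, section, in_result = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            phase = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                     "result": "", "config": [], "info": []}
            trace["phases"].append(phase)
            section = None
        elif line == "Result:":  # bare "Result:" opens the final verdict, unlike "Result: ALLOW"
            in_result, phase = True, None
        elif in_result:
            key, _, value = line.partition(":")
            trace["result"][key.strip().lower()] = value.strip()
        elif phase is None:
            continue  # header text before the first phase
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            phase[key.lower()] = value.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            phase[section].append(line)
    return trace


def drop_code(trace):
    """Return the parenthesised drop-reason code, or None when the packet was allowed."""
    m = DROP_RE.match(trace["result"].get("drop-reason", ""))
    return m.group("code") if m else None


def applied_nat(trace):
    """Return the translation chosen in the forward NAT phase (empty subtype), if any."""
    for p in trace["phases"]:
        if p["type"] == "NAT" and not p["subtype"]:
            return next((c for c in p["config"] if "translation to" in c), None)
    return None


def diagnose(trace):
    """Findings an admin would act on; separates real policy drops from tool artifacts."""
    r = trace["result"]
    if r.get("action") != "drop":
        return ["allowed %s -> %s" % (r.get("input-interface"), r.get("output-interface"))]
    code = drop_code(trace)
    denied = [p for p in trace["phases"] if p["result"] != "ALLOW"]
    if denied:
        p = denied[0]
        findings = ["dropped in phase %d %s/%s: %s" % (p["phase"], p["type"], p["subtype"], code)]
    else:
        findings = ["all %d listed phases ALLOW; %s was raised after FLOW-CREATION, "
                    "so ACL and NAT are not the cause" % (len(trace["phases"]), code)]
    inspects_dns = any(p["type"] == "INSPECT" and any(c.startswith("inspect dns") for c in p["config"])
                       for p in trace["phases"])
    if code == DNS_ARTIFACT and inspects_dns:
        findings.append("tool artifact: packet-tracer's synthetic UDP/53 packet carries no DNS payload, "
                        "so 'inspect dns' rejects it; re-test with a real client query and 'show conn'")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_packet_tracer(SAMPLE_TRACE)):
        print(finding)
```

Feed it the full output of a packet-tracer run (copied from the CLI) and it reports the applied translation and the verdict; on the trace above it flags the DNS-inspection artifact, which means the inter-subnet DNS path still has to be validated with a real query rather than with this particular packet-tracer invocation.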