Allow Traffic between subnets on ASA 5515x (9.1)

Hello,

I'm Christopher and I am configuring an ASA 5515 with subnets spread across subinterfaces (VLANs). Everything works fine, but the subnets do not reach each other, i.e. there is no traffic between them. I am pasting the config for you to see if something is missing.

ASA Version 9.1(1)
!
hostname FWAISerena
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
ddns update method xxxxxxxx.no-ip.xxx
 ddns both
 interval maximum 0 0 1 0
!
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ddns update hostname xxxxxxxx.no-ip.xxx
 ddns update xxxxxxxx.no-ip.xxx
 dhcp client update dns
 ip address dhcp
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside_servidores
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet0/1.11
 vlan 11
 nameif inside_lan
 security-level 100
 ip address 172.16.11.1 255.255.255.0
!
interface GigabitEthernet0/1.12
 vlan 12
 nameif inside_wifiusuarios
 security-level 100
 ip address 172.16.12.1 255.255.255.0
!
interface GigabitEthernet0/1.13
 vlan 13
 nameif inside_wifipublico
 security-level 100
 ip address 172.16.13.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.200.200.1 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
object network obj_servidores_any
 subnet 0.0.0.0 0.0.0.0
object network obj_lan_any
 subnet 0.0.0.0 0.0.0.0
object network obj_wifiusuarios_any
 subnet 0.0.0.0 0.0.0.0
object network obj_wifipublico_any
 subnet 0.0.0.0 0.0.0.0
access-list inside_servidores_access_in extended permit icmp any any
access-list inside_servidores_access_in extended permit ip 10.0.0.0 255.0.0.0 any
access-list inside_servidores_access_in extended permit ip 172.16.0.0 255.240.0.0 any
access-list inside_servidores_access_in extended permit ip 192.168.0.0 255.255.0.0 any
access-list inside_servidores_access_in extended permit ip 172.16.10.0 255.255.255.0 any
access-list inside_wifipublico_access_in extended permit icmp any any
access-list inside_wifipublico_access_in extended permit ip 10.0.0.0 255.0.0.0 any
access-list inside_wifipublico_access_in extended permit ip 172.16.0.0 255.240.0.0 any
access-list inside_wifipublico_access_in extended permit ip 192.168.0.0 255.255.0.0 any
access-list inside_wifipublico_access_in extended permit ip 172.16.13.0 255.255.255.0 any
access-list inside_wifiusuarios_access_in extended permit icmp any any
access-list inside_wifiusuarios_access_in extended permit ip 10.0.0.0 255.0.0.0 any
access-list inside_wifiusuarios_access_in extended permit ip 172.16.0.0 255.240.0.0 any
access-list inside_wifiusuarios_access_in extended permit ip 192.168.0.0 255.255.0.0 any
access-list inside_wifiusuarios_access_in extended permit ip 172.16.12.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any any
access-list inside_lan_access_in extended permit icmp any any
access-list inside_lan_access_in extended permit ip 10.0.0.0 255.0.0.0 any
access-list inside_lan_access_in extended permit ip 172.16.0.0 255.240.0.0 any
access-list inside_lan_access_in extended permit ip 192.168.0.0 255.255.0.0 any
access-list inside_lan_access_in extended permit ip 172.16.11.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_servidores 1500
mtu inside_lan 1500
mtu inside_wifiusuarios 1500
mtu inside_wifipublico 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_servidores_any
 nat (inside_servidores,outside) dynamic interface
object network obj_lan_any
 nat (inside_lan,outside) dynamic interface
object network obj_wifiusuarios_any
 nat (inside_wifiusuarios,outside) dynamic interface
object network obj_wifipublico_any
 nat (inside_wifipublico,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_servidores_access_in in interface inside_servidores
access-group inside_lan_access_in in interface inside_lan
access-group inside_wifiusuarios_access_in in interface inside_wifiusuarios
access-group inside_wifipublico_access_in in interface inside_wifipublico
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec authentication-server
http server enable
http 172.16.10.0 255.255.255.0 inside_servidores
http 0.0.0.0 0.0.0.0 outside
http 10.200.200.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 190.98.204.80 255.255.255.248 outside
ssh 172.16.10.0 255.255.255.0 inside_servidores
ssh 10.200.200.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 172.16.11.20-172.16.11.250 inside_lan
dhcpd dns 8.8.8.8 interface inside_lan
dhcpd enable inside_lan
!
dhcpd address 172.16.12.20-172.16.12.250 inside_wifiusuarios
dhcpd dns 8.8.8.8 interface inside_wifiusuarios
dhcpd enable inside_wifiusuarios
!
dhcpd address 172.16.13.20-172.16.13.250 inside_wifipublico
dhcpd dns 8.8.8.8 interface inside_wifipublico
dhcpd enable inside_wifipublico
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cgutierrez password 9Aqxz2z4OgSesddB encrypted privilege 15
username admin password vAMrCPJV5P3jmuKo encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4441640901d46fe224f7574fd2db08f9
: end

2 Replies

Jouni Forss
VIP Alumni

Hi,

Seems on quick glance that all your interfaces are set to "security-level 100"

To enable traffic between interfaces of equal "security-level" you will have to configure the following command

same-security-traffic permit inter-interface

Even if you have the interface ACLs configured to allow the traffic you will need the above command.

This is usually hard to troubleshoot with the ASA logs or even the "packet-tracer" test unless you know this sort of limitation exists.

Hope this helps

Let me know how it goes

- Jouni
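The condition Jouni describes is a static property of the running configuration, so it can be caught before any traffic is sent, which matters because, as he notes, the logs and packet-tracer do not make it obvious. The Python script below is an added example written for this page; it is not Cisco code and not from the thread. It parses the interface blocks of a `show running-config` dump, groups the named interfaces by security level, and reports every level shared by two or more through-traffic interfaces when `same-security-traffic permit inter-interface` is absent. `SAMPLE_CONFIG` is a constructed excerpt modelled on the interface lines in the question; the parser assumes interface blocks are delimited by `interface ...` and `!` (indentation is not required, since the paste above lost it), and it skips `management-only` interfaces on the assumption that they never forward through-traffic.

```python
from collections import defaultdict

# Constructed excerpt (assumption): modelled on the interface and security-level
# lines in the configuration posted in the question; all other lines omitted.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside_servidores
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet0/1.11
 vlan 11
 nameif inside_lan
 security-level 100
 ip address 172.16.11.1 255.255.255.0
!
interface GigabitEthernet0/1.12
 vlan 12
 nameif inside_wifiusuarios
 security-level 100
 ip address 172.16.12.1 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.200.200.1 255.255.255.0
!
access-group inside_lan_access_in in interface inside_lan
"""

PERMIT_CMD = "same-security-traffic permit inter-interface"


def parse_interfaces(config):
    """Return {nameif: (security_level, management_only)} for every named interface.

    A block starts at 'interface ...' and ends at the next '!' (ASA prints one
    after each block); only nameif, security-level and management-only are read.
    """
    blocks, in_block = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            blocks.append({"nameif": None, "level": None, "mgmt_only": False})
            in_block = True
        elif line == "!":
            in_block = False
        elif in_block:
            cur = blocks[-1]
            if line.startswith("nameif "):
                cur["nameif"] = line.split(None, 1)[1]
            elif line.startswith("security-level "):
                cur["level"] = int(line.split()[1])
            elif line == "management-only":
                cur["mgmt_only"] = True
    # Interfaces with 'no nameif' / 'no security-level' never get a name, so they drop out here.
    return {b["nameif"]: (b["level"], b["mgmt_only"])
            for b in blocks if b["nameif"] and b["level"] is not None}


def same_security_permitted(config):
    """True when the inter-interface permit command is present at top level."""
    return any(line.strip() == PERMIT_CMD for line in config.splitlines())


def audit_same_security(config):
    """Return [(level, [nameif, ...]), ...] for each security level shared by
    two or more through-traffic interfaces while PERMIT_CMD is missing.
    An empty list means traffic between equal-level interfaces is not blocked
    by this rule (interface ACLs and NAT may still block it)."""
    if same_security_permitted(config):
        return []
    by_level = defaultdict(list)
    for name, (level, mgmt_only) in parse_interfaces(config).items():
        if not mgmt_only:  # assumption: management-only interfaces carry no through-traffic
            by_level[level].append(name)
    return [(level, sorted(names)) for level, names in sorted(by_level.items())
            if len(names) > 1]


if __name__ == "__main__":
    import sys
    text = SAMPLE_CONFIG if sys.stdin.isatty() else sys.stdin.read()
    findings = audit_same_security(text)
    for level, names in findings:
        print(f"security-level {level} shared by {', '.join(names)}; "
              f"traffic between them is dropped until '{PERMIT_CMD}' is configured")
    sys.exit(1 if findings else 0)
```

Pipe a saved `show running-config` into the script to audit a real device; it exits non-zero when a finding exists, which makes it usable as a pre-change check. It deliberately does not cover `same-security-traffic permit intra-interface` (traffic entering and leaving the same interface), which is a separate setting, and a clean result only removes this one reason for the drop: the interface ACLs still have to permit the flow.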

I have got a similar, but not the same, issue on an ASA 5505 firewall running 9.1.

How can I just allow DMZ and Production on two ports for a WiFi access point and separate the traffic so DMZ traffic does not access the Production network/subnet? The Production network is VLAN 1 and DMZ is VLAN 3 on the ASA 5505.
