
ASA 5505 - allow traffic between inside interfaces

sgendron9
Level 1

Hi All - Cisco ASA novice here... I have a question that I'm guessing is pretty straightforward. I'm trying to allow traffic between 2 inside interfaces with the same security level, VLAN1 and VLAN15. They are on different physical ports on the ASA. I tried to configure this through the GUI web interface and checked 'enable traffic between two or more interfaces with the same security levels'. With this ASA version, I do not need NAT to allow this, correct? What am I missing?

ASA Version 8.2(1)
!
hostname ciscoasa
enable password UMrZyv1DTPLXGFch encrypted
passwd UMrZyv1DTPLXGFch encrypted
names
name XX.YY.163.39 EDI_XX.YY.163.39
name XX.YY.163.38 EDI2_XX.YY.163.38
name 10.66.91.135 UMASS_10.66.91.135 description UMASS VPN
name 172.16.16.236 EDI2_172.16.16.236 description Polaris EDI2
name 172.16.16.235 EDI_172.16.16.235 description Polaris EDI
name 192.168.25.17 ImagingInst_192.168.25.17 description ImagingInstitute
name 192.168.25.21 ImagingInst_192.168.25.21 description ImagingInstitute
name 192.168.25.22 ImagingInst_192.168.25.22 description ImagingInstitute
name 192.168.25.8 ImagingInst_192.168.25.8 description ImagingInstitute
name 10.88.0.4 UMASS_10.88.0.4 description UMASS VPN
name 10.88.8.80 UMASS_10.88.8.80 description UMASS VPN
name 172.16.16.231 Utility_172.16.16.231 description Testing
name 172.16.16.241 MonitorInt_172.16.16.241 description MonitorInt
name AA.BB.136.26 Monitor_AA.BB.136.26 description Monitor
name AA.BB.154.135 Monitor_AA.BB.154.135 description Monitor
name XX.YY.163.40 Utility_XX.YY.163.40 description Used for  monitoring, and may be used for other
name XX.BB.188.130 Monitor_AA.BB.188.130 description MonitorTest
name 172.16.16.232 Gateway_172.16.16.232
name XX.YY.163.41 Gateway_XX.YY.163.41
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.16.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.YY.163.36 255.255.255.240
!
interface Vlan5
 shutdown
 nameif dmz
 security-level 50
 no ip address
!
interface Vlan15
 nameif MCBackendTraffic
 security-level 100
 ip address 172.22.1.220 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 15
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
object-group network ImagingInstGroup
 network-object host ImagingInst_192.168.25.17
 network-object host ImagingInst_192.168.25.21
 network-object host ImagingInst_192.168.25.22
 network-object host ImagingInst_192.168.25.8
object-group service EDI2_Ports tcp
 port-object eq https
 port-object eq ssh
object-group service EDI_Ports tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object host UMASS_10.66.91.135
 network-object host UMASS_10.88.0.4
 network-object host UMASS_10.88.8.80
object-group network DM_INLINE_NETWORK_2
 network-object host Monitor_XX.YY.136.26
 network-object host Monitor_XX.YY.154.135
 network-object host Monitor_XX.YY.188.130
object-group service Monitor_Ports
 service-object tcp-udp range 48000 48020
 service-object tcp eq ssh
 service-object udp eq snmp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list outside_1_cryptomap extended permit ip 172.16.16.0 255.255.255.0 10.242.55.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 10.242.55.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host EDI2_172.16.16.236 host UMASS_10.66.91.135
access-list inside_nat0_outbound extended permit ip host EDI2_172.16.16.236 object-group ImagingInstGroup
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip any 172.16.16.96 255.255.255.240
access-list outside_access_in extended permit tcp any host EDI2_XX.YY.163.38 object-group EDI2_Ports
access-list outside_access_in extended permit tcp any host EDI_XX.YY.163.39 object-group EDI_Ports
access-list outside_access_in extended permit object-group Monitor_Ports object-group DM_INLINE_NETWORK_2 host Utility_XX.YY.163.40
access-list outside_access_in extended permit tcp any host Gateway_XX.YY.163.41 object-group DM_INLINE_TCP_1
access-list outside_2_cryptomap extended permit ip 172.16.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_3_cryptomap extended permit ip 172.16.16.0 255.255.255.0 object-group ImagingInstGroup
access-list throttle_edi_servers extended permit ip host EDI2_XX.YY.163.38 any
access-list throttle_edi_servers extended permit ip any host EDI2_XX.YY.163.38
access-list throttle_edi_servers extended permit ip host EDI_XX.YY.163.39 any
access-list throttle_edi_servers extended permit ip any host EDI_XX.YY.163.39
access-list RemoteAccessVPN_splitTunnelAcl standard permit 172.16.16.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm warnings
logging mail errors
logging from-address noreply@utility..com
logging recipient-address aa@bb.com level errors
logging host inside Utility_172.16.16.231
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu MCBackendTraffic 1500
ip local pool VPNPool 172.16.16.101-172.16.16.111 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) EDI_XX.YY.163.39 EDI_172.16.16.235 netmask 255.255.255.255
static (inside,outside) EDI2_XX.YY.163.38 EDI2_172.16.16.236 netmask 255.255.255.255
static (inside,outside) Utility_XX.YY.163.40 MonitorInt_172.16.16.241 netmask 255.255.255.255
static (inside,outside) Gateway_XX.YY.163.41 Gateway_172.16.16.232 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.YY.163.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.16.0 255.255.255.0 inside
http 10.242.55.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer AA.CC.125.146
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer AA.CC.139.26
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer AA.CC.56.227
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.16.16.0 255.255.255.0 inside
telnet 10.242.55.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns XX.YY.136.155 XX.YY.136.100
dhcpd auto_config outside
!
dhcpd address 172.16.16.5-172.16.16.100 inside
dhcpd dns XX.YY.136.155 XX.YY.136.100 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc
group-policy RemoteAccessVPN internal
group-policy RemoteAccessVPN attributes
 dns-server value 172.16.16.230
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccessVPN_splitTunnelAcl
 default-domain value .com
username remote password HP6P1nlQDIJY7Y8G encrypted privilege 0
username remote attributes
 vpn-group-policy RemoteAccessVPN
tunnel-group AA.CC.125.146 type ipsec-l2l
tunnel-group AA.CC.125.146 ipsec-attributes
 pre-shared-key *
tunnel-group AA.CC.139.26 type ipsec-l2l
tunnel-group AA.CC.139.26 ipsec-attributes
 pre-shared-key *
tunnel-group AA.CC.56.227 type ipsec-l2l
tunnel-group AA.CC.56.227 ipsec-attributes
 pre-shared-key *
tunnel-group RemoteAccessVPN type remote-access
tunnel-group RemoteAccessVPN general-attributes
 address-pool VPNPool
 default-group-policy RemoteAccessVPN
tunnel-group RemoteAccessVPN ipsec-attributes
 pre-shared-key *
!
class-map throttle-me
 match access-list throttle_edi_servers
!
!
policy-map throttle-policy
 class throttle-me
  police output 524000 4000
  police input 524000 4000
!
service-policy throttle-policy interface outside
smtp-server 172.16.16.231
prompt hostname context
Cryptochecksum:884757d08c2dab5220a40758f543f8fb
: end

1 Reply

sgendron9
Level 1

Would this work?

access-list nonat extended permit ip 172.22.1.0 255.255.0.0 172.16.16.0 255.255.255.0
access-list nonat extended permit ip 172.16.16.0 255.255.255.0 172.22.1.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (MCBackendTraffic) 0 access-list nonat
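Added example for both the original question and the follow-up above; this is editor-supplied configuration, not part of the thread. The posted running config already contains `same-security-traffic permit inter-interface`, so the GUI checkbox did its job. What still blocks the flow on 8.2 is NAT: `nat (inside) 1 0.0.0.0 0.0.0.0` matches every packet leaving the inside interface, and the only `global` for pool 1 is on outside. A packet from inside to MCBackendTraffic therefore finds no translation for its egress interface and is dropped (syslog %ASA-3-305005, "No translation group found"), even though nat-control is disabled. The fix is to exempt inside <-> 172.22.1.0/24 from that dynamic rule. The fragment below appends to the existing `inside_nat0_outbound` list instead of binding a new `nonat` list, because `nat (inside) 0 access-list <name>` is a single per-interface statement: entering it with a different list name replaces the current binding and silently removes the site-to-site VPN exemptions it carries. It assumes 172.22.1.0/24 (the mask on the Vlan15 interface), so the access-list mask is 255.255.255.0; the list name `MCBackend_nat0_outbound` and the hosts 172.16.16.10 and 172.22.1.10 used in the packet-tracer check are placeholders.

```cisco
! Editor-added example, not from the original thread. Assumes ASA 8.2 NAT syntax,
! inside = 172.16.16.0/24, MCBackendTraffic = 172.22.1.0/24, and nat-control
! disabled (the default; the posted config has no "nat-control" line).
!
! 1. Same-security forwarding. Already present in the posted config; shown for completeness.
same-security-traffic permit inter-interface
!
! 2. Exempt inside -> MCBackendTraffic from "nat (inside) 1 0.0.0.0 0.0.0.0".
!    Append to the list already bound by "nat (inside) 0 access-list inside_nat0_outbound".
!    Do NOT enter "nat (inside) 0 access-list nonat": that would replace the binding
!    and drop the VPN exemptions in inside_nat0_outbound.
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 172.22.1.0 255.255.255.0
!
! 3. Mirror exemption on MCBackendTraffic (placeholder list name). There is no
!    "nat (MCBackendTraffic) N" rule today, so this is not strictly required, but it
!    keeps the backend side stable if dynamic NAT is ever added to that interface.
access-list MCBackend_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 172.16.16.0 255.255.255.0
nat (MCBackendTraffic) 0 access-list MCBackend_nat0_outbound
!
! Alternative to step 2: an identity static between the two interfaces.
! static (inside,MCBackendTraffic) 172.16.16.0 172.16.16.0 netmask 255.255.255.0
!
! --- Verification (privileged EXEC) ---
! Simulate a TCP/80 flow from an inside host to a backend host (placeholder addresses).
! Before the exemption the NAT phase fails; afterwards the trace should end with "Action: allow".
packet-tracer input inside tcp 172.16.16.10 1025 172.22.1.10 80
! Confirm which list each "nat ... 0" statement is bound to, then watch for drops while testing.
show running-config nat
show logging | include 305005
```

No access-list is needed on either interface for this flow: both are security-level 100, neither has an `access-group`, and the `same-security-traffic` statement supplies the implicit permit. The 8.2 `nat`/`global`/`static` syntax above does not apply to ASA 8.3 and later, where NAT was rewritten and the "no translation group" interaction with dynamic NAT no longer exists.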
