1070 Views | 16 Helpful | 9 Replies

ASA 5510 2 Internet Interfaces Without Traffic

Oscar Madrigal
Level 1

Hi, I need to route to subnets from 2 different ASA interfaces. The ASA also has an outside interface that works as the gateway for internet access.

Here is my configuration

ASA Version 8.2(1)
!
hostname ICE3
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 201.199.xxx.xx 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.x 255.255.255.0
!
interface Ethernet0/2
nameif
security-level 100
ip address 0.0.0.0 0.0.0.0
!
interface Ethernet0/3
nameif Wireless
security-level 100
ip address 192.168.1.2 255.255.255.0
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service web-ports tcp
port-object eq https
port-object eq www
object-group network Wireless
network-object host 192.168.1.1
access-list outbound extended permit ip object-group trusted any
access-list outbound extended permit tcp object-group web-servers any object-group web-ports
access-list outbound extended permit tcp 10.1.1.0 255.255.255.0 any object-group general-access
access-list outbound extended permit tcp host 201.199.xxx.xx any object-group web-ports
access-list inside_access_in extended permit ip object-group trusted any
access-list inside_access_in extended permit ip object-group DNS-Servers any log disable inactive
access-list inside_access_in extended permit ip any any inactive
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Wireless_access_in extended permit ip any any
!
tcp-map TCPMAP
  reserved-bits clear
  synack-data allow
  invalid-ack allow
  seq-past-window allow
  urgent-flag allow
!
pager lines 24
logging enable
logging list configLog level debugging class auth
logging list configLog level debugging class config
logging list system-IDSLog level informational class ids
logging list system-IDSLog level informational class sys
logging buffer-size 10000
logging asdm informational
no logging message 111008
no logging message 111007
mtu outside 1500
mtu inside 1500
mtu ISA 1500
mtu management 1500
mtu Wireless 1500
ip audit name attackPolicy attack action alarm drop
ip audit name antiSnifferPolicy info action drop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 10 interface
nat (inside) 1 10.1.1.0 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Wireless_access_in in interface Wireless
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community DotNet
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
sysopt connection tcpmss 0
service resetinbound interface ISA
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn 201.199.xxx.xx
subject-name CN=201.199.xxx.xx
ip-address 201.199.xxx.xx
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 0efba950
    30820227 30820190 a0030201 0202040e fba95030 0d06092a 864886f7 0d010104
    05003058 31183016 06035504 03130f32 30312e31 39392e31 33352e31 3134313c
    301c0609 2a864886 f70d0109 02160f32 30312e31 39392e31 33352e31 3134301c
    06092a86 4886f70d 01090813 0f323031 2e313939 2e313335 2e313134 301e170d
    31323131 31393039 32353334 5a170d32 32313131 37303932 3533345a 30583118
    30160603 55040313 0f323031 2e313939 2e313335 2e313134 313c301c 06092a86
    4886f70d 01090216 0f323031 2e313939 2e313335 2e313134 301c0609 2a864886
    f70d0109 08130f32 30312e31 39392e31 33352e31 31343081 9f300d06 092a8648
    86f70d01 01010500 03818d00 30818902 818100e4 52687fe4 bc46d95c bb14cb51
    c9ba2757 692683e2 315fb2cb 585c9785 295e9090 88dea89d 5a1497f5 49107a1f
    ea35d71b fd05d9ff 68766519 652f1ff9 d19dc584 310312b2 b369673f 70db355a
    8d1e0a5e 4c825c27 7ad5e4f6 d36cbda7 b4ad77a5 f490d942 2ef2488a bcb97b3f
    5795bbcd 5f5b5c5a ff965272 2c8deaa5 2aa78902 03010001 300d0609 2a864886
    f70d0101 04050003 8181003b ef56a23a 6637ab51 4660e6ef 67833dc4 6fb836c7
    a0130247 a9b56f10 4ebe4214 0956aac8 f864b9bf 7af668d7 766b04c2 f5661fda
    93da385e 2d0bdf7a 41c75c86 ebdfd48c ea873cce 291ee10c 8bd75a69 cc68540a
    f01b8380 de3c72c0 3a6e5201 f8631e34 596ac1aa 8eb09de6 4c40265d 0533288a
    76e9dc77 fc64af00 2a2874
  quit
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
!
class-map inspection_default
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
!
service-policy global_policy global
smtp-server 10.1.1.xx
prompt hostname context
Cryptochecksum:f797f6e302a487264396e7a8509d61bf

Thanks in advance
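Before chasing packets, a reviewer would sanity-check the posted excerpt itself. The following is an added example, not code from the thread: a small Python lint for an ASA 8.2 running-config excerpt that reports interfaces without a nameif or address, access-groups bound to ACLs that have no entries in the excerpt, ACL entries that reference object-groups the excerpt never defines, and same-security interfaces without the inter-interface permit. The sample config embedded in it is constructed from the post above (addresses made up, ACL and object-group names as posted). Run against that excerpt it flags Ethernet0/2 (blank nameif, 0.0.0.0), outside_access_in and object-group trusted; those are consistent with the post being trimmed rather than with a fault, but they are exactly what to confirm on the box before going further.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the config posted above (addresses made up;
# the post lost its indentation, so the parser does not depend on it).
SAMPLE_CONFIG = """\
interface Ethernet0/0
nameif outside
security-level 0
ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
nameif
security-level 100
ip address 0.0.0.0 0.0.0.0
!
interface Ethernet0/3
nameif Wireless
security-level 100
ip address 192.168.1.2 255.255.255.0
!
same-security-traffic permit inter-interface
object-group network Wireless
network-object host 192.168.1.1
access-list outbound extended permit ip object-group trusted any
access-list inside_access_in extended permit ip object-group trusted any
access-list inside_access_in extended permit ip any any inactive
access-list Wireless_access_in extended permit ip any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Wireless_access_in in interface Wireless
"""


def parse_config(text):
    """Collect interfaces, object-group names, ACL entries and access-group bindings."""
    interfaces, groups, acls, bindings, cur = {}, set(), defaultdict(list), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                              # end of an interface block
            cur = None
        elif line.startswith("interface "):
            cur = {"nameif": None, "security": None, "ip": None}
            interfaces[line.split(None, 1)[1]] = cur
        elif cur is not None:                        # sub-command of the current interface
            parts = line.split()
            if parts[0] == "nameif":
                cur["nameif"] = parts[1] if len(parts) > 1 else ""
            elif parts[0] == "security-level":
                cur["security"] = int(parts[1])
            elif line.startswith("ip address "):
                cur["ip"] = parts[2]
        elif m := re.match(r"object-group \S+ (\S+)", line):
            groups.add(m.group(1))
        elif m := re.match(r"access-list (\S+) ", line):
            acls[m.group(1)].append(line)
        elif m := re.match(r"access-group (\S+) (?:in|out) interface (\S+)", line):
            bindings.append((m.group(1), m.group(2)))
    return interfaces, groups, acls, bindings


def lint(text):
    """Return human-readable findings; an empty list means nothing obviously wrong."""
    interfaces, groups, acls, bindings = parse_config(text)
    findings, named = [], {}
    for ifname, intf in interfaces.items():
        if not intf["nameif"]:
            findings.append(f"{ifname}: no nameif, the interface cannot pass traffic")
        else:
            named[intf["nameif"].lower()] = intf      # nameif lookups are case-insensitive
        if intf["ip"] in (None, "0.0.0.0"):
            findings.append(f"{ifname}: no IP address configured")
    for acl, ifname in bindings:
        if acl not in acls:
            findings.append(f"access-group {acl}: no access-list entries for it in this config")
        if ifname.lower() not in named:
            findings.append(f"access-group {acl}: interface {ifname} is not a nameif")
    for acl, entries in acls.items():
        for ref in sorted({g for e in entries for g in re.findall(r"object-group (\S+)", e)}):
            if ref not in groups:
                findings.append(f"access-list {acl}: object-group {ref} is not defined")
    if "same-security-traffic permit inter-interface" not in text:
        levels = defaultdict(list)
        for intf in named.values():
            levels[intf["security"]].append(intf["nameif"])
        for level, names in levels.items():
            if len(names) > 1:
                findings.append(f"{names} share security-level {level} without inter-interface permit")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

The same-security check matters here because inside and Wireless both sit at security-level 100: without `same-security-traffic permit inter-interface` the ASA drops traffic between them regardless of ACLs and NAT.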

9 Replies

Rudy Sanjoko
Level 4

You will need to add a static route for that. If you want to route to the outside interface then you will need to add a default route. From and to which subnets are you trying to route?

Hi, thanks. I'm trying to route from the Wireless interface to Inside and vice versa.

Hello Oscar,

Add the following:

access-list inside_access_in extended permit ip any any

static (inside,wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

static (wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Do that and let me know the results,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi, thanks, I got SYN Timeout

Hello Oscar, do the following:

packet-tracer input inside tcp 10.1.1.15 1025 192.168.1.20 80

packet-tracer input wireless tcp 192.168.1.20 1025 10.1.1.15 80

Provide the entire output of each of them and I will get back to you

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio, here is the output

Result of the command: "packet-tracer input inside tcp 10.1.1.15 1025 192.168.1.20 80"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  match ip Wireless 192.168.1.0 255.255.255.0 inside any
    static translation to 192.168.1.0
    translate_hits = 0, untranslate_hits = 124
Additional Information:
NAT divert to egress interface Wireless
Untranslate 192.168.1.0/0 to 192.168.1.0/0 using netmask 255.255.255.0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match any
policy-map global_policy
class inspection_default
  inspect ftp
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 10.1.1.0 255.255.255.0 Wireless 192.168.1.0 255.255.255.0
    NAT exempt
    translate_hits = 57, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
  match ip inside 10.1.1.0 255.255.255.0 Wireless any
    static translation to 10.1.1.0
    translate_hits = 25, untranslate_hits = 6442
Additional Information:

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
  match ip inside 10.1.1.0 255.255.255.0 Wireless any
    static translation to 10.1.1.0
    translate_hits = 25, untranslate_hits = 6442
Additional Information:

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  match ip Wireless 192.168.1.0 255.255.255.0 inside any
    static translation to 192.168.1.0
    translate_hits = 0, untranslate_hits = 124
Additional Information:

Phase: 12
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  match ip Wireless 192.168.1.0 255.255.255.0 inside any
    static translation to 192.168.1.0
    translate_hits = 0, untranslate_hits = 124
Additional Information:

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8093903, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Wireless
output-status: up
output-line-status: up
Action: allow

Result of the command: "packet-tracer input wireless tcp 192.168.1.20 1025 10.1.1.15 80"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
  match ip inside 10.1.1.0 255.255.255.0 Wireless any
    static translation to 10.1.1.0
    translate_hits = 25, untranslate_hits = 6443
Additional Information:
NAT divert to egress interface inside
Untranslate 10.1.1.0/0 to 10.1.1.0/0 using netmask 255.255.255.0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Wireless_access_in in interface Wireless
access-list Wireless_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip Wireless 192.168.1.0 255.255.255.0 inside 10.1.1.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 52
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (Wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  match ip Wireless 192.168.1.0 255.255.255.0 inside any
    static translation to 192.168.1.0
    translate_hits = 0, untranslate_hits = 124
Additional Information:

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  match ip Wireless 192.168.1.0 255.255.255.0 inside any
    static translation to 192.168.1.0
    translate_hits = 0, untranslate_hits = 124
Additional Information:

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
  match ip inside 10.1.1.0 255.255.255.0 Wireless any
    static translation to 10.1.1.0
    translate_hits = 25, untranslate_hits = 6443
Additional Information:

Phase: 12
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
  match ip inside 10.1.1.0 255.255.255.0 Wireless any
    static translation to 10.1.1.0
    translate_hits = 25, untranslate_hits = 6443
Additional Information:

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8093904, packet dispatched to next module

Result:
input-interface: Wireless
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
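Reading a long packet-tracer trace by eye is error-prone, and the thing a troubleshooter wants from it is short: did any phase say DROP, which rule, and which NAT rules the flow hit. As an added example (not from the thread, and not a Cisco tool), the Python below parses packet-tracer output into its numbered phases and the final Result block and reduces it to those facts. The embedded traces are constructed: the first is an abbreviated version of the format shown above with every phase ALLOW, the second is a hypothetical variant in which the inside ACL denies the flow, so the reader can see what a drop looks like (the `Drop-reason:` line is the one the ASA prints in that case). On the two traces above, where every phase is ALLOW and the Action is allow, the parser reaches the same conclusion Julio draws next: the ASA policy is not the blocker.

```python
# Added example: parse Cisco ASA packet-tracer output and summarise where a flow
# is dropped. Sample traces are constructed (abbreviated from the thread's format).
ALLOW_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  match ip Wireless 192.168.1.0 255.255.255.0 inside any
Additional Information:
NAT divert to egress interface Wireless

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Additional Information:

Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8093903, packet dispatched to next module

Result:
input-interface: inside
output-interface: Wireless
Action: allow
"""

# Hypothetical variant: same first phase, then the inside ACL denies the flow.
DROP_TRACE = ALLOW_TRACE.split("Phase: 2")[0] + """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: inside
output-interface: Wireless
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split a trace into its numbered phases and the final Result block."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":")[1]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                  # final block, not a per-phase "Result: ALLOW"
            cur, section = None, "summary"
        elif section == "summary" and ":" in line:
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
        elif cur is None or not line:
            continue
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section is None:                    # Type / Subtype / Result header fields
            key, _, value = line.partition(":")
            cur[key.strip().lower()] = value.strip()
        else:
            cur[section].append(line)
    return phases, summary


def diagnose(text):
    """Verdict, path, first DROP phase (with the rule that caused it) and NAT rules hit."""
    phases, summary = parse_packet_tracer(text)
    first_drop = next((p for p in phases if p.get("result", "").upper() == "DROP"), None)
    return {
        "action": summary.get("action", "").lower(),
        "path": (summary.get("input-interface"), summary.get("output-interface")),
        "phases": len(phases),
        "drop_phase": first_drop["phase"] if first_drop else None,
        "drop_type": first_drop.get("type") if first_drop else None,
        "drop_rule": next((c for c in first_drop["config"] if c.startswith("access-list")), None)
        if first_drop else None,
        "drop_reason": summary.get("drop-reason"),
        "nat_rules": [c for p in phases if p.get("type") in ("NAT", "UN-NAT")
                      for c in p["config"] if c.startswith("static")],
    }


def verdict(report):
    if report["action"] == "allow" and report["drop_phase"] is None:
        return "ASA policy allows this flow; the loss is outside packet-tracer's view, capture on both interfaces"
    return (f"dropped in phase {report['drop_phase']} ({report['drop_type']}) "
            f"by: {report['drop_rule']} -> {report['drop_reason']}")


if __name__ == "__main__":
    for trace in (ALLOW_TRACE, DROP_TRACE):
        print(verdict(diagnose(trace)))
```

Because packet-tracer only simulates the ASA's own processing, an all-ALLOW trace rules the firewall policy out but says nothing about what happens on the wire; that is why the next step in the thread is a capture on each interface.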

Hello Oscar,

Everything looks good: packets are being allowed and NATted as they should; the ASA setup is the one required.

Time to move on with the packet captures.

May I know 2 ip addresses on those subnets that you could use to test connectivity?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sure, 10.1.1.41 and 192.168.1.15

Result of the command: "packet-tracer input inside tcp 10.1.1.41 1025 192.168.1.15 3389"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Wireless,inside) Wireless Wireless netmask 255.255.255.0
  match ip Wireless Wireless 255.255.255.0 inside any
    static translation to Wireless
    translate_hits = 0, untranslate_hits = 19
Additional Information:
NAT divert to egress interface Wireless
Untranslate Wireless/0 to Wireless/0 using netmask 255.255.255.0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object-group trusted any
object-group network trusted
network-object host 10.1.1.40
network-object host 10.1.1.41
network-object host 10.1.1.42
network-object host 10.1.1.43
network-object host 10.1.1.44
network-object host 10.1.1.45
network-object host 10.1.1.46
network-object host 10.1.1.47
network-object host 10.1.1.48
network-object host 10.1.1.49
network-object host Jake-PC
network-object host DonMiguel
network-object host Sean-Tv
network-object host Marti
network-object host Handpunch
network-object host Ricky
network-object host dnbst2202
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match any
policy-map global_policy
class inspection_default
  inspect ftp
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 10.1.1.0 255.255.255.0 Wireless Wireless 255.255.255.0
    NAT exempt
    translate_hits = 13, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
  match ip inside 10.1.1.0 255.255.255.0 Wireless any
    static translation to 10.1.1.0
    translate_hits = 37, untranslate_hits = 6443
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
  match ip inside 10.1.1.0 255.255.255.0 Wireless any
    static translation to 10.1.1.0
    translate_hits = 37, untranslate_hits = 6443
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Wireless,inside) Wireless Wireless netmask 255.255.255.0
  match ip Wireless Wireless 255.255.255.0 inside any
    static translation to Wireless
    translate_hits = 0, untranslate_hits = 19
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Wireless,inside) Wireless Wireless netmask 255.255.255.0
  match ip Wireless Wireless 255.255.255.0 inside any
    static translation to Wireless
    translate_hits = 0, untranslate_hits = 19
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8169729, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Wireless
output-status: up
output-line-status: up
Action: allow

Result of the command: "packet-tracer input wireless tcp 192.168.1.15 1025 10.1.1.41 3389"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
  match ip inside 10.1.1.0 255.255.255.0 Wireless any
    static translation to 10.1.1.0
    translate_hits = 37, untranslate_hits = 6444
Additional Information:
NAT divert to egress interface inside
Untranslate 10.1.1.0/0 to 10.1.1.0/0 using netmask 255.255.255.0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Wireless_access_in in interface Wireless
access-list Wireless_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static (Wireless,inside) Wireless Wireless netmask 255.255.255.0
  match ip Wireless Wireless 255.255.255.0 inside any
    static translation to Wireless
    translate_hits = 1, untranslate_hits = 19
Additional Information:
Static translate Wireless/0 to Wireless/0 using netmask 255.255.255.0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Wireless,inside) Wireless Wireless netmask 255.255.255.0
  match ip Wireless Wireless 255.255.255.0 inside any
    static translation to Wireless
    translate_hits = 1, untranslate_hits = 19
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
  match ip inside 10.1.1.0 255.255.255.0 Wireless any
    static translation to 10.1.1.0
    translate_hits = 37, untranslate_hits = 6444
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
  match ip inside 10.1.1.0 255.255.255.0 Wireless any
    static translation to 10.1.1.0
    translate_hits = 37, untranslate_hits = 6444
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8169730, packet dispatched to next module

Result:
input-interface: Wireless
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Hello Oscar,

Great, let's move forward with the captures

cap capin interface inside match ip host 10.1.1.41 host 192.168.1.15

cap dmz interface dmz match ip host 10.1.1.41 host 192.168.1.15

Then initiate a connection (whatever protocol: telnet, icmp, http) but just once

Then provide the following info

show cap capin

show cap dmz

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
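The capture step above is where a SYN Timeout gets localised: that teardown reason means the ASA saw the SYN but the three-way handshake never completed, so the question is on which side of the box the packets stop. As an added example (not from the thread, and not a Cisco tool), the Python below parses the tcpdump-style lines that `show cap <name>` prints and correlates the ingress and egress captures for one TCP client/server pair. It assumes the line format shown in its constructed sample (packet number, timestamp, `src.port > dst.port: flags`, with `ack` present on a SYN-ACK) and handles TCP only, so a telnet or http attempt as suggested, not ICMP. The sample captures are made up for the 10.1.1.41 to 192.168.1.15 pair named above, with the Wireless interface as the egress side.

```python
import re

# Constructed sample output modelled on the tcpdump-style lines "show cap <name>"
# prints on an ASA (format is an assumption; these lines are not from the thread).
CAP_INSIDE = """\
2 packets captured
   1: 14:02:11.101010 10.1.1.41.1025 > 192.168.1.15.80: S 1000:1000(0) win 8192 <mss 1460>
   2: 14:02:14.101010 10.1.1.41.1025 > 192.168.1.15.80: S 1000:1000(0) win 8192 <mss 1460>
2 packets shown
"""
CAP_WIRELESS = """\
2 packets captured
   1: 14:02:11.101210 10.1.1.41.1025 > 192.168.1.15.80: S 1000:1000(0) win 8192 <mss 1460>
   2: 14:02:14.101210 10.1.1.41.1025 > 192.168.1.15.80: S 1000:1000(0) win 8192 <mss 1460>
2 packets shown
"""
# Same egress capture but with the server answering the first SYN, for comparison.
CAP_WIRELESS_OK = CAP_WIRELESS.replace(
    "2 packets shown",
    "   3: 14:02:11.102000 192.168.1.15.80 > 10.1.1.41.1025: S 5000:5000(0) ack 1001 win 8192 <mss 1460>\n"
    "3 packets shown")

LINE = re.compile(
    r"^\s*\d+:\s+(\d\d:\d\d:\d\d\.\d+)\s+"            # packet number and timestamp
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+"             # source ip.port
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+(\S+)(.*)$")     # destination ip.port, TCP flags, rest


def parse_capture(text):
    """Return one dict per TCP packet line; header/trailer lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, flags, rest = m.groups()
        pkts.append({"ts": ts, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                     "syn": "S" in flags,          # SYN flag letter
                     "ack": " ack " in rest})      # ACK bit shows up as "ack N" after the seq range
    return pkts


def handshake_seen(pkts, client, server):
    """(client SYN seen, server SYN-ACK seen) for this client/server pair."""
    syn = any(p["syn"] and not p["ack"] and p["src"] == client and p["dst"] == server for p in pkts)
    synack = any(p["syn"] and p["ack"] and p["src"] == server and p["dst"] == client for p in pkts)
    return syn, synack


def diagnose(ingress_text, egress_text, client, server):
    """Say on which side of the ASA the handshake stops, from the two captures."""
    in_syn, in_synack = handshake_seen(parse_capture(ingress_text), client, server)
    eg_syn, eg_synack = handshake_seen(parse_capture(egress_text), client, server)
    if not in_syn:
        return "no SYN on ingress: the client never sent it to the ASA (client routing or ARP)"
    if not eg_syn:
        return "SYN on ingress but not on egress: the ASA dropped or misrouted it, check packet-tracer and show asp drop"
    if not eg_synack:
        return "SYN left the egress interface but no SYN-ACK came back: look at the server (host firewall, service, its return route)"
    if not in_synack:
        return "SYN-ACK reached the ASA but not the client side: the return path is being dropped by the ASA"
    return "three-way handshake passed through the ASA; the problem is not on this path"


if __name__ == "__main__":
    print(diagnose(CAP_INSIDE, CAP_WIRELESS, "10.1.1.41", "192.168.1.15"))
    print(diagnose(CAP_INSIDE, CAP_WIRELESS_OK, "10.1.1.41", "192.168.1.15"))
```

With the constructed captures the verdict is "SYN left the egress interface but no SYN-ACK came back", which is the pattern that matches an all-ALLOW packet-tracer plus a SYN Timeout on the ASA: the firewall forwarded the SYN and the silence comes from the far side.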