06-01-2021 11:21 AM
Hello All,
My main interface on my ASA can reach the internet and load web pages of my servers on my server vlan and CCTV vlan.
But the CCTV and Server VLANs cannot reach the outside network; additionally, my servers can't ping back to the main network.
Config Posted as Spoiler Below
: Saved
:
: Serial Number: SANITIZED
: Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
:
ASA Version 9.9(2)
!
hostname ciscoasa
enable password
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address dhcp
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.0.0.1 255.255.254.0
!
interface GigabitEthernet0/1.70
 vlan 70
 nameif CCTV
 security-level 100
 ip address 10.0.7.1 255.255.255.0
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif Servers
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns domain-lookup Servers
dns server-group DefaultDNS
 name-server 1.1.1.1 OUTSIDE
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VLAN100
 subnet 10.0.10.0 255.255.255.0
 description ServerFarm
object network VLAN70
 subnet 10.0.7.0 255.255.255.0
 description CCTV
object network Meraki3
 subnet 209.206.49.0 255.255.255.224
object network 4Meraki3
 subnet 209.206.51.0 255.255.255.224
object network test
object network Test
 subnet 10.0.10.0 255.255.255.0
object-group service allow_internet_tcp tcp
 description allow tcp ports for allowing access internet access
 port-object eq www
 port-object eq https
object-group service allow_internet_udp udp
 description allow udp ports for allowing access internet access
 port-object eq dnsix
object-group network Meraki
 network-object host 209.206.52.203
 network-object host 8.8.8.8
 network-object object 4Meraki3
 network-object object Meraki3
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object icmp
 service-object tcp-udp destination eq www
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp
 service-object tcp-udp destination eq www
 service-object tcp destination eq echo
object-group service DM_INLINE_SERVICE_3
 service-object icmp
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
 service-object ip
 service-object tcp-udp destination eq domain
 service-object tcp destination eq echo
object-group service DM_INLINE_SERVICE_4
 service-object ip
 service-object icmp
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
 service-object tcp-udp destination eq domain
 service-object tcp destination eq echo
object-group service DM_INLINE_SERVICE_5
 service-object ip
 service-object tcp-udp destination eq domain
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
 service-object tcp-udp destination eq echo
access-list out2in extended permit tcp any any
access-list out2in extended permit ip any any
access-list INSIDE_access_in_1 extended permit ip any any
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_3 object-group Meraki any
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any object-group Meraki
access-list INSIDE_access_in_1 extended permit icmp any any
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 10.0.7.0 255.255.255.0 any
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_4 10.0.10.0 255.255.255.0 any
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_4 object-group Meraki any
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_2 any object-group Meraki
access-list OUTSIDE_access_in_1 extended permit icmp any any
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_5 10.0.10.0 255.255.255.0 any
access-list CCTV_access_in extended permit object-group DM_INLINE_SERVICE_1 any 10.0.7.0 255.255.255.0
access-list Servers_access_in extended permit object-group DM_INLINE_SERVICE_3 10.0.0.0 255.255.254.0 any
access-list Servers_access_in extended permit tcp any 10.0.10.0 255.255.255.0 eq domain
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu CCTV 1500
mtu Servers 1500
mtu management 1500
no failover
no monitor-interface CCTV
no monitor-interface Servers
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (INSIDE,OUTSIDE) source dynamic OBJ_GENERIC_ALL interface
!
object network obj_any
 nat (INSIDE,OUTSIDE) dynamic interface
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group OUTSIDE_access_in_1 in interface OUTSIDE
access-group INSIDE_access_in_1 in interface INSIDE
access-group CCTV_access_in in interface CCTV
access-group Servers_access_in in interface Servers
!
route-map A permit 1
 match interface INSIDE
!
route OUTSIDE 0.0.0.0 0.0.0.0 SANITIZE 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 -- SANITIZED REMOVED CERTS --
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 INSIDE
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.0.0.11-10.0.0.254 INSIDE
dhcpd dns 1.1.1.1 interface INSIDE
dhcpd enable INSIDE
!
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay timeout 60
dhcprelay information trust-all
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
webvpn
 anyconnect-essentials
 cache
  disable
 error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
username SANITIZED
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
hpm topN enable
Cryptochecksum:SANITIZED
: end
06-01-2021 07:02 PM
You appear to have built your access-lists with a misunderstanding of how the ASA stateful firewall works. By default, traffic from higher security (e.g., the "100 level" assigned to all but the outside interface) to lower security (e.g., the "0" level assigned to outside) is allowed, as is the return traffic in those flows - without applying any access-list using the access-group command.
We generally use access-lists to restrict what can initiate traffic to a given resource. So, if you want your CCTV and Servers networks to be able to talk to anything ("initiate") then you don't need any access-list on those respective interfaces. Your OUTSIDE_access_in_1 ACL also has this error. An ACL like that, applied to the outside interface, is generally used to expose certain internal hosts or networks to communications initiated from the outside.
Your objects DM_INLINE_SERVICE_4 and _5 include all ip and icmp traffic (among others), making it essentially a "permit any any" sort of rule.
06-01-2021 11:35 AM - edited 06-01-2021 11:37 AM
You have:
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
...covering traffic from the INSIDE interface but no corresponding NAT rules for your CCTV and Servers interfaces.
Also, the access-lists applied to the CCTV and Servers interfaces have an implicit deny in each that will prevent them from reaching anything other than what's explicitly allowed in their current respective access-lists.
06-01-2021 11:44 AM
So for the NAT I would run
nat (CCTV,OUTSIDE) after-auto source dynamic any interface
nat (Servers,OUTSIDE) after-auto source dynamic any interface
06-01-2021 11:56 AM
Correct. And also allow the traffic in your two ACLs
access-list CCTV_access_in
access-list Servers_access_in
Even with the NAT rules in place, those ACLs will deny the traffic.
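As an added example (not code from the thread, and not a Cisco tool), the Python script below turns the diagnosis in the replies above into a check that can be run against a saved running-config. For each nameif it reports whether a `nat (nameif,OUTSIDE)` rule exists, which ACL is applied inbound, and whether that ACL contains a permit ACE with protocol ip, a source covering the interface's own subnet and destination any, that is, whether hosts on that interface can initiate traffic through it at all. With no access-group applied the ASA default (higher to lower security, plus same-level with same-security-traffic) lets them initiate, so that case reports true. The parser is a hypothetical minimal one written for this example: it understands only the syntax used in the constructed, abridged excerpt of the posted config embedded in the script (interfaces, protocol and service object-groups in the protocol position, extended ACEs with any/host/subnet addresses, manual and object NAT lines, access-group), and it does not resolve network objects or object-groups used as ACE addresses (such ACEs are never counted as a permit). FIXED_CONFIG applies the accepted answer's fix to the excerpt: NAT rules for CCTV and Servers, and no access-group on those two interfaces.

```python
"""Added example, not code from the thread: a minimal lint for an ASA running-config that
reports, per nameif, NAT toward the outside and whether the applied ACL lets the interface's
own subnet initiate IP traffic.  Hypothetical parser; handles only the syntax in the excerpt."""
import ipaddress

# Constructed, abridged excerpt of the config posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif INSIDE
 ip address 10.0.0.1 255.255.254.0
interface GigabitEthernet0/1.70
 nameif CCTV
 ip address 10.0.7.1 255.255.255.0
interface GigabitEthernet0/1.100
 nameif Servers
 ip address 10.0.10.1 255.255.255.0
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp-udp destination eq www
access-list INSIDE_access_in_1 extended permit ip any any
access-list CCTV_access_in extended permit object-group DM_INLINE_SERVICE_1 any 10.0.7.0 255.255.255.0
access-list Servers_access_in extended permit ip 10.0.0.0 255.255.254.0 any
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group INSIDE_access_in_1 in interface INSIDE
access-group CCTV_access_in in interface CCTV
access-group Servers_access_in in interface Servers
"""

# The accepted answer's fix: NAT for CCTV and Servers, and no access-group on those two
# interfaces, so the ASA default (initiate outward, return traffic allowed back) applies.
FIXED_CONFIG = "\n".join(line for line in SAMPLE_CONFIG.splitlines() if not line.startswith(
    ("access-group CCTV", "access-group Servers"))) + """
nat (CCTV,OUTSIDE) after-auto source dynamic any interface
nat (Servers,OUTSIDE) after-auto source dynamic any interface
"""

def _net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(text):  # -> (interfaces, object-group members, ACLs, NAT pairs, access-groups)
    ifaces, groups, acls, nat, applied, cur = {}, {}, {}, set(), {}, None
    for raw in filter(str.strip, text.splitlines()):
        t = raw.split()
        if t[0] == "nat":                        # manual or object NAT: nat (real,mapped) ...
            nat.add(tuple(t[1].strip("()").split(",")))
        elif raw[0] == " ":                      # other indented lines belong to the open block
            if isinstance(cur, dict):
                cur[t[0]] = t[1:]                # interface sub-command: nameif, ip, ...
            elif isinstance(cur, list):
                cur.append(t)                    # object-group member
        else:
            cur = None                           # any top-level command closes the block
            if t[0] == "interface":
                cur = ifaces.setdefault(t[1], {})
            elif t[0] in ("object", "object-group"):
                cur = groups.setdefault(t[2], [])
            elif t[0] == "access-list" and t[2] == "extended":
                acls.setdefault(t[1], []).append(t[3:])
            elif t[0] == "access-group":         # access-group ACL in interface IF
                applied[t[4]] = t[1]
    return ifaces, groups, acls, nat, applied

def _addr(t, i):  # address field at token i -> (network or None, next index)
    if t[i] == "any":
        return _net("0.0.0.0", "0.0.0.0"), i + 1
    if t[i] == "host":
        return _net(t[i + 1]), i + 2
    if t[i] in ("object", "object-group"):      # named address objects are not resolved here
        return None, i + 2
    return _net(t[i], t[i + 1]), i + 2

def parse_ace(t, groups):  # t = tokens after 'extended': action, proto, src, dst, [ports]
    if t[1] == "object-group":                   # protocol or service object-group
        proto, i = set(), 3
        for m in groups[t[2]]:
            if m[0] in ("protocol-object", "service-object"):
                proto.update(("tcp", "udp") if m[1] == "tcp-udp" else (m[1],))
    else:
        proto, i = {t[1]}, 2
    src, i = _addr(t, i)
    dst, _ = _addr(t, i)
    return {"action": t[0], "proto": proto, "src": src, "dst": dst}

def lint(text, outside="OUTSIDE"):
    ifaces, groups, acls, nat, applied = parse(text)
    report = {}
    for props in (p for p in ifaces.values() if "nameif" in p):
        name, ip = props["nameif"][0], props.get("ip", [])
        subnet = _net(ip[1], ip[2]) if len(ip) == 3 else None   # None for 'ip address dhcp'
        acl = applied.get(name)
        aces = [parse_ace(a, groups) for a in acls.get(acl, [])]
        report[name] = {
            "nat_to_outside": (name, outside) in nat,
            "acl": ac1 if False else acl,
            # No access-group: ASA default lets hosts initiate; with one, implicit deny applies.
            "can_initiate_ip": acl is None or any(
                a["action"] == "permit" and "ip" in a["proto"] and subnet is not None
                and a["dst"] is not None and a["dst"].prefixlen == 0
                and a["src"] is not None and subnet.subnet_of(a["src"]) for a in aces),
        }
    return report
```

Run against the excerpt, CCTV and Servers both report nat_to_outside False and can_initiate_ip False (Servers because the only outbound permit in Servers_access_in names 10.0.0.0/23 as its source, which does not cover 10.0.10.0/24), while INSIDE reports True for both; against FIXED_CONFIG all three report True. To try it on the real device, save the output of `show running-config` to a file and call lint() on its contents; interfaces whose ACEs use object-group addresses will show can_initiate_ip False until that resolution is added.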
06-01-2021 12:39 PM
I'm having some issues with the ACLs are you able to assist?