07-15-2014 05:49 AM - edited 03-11-2019 09:28 PM
Hello everyone,
We have a Cisco ASA 5520 firewall with several interfaces configured for our internal networks, all with the same Security-Level = 100, and configured to enable traffic between two or more internal interfaces - still not working.
We have ASA version 9.0(3)
Not sure what's stopping this traffic or what's required to allow all internal networks to communicate together.
Thank you
07-15-2014 06:01 AM
Hi,
Can you share any configurations?
Are you sure you have the following command enabled? I think you are saying that you do, but I just want to make sure, as there are 2 similar commands
same-security-traffic permit inter-interface
If that is enabled then have you confirmed that there are no ACLs attached that could potentially block the traffic?
show run access-group
If no ACLs block the traffic from behind the internal interfaces of the ASA then have you made sure that the network devices connected to the ASA are configured correctly so that the traffic is actually forwarded to the ASA? Is there any other device besides the ASA that could block the connections that you are trying?
Have you configured the appropriate routing configurations for the source/destination networks or are they directly connected to the ASA? Have you checked the output of the following commands to confirm that the routes are there
show run route
show route
Have you tried the "packet-tracer" command to simulate the connections? For example
packet-tracer input <source interface> tcp <source ip> 12345 <destination ip> <destination port>
With regards to NAT and your current software level, you should not need any NAT configurations for traffic between these networks behind different interfaces of the ASA. This was different in the older software versions.
Checking the above things should get us some information about what the problem is. Naturally, to confirm the situation with the ASA, the "packet-tracer" result and the actual ASA configuration would be the best things for solving the problem.
Hope this helps :)
- Jouni
07-15-2014 06:48 AM
Hi Jouni, hope all is well
The config file listed below
ASA Version 9.0(3)
!
hostname PCSI-5520ASA-DR
domain-name PCSASA.org
enable password encrypted
passwd encrypted
names
!
interface GigabitEthernet0/0
description <**TW_ISP_WAN_INT**>
nameif outside
security-level 0
ip address 98.101.206.254 255.255.255.0
!
interface GigabitEthernet0/1
description CSI_VLAN101_NETWORK
nameif VLAN101
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/2
description CSI_VLAN102_NETWORK
nameif VLAN102
security-level 100
ip address 10.10.2.1 255.255.255.0
!
interface GigabitEthernet0/3
description CSI_VLAN104_NETWORK
nameif VLAN104
security-level 100
ip address 10.10.4.1 255.255.255.0
!
interface Management0/0
description <**IT_MGMT_Network**>
nameif VLAN172
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1/0
description CSI_VLAN106_NETWORK
nameif VLAN106
security-level 100
ip address 10.10.6.1 255.255.255.0
!
interface GigabitEthernet1/1
description CSI_VLAN107_NETWORK
nameif VLAN107
security-level 100
ip address 10.10.7.1 255.255.255.0
!
interface GigabitEthernet1/2
description CSI_VLAN108_NETWORK
nameif VLAN108
security-level 100
ip address 10.10.8.1 255.255.255.0
!
interface GigabitEthernet1/3
description CSI_VLAN109_NETWORK
nameif VLAN109
security-level 100
ip address 10.10.9.1 255.255.255.0
!
boot system disk0:/asa903-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup VLAN172
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.1
domain-name PCSASA.org
same-security-traffic permit inter-interface
object network OBJ_ANY
subnet 0.0.0.0 0.0.0.0
description NAT_Internet_Access_7_10_14
object network my_laptop
host 172.16.1.189
description My laptop 7_10_14
object network MY_LAPTOP
host 172.16.1.189
object service RDP3389
service tcp destination eq 3389
description RDP access
object-group network IT_MGMT_Network
description IT_Management_Network
network-object object my_laptop
access-list outside_access_in remark test access 7-10-14
access-list outside_access_in extended permit object RDP3389 any object my_laptop
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu VLAN172 1500
mtu VLAN101 1500
mtu VLAN102 1500
mtu VLAN104 1500
mtu VLAN106 1500
mtu VLAN107 1500
mtu VLAN108 1500
mtu VLAN109 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network OBJ_ANY
nat (any,outside) dynamic interface
object network MY_LAPTOP
nat (VLAN172,any) static 98.101.206.253
!
nat (VLAN172,outside) after-auto source dynamic any interface description PAT_NAT_INTERNET_ACCESS_7_10_14
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 98.101.206.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http server idle-timeout 480
http server session-timeout 480
http VLAN172
http outside
http outside
http outside
http outside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet VLAN172
telnet timeout 60
ssh outside
ssh outside
ssh outside
ssh outside
ssh outside
ssh VLAN172
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.87.104.40 source outside
ntp server 64.113.32.9 source outside
ntp server 50.22.155.163 source outside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3c350ef9cbd162df64ce65c252786fd7
: end
We have only one Cisco 3750 switch, connecting all the clients to, routing everything to the 5520 ASA for internet access
Thanks
07-15-2014 07:10 AM
Hi,
Judging from your ASA configuration, the C3750 is not doing any routing, as there are no static "route" configurations on the ASA pointing towards any of the interfaces other than the WAN interface of the ASA.
Is the ASA set as the default gateway for each network's hosts, or is there some Vlan interface for each Vlan configured on the 3750 which is acting as the default gateway?
At this point it would seem to me that the problem is possibly in the C3750 configurations. Your ASA configuration seems to suggest that there should only be a switched network behind it (as there are no routes pointing towards the LAN). Yet you say that the 3750 is routing everything to the ASA?
I guess you should check the 3750 configurations or share some configurations.
- Jouni
07-15-2014 07:45 AM
Jouni,
The 3750 switch is directly connected to all internal networks - we can ping each subnet from either device. Do we need routing set up on both the ASA and the 3750 switch?
On the 3750 we have ip route 0.0.0.0 0.0.0.0 to the ASA 172.16.1.1 management interface.
07-15-2014 07:53 AM
Hi,
But is the 3750 acting as the gateway for the LAN networks, or do the computers use the ASA's interface IP address as the gateway? How are the 3750 interfaces connected to the ASA configured?
If your 3750 is the gateway for all the LAN networks, then the above mentioned default route configuration on the 3750 means that ALL traffic out from the LAN networks will be forwarded through the ASA interface that holds the IP address 172.16.1.1.
Then again, if all of the Vlans were using the 3750 as their default gateway, then the traffic should flow just fine between the LAN networks.
I would really need to see the 3750 configuration, or at least the routing table of the 3750, to see how it's set up.
- Jouni
07-15-2014 08:13 AM
The 3750 stack - routing information
PCS_LAB_SW1(config)#do sh run | b ip route
ip route 0.0.0.0 0.0.0.0 172.16.1.1
Gateway of last resort is 172.16.1.1 to network 0.0.0.0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Vlan172
10.0.0.0/24 is subnetted, 7 subnets
C 10.10.1.0 is directly connected, Vlan101
C 10.10.2.0 is directly connected, Vlan102
C 10.10.4.0 is directly connected, Vlan104
C 10.10.6.0 is directly connected, Vlan106
C 10.10.7.0 is directly connected, Vlan107
C 10.10.8.0 is directly connected, Vlan108
C 10.10.9.0 is directly connected, Vlan109
S* 0.0.0.0/0 [1/0] via 172.16.1.1
07-15-2014 08:32 AM
Hi,
I would still need to know when the hosts get an IP address from any of the above LAN networks what is the gateway IP address they get/use? Is the Vlan interface IP address on the 3750 or the ASA interface IP address?
- Jouni
07-15-2014 08:37 AM
My bad - sorry about that
All servers /clients will use static addressing
The only way I can make this work is assign the default gateway to the ASA for all servers /clients.
When I use the 3750 stack as their default gateway they have no internet access, they can't access any other subnet.
I'm sure we missed something on the 3750 stack or the 5520 ASA
07-15-2014 09:07 AM
Hi,
If you want to use the ASA to control traffic between all the networks then you should not really configure any routing on the 3750. You should simply configure the amount of Vlans you need on the 3750.
At the moment it seems to me that you are using a separate physical interface on the ASA for each of the Vlans (I presume each ASA interface is connected to an Access port on the 3750 belonging to the specific Vlan). Typically, though, you would configure a Trunk interface between the ASA and the 3750 so you don't have to spend all the physical interfaces on the ASA. You don't necessarily have to use only 1 Trunk interface. You can separate the Vlans onto several Trunk interfaces. Then again, you could also configure a Port-Channel between the 3750 and the ASA and Trunk the Vlans to the ASA through that.
At this point I would imagine the simplest way for you to go, that doesn't require that many changes, would be to configure every single host to use the ASA interface IP address (for the Vlan in question) as their gateway. You can also remove the IP address from most of the Vlan interfaces. If you need one for Management purposes, then I guess you could leave Vlan172 with an IP address so you can connect to the 3750 remotely if needed.
If you want to use DHCP then you can either use the ASA as DHCP server for each of the interfaces or you can setup some DHCP server on some Vlan and configure the ASA with DHCP Relay on the interfaces so they relay the DHCP traffic to a server behind another ASA interface.
- Jouni
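As an added illustration for this thread (this is not Cisco's code and not the poster's or Jouni's), the Python script below parses a constructed ASA config modelled on the one posted earlier (trimmed to four interfaces) and walks through the checks Jouni listed for a given flow: whether `same-security-traffic permit inter-interface` is present, which interface the ASA would route the destination out of (longest-prefix match over connected subnets and static routes), whether an ACL is applied inbound on the ingress interface, and whether the packet enters on the interface where its source subnet actually lives. The `ingress_for_design` helper and its `hosts_use_asa_gateway` flag are my own modelling of the two designs discussed in the thread (hosts using the ASA interface as gateway versus the 3750 with its default route to 172.16.1.1); in the 3750 case only traffic the switch forwards via that default route is modelled, and the parser understands only the statements it needs.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed config modelled on the one posted in this thread (trimmed to the
# statements the checker understands); it is not the poster's full running-config.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 98.101.206.254 255.255.255.0
interface GigabitEthernet0/1
 nameif VLAN101
 security-level 100
 ip address 10.10.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif VLAN102
 security-level 100
 ip address 10.10.2.1 255.255.255.0
interface Management0/0
 nameif VLAN172
 security-level 100
 ip address 172.16.1.1 255.255.255.0
same-security-traffic permit inter-interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 98.101.206.1 1
"""


@dataclass
class Iface:
    name: str
    security: int
    network: ipaddress.IPv4Network   # directly connected subnet


@dataclass
class AsaConfig:
    ifaces: dict = field(default_factory=dict)   # nameif -> Iface
    routes: list = field(default_factory=list)   # (network, egress nameif, next hop)
    in_acls: dict = field(default_factory=dict)  # nameif -> ACL applied inbound
    same_security_inter: bool = False


def parse_asa(text):
    """Parse only the ASA statements this checker needs (hypothetical, minimal grammar)."""
    cfg, cur = AsaConfig(), {}

    def flush():  # commit the interface block collected so far, if complete
        if {"name", "security", "network"} <= cur.keys():
            cfg.ifaces[cur["name"]] = Iface(**cur)

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            flush()
            cur.clear()
        elif line.startswith("nameif "):
            cur["name"] = line.split()[1]
        elif line.startswith("security-level "):
            cur["security"] = int(line.split()[1])
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()[:4]
            cur["network"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line.startswith("route "):
            _, nameif, net, mask, nexthop = line.split()[:5]
            cfg.routes.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), nameif, nexthop))
        elif line.startswith("access-group "):
            m = re.match(r"access-group (\S+) in interface (\S+)", line)
            if m:
                cfg.in_acls[m.group(2)] = m.group(1)
        elif line == "same-security-traffic permit inter-interface":
            cfg.same_security_inter = True
    flush()
    return cfg


def connected_interface(cfg, ip):
    """Interface whose connected subnet contains ip, or None."""
    ip = ipaddress.ip_address(ip)
    return next((i.name for i in cfg.ifaces.values() if ip in i.network), None)


def egress_interface(cfg, dst):
    """Longest-prefix match over connected subnets and static routes."""
    dst = ipaddress.ip_address(dst)
    candidates = [(i.network, i.name) for i in cfg.ifaces.values()]
    candidates += [(net, nameif) for net, nameif, _ in cfg.routes]
    matches = [(net.prefixlen, nameif) for net, nameif in candidates if dst in net]
    return max(matches)[1] if matches else None


def ingress_for_design(cfg, src, hosts_use_asa_gateway, switch_default_gw="172.16.1.1"):
    """ASA interface a host's packet arrives on under the two designs in the thread
    (3750 design: only traffic the switch sends via its 0.0.0.0/0 -> 172.16.1.1 route)."""
    if hosts_use_asa_gateway:
        return connected_interface(cfg, src)            # gateway is the ASA interface on the host's own VLAN
    return connected_interface(cfg, switch_default_gw)  # switch hands everything to the 172.16.1.1 interface


def check_flow(cfg, src, dst, ingress):
    """Return (egress interface, list of findings) for src -> dst entering on `ingress`."""
    findings = []
    egress = egress_interface(cfg, dst)
    if ingress not in cfg.ifaces:
        return egress, [f"unknown ingress interface {ingress}"]
    if egress is None:
        findings.append(f"no route for {dst}")
    elif egress == ingress:
        findings.append(f"hairpin on {ingress}: needs 'same-security-traffic permit intra-interface'")
    elif cfg.ifaces[ingress].security == cfg.ifaces[egress].security and not cfg.same_security_inter:
        findings.append("equal security levels but 'same-security-traffic permit inter-interface' is missing")
    if ingress in cfg.in_acls:
        findings.append(f"ACL {cfg.in_acls[ingress]} is applied inbound on {ingress} and must permit {src} -> {dst}")
    home = connected_interface(cfg, src)
    if home and home != ingress:
        findings.append(f"{src} belongs to the subnet on {home} but enters on {ingress}")
    return egress, findings


if __name__ == "__main__":
    cfg = parse_asa(ASA_CONFIG)
    for design in (True, False):
        ingress = ingress_for_design(cfg, "10.10.1.50", design)
        print("hosts_use_asa_gateway =", design, check_flow(cfg, "10.10.1.50", "8.8.8.8", ingress))
```

Run against the constructed config, the VLAN101-to-VLAN102 flow entering on VLAN101 produces no findings, while an internet-bound flow from 10.10.1.50 under the 3750-gateway design enters on VLAN172 and is flagged because the ASA has that source subnet directly connected on VLAN101, which is the situation Jouni describes for the 0.0.0.0/0 route to 172.16.1.1. Removing the `same-security-traffic` line makes the inter-VLAN flow report the missing command, which is the first thing the thread asked to verify.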