412 Views, 0 Helpful, 2 Replies

ASA communication between subinterfaces

Kool1sttt
Level 1

Hi everyone

 I have some questions about an ASA5555: it can't communicate between subinterfaces (VLAN 501 (iLo) and 503 (OOB)). I've already configured nat (OOB,iLo) static any any but it doesn't work. Please guide me; the show running-config output is below.

PPCIASA801# sh run
: Saved
:
: Serial Number: FCH19277H57
: Hardware:   ASA5555, 16384 MB RAM, CPU Lynnfield 2792 MHz, 1 CPU (8 cores)
:
ASA Version 9.2(2)4
!
hostname PPCIASA801
enable password uetIHtSiMvqRuhlL encrypted
names
ip local pool VPN_Pool 10.206.38.1-10.206.38.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif LAN-Office
 security-level 100
 ip address 10.5.4.38 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 channel-group 1 mode active
 no nameif    
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 nameif WAN-CDN
 security-level 100
 ip address 10.5.97.81 255.255.255.248 standby 10.5.97.82
!
interface GigabitEthernet0/5
 nameif Telecom-OAM
 security-level 100
 ip address 10.216.200.38 255.255.255.248 standby 10.216.200.37
!
interface GigabitEthernet0/6
 nameif BE
 security-level 100
 ip address 10.206.33.254 255.255.255.0 standby 10.206.33.253
!             
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 no nameif
 no security-level
 no ip address
!
interface Port-channel1
 lacp max-bundle 8
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.501
 vlan 501
 nameif iLo
 security-level 100
 ip address 10.206.36.1 255.255.255.224
!             
interface Port-channel1.502
 vlan 502
 nameif iSCSI
 security-level 100
 ip address 10.206.36.33 255.255.255.224
!
interface Port-channel1.503
 vlan 503
 nameif OOB
 security-level 100
 ip address 10.206.36.65 255.255.255.192
!
interface Port-channel1.505
 vlan 505
 nameif CDN-OOB
 security-level 100
 ip address 10.206.36.129 255.255.255.224 standby 10.206.36.130
!
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
clock timezone BKK 7
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.206.37.0_24
 subnet 10.206.37.0 255.255.255.0
object network PPCIMGSTRESW801
 host 10.206.36.126
object network NTP
 host 10.15.248.1
object service NTPport
 service udp source eq ntp destination eq ntp
object network LAN
 host 10.5.4.36
object network Nigios
 host 10.217.242.98
object network Alarm
 host 10.216.200.36
object network SSL-VPN
 subnet 10.217.0.0 255.255.0.0
object network NETWORK_OBJ_10.206.36.64_26
 subnet 10.206.36.64 255.255.255.192
object network Active
 host 10.235.4.180
object network Backup
 host 10.235.6.180
object network OOB-network
 subnet 10.206.36.64 255.255.255.192
object network iLo-network
 subnet 10.206.36.0 255.255.255.224
object network Nat-Cas
 host 10.206.36.61
object network CAS
 host 10.206.36.126
object-group network CAS-Terminal
 network-object host 10.217.200.134
 network-object host 10.235.4.180
 network-object host 10.235.6.180
object-group network PCI-DSS
 network-object object OOB-network
 network-object object iLo-network
access-list iSCSI_access_in extended permit ip any any
access-list global_access extended permit ip any any
access-list OOB_access_in extended permit ip any any
access-list LAN-Office_access_in extended permit ip any any
access-list iLo_access_in extended permit ip any any
access-list inside standard permit 10.206.36.0 255.255.255.224
access-list inside standard permit 10.206.36.32 255.255.255.224
access-list inside standard permit 10.5.4.32 255.255.255.248
access-list inside standard permit 10.206.36.64 255.255.255.192
access-list inside standard permit 10.206.36.128 255.255.255.224
access-list inside standard permit 10.206.37.0 255.255.255.0
access-list Telecom-OAM_access_in extended permit ip any any
access-list Telecom-OAM_cryptomap extended permit ip object-group PCI-DSS object-group CAS-Terminal
access-list CDN-OOB_access_in extended permit ip any any
access-list WAN-CDN_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu LAN-Office 1500
mtu iLo 1500
mtu iSCSI 1500
mtu OOB 1500
mtu WAN-CDN 1500
mtu BE 1500
mtu Telecom-OAM 1500
mtu CDN-OOB 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any LAN-Office
icmp permit any iLo
icmp permit any iSCSI
icmp permit any OOB
icmp permit any WAN-CDN
icmp permit any BE
icmp permit any Telecom-OAM
icmp permit any CDN-OOB
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Telecom-OAM,OOB) source static any any no-proxy-arp
nat (OOB,Telecom-OAM) source static any any no-proxy-arp
nat (Telecom-OAM,iLo) source static any any no-proxy-arp
nat (iLo,Telecom-OAM) source static any any no-proxy-arp
nat (OOB,CDN-OOB) source static any any no-proxy-arp
nat (CDN-OOB,OOB) source static any any no-proxy-arp
nat (WAN-CDN,CDN-OOB) source static any any no-proxy-arp
nat (CDN-OOB,WAN-CDN) source static any any no-proxy-arp
nat (OOB,iLo) source static any any no-proxy-arp
nat (iLo,OOB) source static any any no-proxy-arp
access-group LAN-Office_access_in in interface LAN-Office
access-group iLo_access_in in interface iLo
access-group iSCSI_access_in in interface iSCSI
access-group OOB_access_in in interface OOB
access-group WAN-CDN_access_in in interface WAN-CDN
access-group Telecom-OAM_access_in in interface Telecom-OAM
access-group CDN-OOB_access_in in interface CDN-OOB
access-group global_access global
route LAN-Office 0.0.0.0 0.0.0.0 10.5.4.33 1
route WAN-CDN 10.5.0.0 255.255.0.0 10.5.97.86 1
route Telecom-OAM 10.217.0.0 255.255.0.0 10.216.200.33 1
route Telecom-OAM 10.235.4.0 255.255.255.0 10.216.200.33 1
route BE 10.251.53.25 255.255.255.255 10.206.33.1 1
route BE 10.251.54.25 255.255.255.255 10.206.33.1 1
route LAN-Office 172.0.0.0 255.0.0.0 10.5.4.33 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS-RSA-AD protocol radius
aaa-server ACS-RSA-AD (BE) host 10.251.54.25
 authentication-port 1812
 accounting-port 1813
aaa-server ACS-RSA-AD (BE) host 10.251.53.25
 authentication-port 1812
 accounting-port 1813
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 LAN-Office
http 0.0.0.0 0.0.0.0 OOB
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map LAN-Office_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map LAN-Office_map interface LAN-Office
crypto map Telecom-OAM_map 1 match address Telecom-OAM_cryptomap
crypto map Telecom-OAM_map 1 set peer 10.217.200.14
crypto map Telecom-OAM_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map Telecom-OAM_map interface Telecom-OAM
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=PPCIASA801
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate c326d155
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2    
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable LAN-Office client-services port 443
crypto ikev2 enable Telecom-OAM
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable LAN-Office
crypto ikev1 enable Telecom-OAM
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2      
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2      
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2      
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 LAN-Office
telnet 0.0.0.0 0.0.0.0 OOB
telnet timeout 30
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 LAN-Office
ssh 0.0.0.0 0.0.0.0 OOB
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign dhcp
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.15.248.1 source LAN-Office
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 LAN-Office
webvpn
 enable LAN-Office
 anyconnect image disk0:/anyconnect-win-4.1.04011-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 3
 anyconnect profiles LANOFFICE_client_profile disk0:/LANOFFICE_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_LANOFFICE internal
group-policy GroupPolicy_LANOFFICE attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 password-storage enable
 ip-comp enable
 pfs enable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inside
 default-domain none
 client-bypass-protocol enable
 webvpn
  anyconnect profiles value LANOFFICE_client_profile type user
  anyconnect ssl df-bit-ignore enable
group-policy GroupPolicy_10.217.200.14 internal
group-policy GroupPolicy_10.217.200.14 attributes
 vpn-tunnel-protocol ikev1
username pareeya password F7dtVus2GTHMhm0A encrypted privilege 15
username passakj7 password 39Kg5YajS30zqIK5 encrypted privilege 15
username pareeyp7 password MV45Bqo4DOiP92mZ encrypted privilege 15
username wutthiks password jCCPsXUkl86IYeV8 encrypted privilege 15
username sarunyak password R90pUvmo4lMQoGm6 encrypted privilege 15
username sarawuti password odS/BHaPrbnEUcY9 encrypted privilege 15
username barasupport2 password vVgx5fGsrKNi19hk encrypted privilege 15
username barasupport1 password vVgx5fGsrKNi19hk encrypted privilege 15
username arnondhc password GtkSN5kul7YoM1Ru encrypted privilege 15
username jiraponl password levnSq4nvIHDrJve encrypted privilege 15
username aekkana7 password AEHowVhDc2vmdPWu encrypted privilege 15
username atasitn7 password aw.sjzkwsqAgMGVE encrypted privilege 15
username tanatatp password bTy2rIo7kWwpgKgM encrypted privilege 15
username surachta password QdjcnY299cJF1mYB encrypted privilege 15
username sutinunp password QOGC/a1o2G6hhRz0 encrypted privilege 15
username sujitrl7 password yQ5quuq2LMKJemve encrypted privilege 15
username vasarucr password ECSEkjTxOu8KXooU encrypted privilege 15
username phatths7 password ywSj/mOFJGNNqD9H encrypted privilege 15
username harutais password 3765CYz1zxqeOBHr encrypted privilege 15
username kanoktiy password VjXymcmvHAhXxiyW encrypted privilege 15
username mfec5 password WmXaFl9dLue2Yc2d encrypted privilege 15
username mfec4 password WmXaFl9dLue2Yc2d encrypted privilege 15
username nuttakou password XpHrpeeEcZUcyL/m encrypted privilege 15
username mfec1 password WmXaFl9dLue2Yc2d encrypted privilege 15
username chaio114 password O7IVmcp3aIxOsL9v encrypted privilege 15
username mfec password WmXaFl9dLue2Yc2d encrypted privilege 15
username mfec3 password WmXaFl9dLue2Yc2d encrypted privilege 15
username mfec2 password WmXaFl9dLue2Yc2d encrypted privilege 15
username thitiso7 password lX3P1WyfKv9PoFsB encrypted privilege 15
username jumpb114 password cvTEONQEhr.yp.1v encrypted privilege 15
tunnel-group LANOFFICE type remote-access
tunnel-group LANOFFICE general-attributes
 address-pool (LAN-Office) VPN_Pool
 address-pool VPN_Pool
 authentication-server-group (LAN-Office) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (LAN-Office) LOCAL
 default-group-policy GroupPolicy_LANOFFICE
tunnel-group LANOFFICE webvpn-attributes
 group-alias LANOFFICE enable
 group-alias PPCIASA801 disable
tunnel-group LANOFFICE ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 trust-point ASDM_TrustPoint0
tunnel-group 10.217.200.14 type ipsec-l2l
tunnel-group 10.217.200.14 general-attributes
 default-group-policy GroupPolicy_10.217.200.14
tunnel-group 10.217.200.14 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
!
jumbo-frame reservation
!
no call-home reporting anonymous
Cryptochecksum:893204b323e3bbf728f506730cc1ffc7
: end
PPCIASA801#

Accepted Solution

Akshay Rastogi
Cisco Employee

Hi there,

Please check if VLAN 501 and VLAN 503 are allowed on the trunk ports connected to the switch (the ports which are part of the port channel; they should be trunk ports on the switch).

Also please try the packet-tracer commands below:

packet-tracer input iLo tcp <iLo side ip> 12345 <OOB side ip> 12345 detailed

packet-tracer input OOB tcp <OOB side ip> 23451 <iLo side ip> 23453 detailed

Check if traffic is allowed in these packet-tracer runs. If not, check the reason why it is dropped and troubleshoot. If it doesn't work, please share the output here.

Hope it helps.

Regards,

Akshay Rastogi



Hi Akshay

 Thanks for your reply, I found the config mistake already. Because I use nat () any any, packets are NATed by the first NAT rule and do not go to the NAT rule that I want.
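The first-match behaviour the poster describes, as an added Python model (not part of the original thread, and not Cisco code): it replays the manual NAT rules from the posted config in their original order and shows why an OOB-to-iLo packet is claimed by the earlier `nat (OOB,Telecom-OAM)` catch-all rule, then shows the outcome once a destination-scoped rule for the VLAN pair is placed first, using the post's own `iLo-network` and `OOB-network` objects. The object table, the corrected rule lines and the sample addresses are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed for this example: the named objects the post defines (same
# subnets as the running config) and its manual NAT rules in "show run" order.
OBJECTS = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "OOB-network": ipaddress.ip_network("10.206.36.64/26"),
    "iLo-network": ipaddress.ip_network("10.206.36.0/27"),
}
NAT_RULES_FROM_POST = """\
nat (Telecom-OAM,OOB) source static any any no-proxy-arp
nat (OOB,Telecom-OAM) source static any any no-proxy-arp
nat (Telecom-OAM,iLo) source static any any no-proxy-arp
nat (iLo,Telecom-OAM) source static any any no-proxy-arp
nat (OOB,CDN-OOB) source static any any no-proxy-arp
nat (CDN-OOB,OOB) source static any any no-proxy-arp
nat (WAN-CDN,CDN-OOB) source static any any no-proxy-arp
nat (CDN-OOB,WAN-CDN) source static any any no-proxy-arp
nat (OOB,iLo) source static any any no-proxy-arp
nat (iLo,OOB) source static any any no-proxy-arp
"""
# Corrected form (constructed): destination-scoped rules for the VLAN pair
# placed before the catch-all rules, so OOB<->iLo traffic matches them first.
NAT_RULES_FIXED = """\
nat (OOB,iLo) source static any any destination static iLo-network iLo-network no-proxy-arp
nat (iLo,OOB) source static any any destination static OOB-network OOB-network no-proxy-arp
""" + NAT_RULES_FROM_POST

RULE_RE = re.compile(
    r"nat \((?P<ingress>[^,]+),(?P<egress>[^)]+)\) source static (?P<src>\S+) \S+"
    r"(?: destination static (?P<dst>\S+) \S+)?"
)

@dataclass(frozen=True)
class NatRule:
    line: int
    ingress: str
    egress: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_rules(text):
    """Parse manual NAT lines into rules numbered in configuration order."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            rules.append(NatRule(len(rules) + 1, m["ingress"], m["egress"],
                                 OBJECTS[m["src"]], OBJECTS[m["dst"] or "any"]))
    return rules

def first_match(rules, ingress, src_ip, dst_ip):
    """Section-1 manual NAT is first-match in config order: a bare 'any any'
    rule with no destination claims every packet entering its ingress
    interface, and the matched rule's egress interface overrides the route."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.ingress == ingress and src in r.src and dst in r.dst:
            return r
    return None

def egress_interface(text, ingress, src_ip, dst_ip):
    """Return (rule number, egress interface) for a packet, or None."""
    r = first_match(parse_rules(text), ingress, src_ip, dst_ip)
    return (r.line, r.egress) if r else None
```

Running `egress_interface(NAT_RULES_FROM_POST, "OOB", "10.206.36.70", "10.206.36.5")` returns rule 2 with egress Telecom-OAM, which is what `packet-tracer` would report for the posted config; the same packet against `NAT_RULES_FIXED` is matched by rule 1 and leaves via iLo.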
