Solved: Re: ASA intra-interface communication

stephilewis · ‎08-12-2010

I have three interfaces configured, outside, inside and dhcp. The IP for the inside is 10.10.220.101 and dhcp is 10.10.230.1, with same−security−traffic permit intra−interface configured but still not able to communicate between interfaces. The error I receive from packet-tracer is (acl-drop) flow is denied by configured rule.

Nagaraja Thanthry · ‎08-13-2010

Hello,

You are missing NAT statements between inside and LANDHP. Please configure

identity NAT between the interfaces:

static (inside,LANDHCP) 10.10.220.0 10.10.220.0 netmask 255.255.255.0

static (LANDHCP,inside) 10.10.230.0 10.10.230.0 netmask 255.255.255.0

This should allow communication between the inside and LANDHCP interfaces.

Hope this helps.

Regards,

NT

View solution in original post

Collin Clark · ‎08-12-2010

The flow drop usually means a NAT is missing. You need NAT when you go from a lower security interface to a higher one. The same−security−traffic permit intra−interface command is used when two interfaces have the same security level. Here's a helpful link.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml#Same

Hope it helps

stephilewis · ‎08-12-2010

both interfaces have security level 100

Collin Clark · ‎08-12-2010

What do your logs say?

Jitendriya Athavale · ‎08-12-2010

you will need same-security-traffic permit inter-interface

intra interface is used when the traffic is entering and exiting from the same interface

here you have 2 different interfaces so you will need inter interface which mean traffic between same security level but on different interfaces

also what code are you running and lastly paste the output of packet tracer if it still doesnt work

stephilewis · ‎08-12-2010

Yes you are correct I did change from intra to inter, using 7.2.

stephilewis · ‎08-12-2010

edge# packet-tracer input inside icmp 10.10.220.101 8 0 10.10.230.101 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x37f0288, priority=1, domain=permit, deny=false

hits=2085041387, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.10.230.101 255.255.255.255 identity

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x3802b20, priority=500, domain=permit, deny=true

hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.10.220.101, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Collin Clark · ‎08-12-2010

Can you post the ACL and the access group?

stephilewis · ‎08-12-2010

heres my running

edge(config-if)# show run

: Saved

:

ASA Version 7.2(3)

!

hostname edge

domain-name xxxxxx

enable password sh3Lt8bNBi5BmLfG encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.10.220.101 255.255.255.0

ospf cost 10

!

interface Vlan2

nameif outside

security-level 0

ip address xx.xx.xx.xx 255.255.255.240

ospf cost 10

!

interface Vlan4

nameif LANDHCP

security-level 100

ip address 10.10.230.1 255.255.255.0

!

interface Vlan22

description LAN Failover Interface

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 4

!

interface Ethernet0/6

switchport access vlan 3

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name benetech.org

same-security-traffic permit inter-interface

access-list outside_access_in extended permit tcp any host xx.xx.xx.xx

access-list outside_access_in extended permit gre any any

access-list outside_access_in extended permit tcp any interface outside eq smtp log debugging

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in extended permit tcp any interface outside eq pptp log warnings

access-list outside_access_in extended permit tcp any interface outside eq 99

access-list outside_access_in extended permit tcp any interface outside eq 722 log

access-list outside_access_in extended permit tcp any interface outside eq 822 log

access-list outside_access_in extended permit tcp any interface outside eq 922 log

access-list outside_access_in extended permit tcp any interface outside eq www inactive

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in extended permit tcp any interface outside eq ftp-data

access-list outside_access_in extended permit tcp any interface outside eq 622

access-list outside_access_in extended permit icmp any interface outside

access-list LAN_access_in extended permit ip any any

access-list inside_access_out extended deny tcp 10.10.220.128 255.255.255.128 any eq smtp log warnings

access-list inside_access_out extended deny udp any eq 4000 any log warnings

access-list inside_access_out extended permit ip any any

access-list WLAN extended permit ip any any

access-list WLAN_access_in extended permit ip any any

access-list WLAN_access_in extended permit udp any any

pager lines 24

logging enable

logging emblem

logging asdm-buffer-size 512

logging buffered informational

logging trap informational

logging asdm informational

logging mail informational

logging from-address asa5505@xxxx

logging recipient-address xxxx level errors

logging host inside 10.10.220.69 17/1470 format emblem

logging permit-hostdown

mtu inside 1500

mtu outside 1500

mtu LANDHCP 1500

no failover

failover lan unit primary

failover lan interface BFailover Vlan22

failover key *****

failover interface ip BFailover 172.1.1.1 255.255.255.0 standby 172.1.1.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (inside) 1 interface

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 822 10.10.220.21 822 netmask 255.255.255.255

static (inside,outside) tcp interface 722 10.10.220.18 722 netmask 255.255.255.255

static (inside,outside) tcp interface 922 10.10.220.29 922 netmask 255.255.255.255

static (inside,outside) tcp interface www 10.10.220.19 www netmask 255.255.255.255

static (inside,outside) tcp xx.xx.xx.xx ftp-data 10.10.220.67 ftp-data netmask 255.255.255.255

static (inside,outside) tcp interface ftp 10.10.220.67 ftp netmask 255.255.255.255

static (inside,outside) tcp interface 622 10.10.220.21 622 netmask 255.255.255.255

static (inside,outside) tcp interface 99 10.10.220.24 99 netmask 255.255.255.255

static (inside,outside) xx.xx.xx.xx 10.10.220.4 netmask 255.255.255.255

static (inside,outside) xx.xx.xx.xx 10.10.220.23 netmask 255.255.255.255

access-group inside_access_out out interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 10.10.220.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ca trustpoint newbroot

crl configure

telnet timeout 5

ssh timeout 5

ssh version 2

console timeout 0

dhcpd dns 10.10.220.23

dhcpd domain benetech.local

dhcpd auto_config outside

dhcpd option 3 ip 172.16.30.100

!

class-map inspection_default

match default-inspection-traffic

class-map pptp-port

match port tcp eq pptp

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map type inspect dns benetech_dns_map

description Remove 512 byte size restriction

parameters

message-length maximum 1024

no protocol-enforcement

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

policy-map pptp_policy

class pptp-port

inspect pptp

!

service-policy global_policy global

service-policy pptp_policy interface outside

ntp server xx.xx.xx.xx source outside

tftp-server inside 10.10.220.69 asa-5505-primary.conf

webvpn

csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg

csd enable

username scott password rj0sFMSN.wCXUz0C encrypted privilege 15

username ryan password esjVcPBkxKv5/kd4 encrypted privilege 15

smtp-server 10.10.220.50 10.10.220.12

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command uauth

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

Cryptochecksum:08ce842567f3902a3dd22fe93b0ddc0d

: end

edge(config-if)#

Collin Clark · ‎08-12-2010

Can you create an ACL with permit ip any any and apply it to the dhcp interface? I don't remember if an ACL is needed between same security interfaces. This will just be a quick test.

access-list dhcp_access extended permit ip any any

access-group dhcp_access in interface LANDHCP

stephilewis · ‎08-12-2010

what is dhcp_access

stephilewis · ‎08-12-2010

I take it you ment landhcp_access

Collin Clark · ‎08-12-2010

You can name the access list anything you like, I just named it dhcp_access.

stephilewis · ‎08-12-2010

ok i completed the task i am permitting all ip traffic both ways without success, oddly enough from the workstation i cannot ping the gateway which is the landhcp interface. from the console i can ping the landhcp but not past this.

Collin Clark · ‎08-12-2010

Can you run the packet trace with the ACL applied and post the results?