07-08-2010 05:14 AM - edited 03-11-2019 11:08 AM
Hi all!
I am having a NAT/ACL problem in my home network after I’ve migrated from Zyxel to Cisco.
I used to have a Zywall5 with LAN and DMZ network. The LAN was for my own units and the DMZ was for visitors in my home. On my LAN I had a printserver which DMZ users needed access to sometimes. I just made a firewall rule allowing TCP/515 from DMZ to LAN on the Zywall5 – working fine.
Now I am trying to do the same with my Cisco ASA – and OMG – this is not easy. I have to allow traffic from a VLAN with security level 50 to a VLAN with security level 100 – but only to the printserver.
I am not a CLI expert, so I have been working on this problem in ASDM. I tried many different things suggested by Cisco support documents without any luck. It doesn’t make it easier with Cisco’s new NAT concept, as I am on firmware 8.3(1) on my 5505.
I worked a little with ASAs some time ago and I recall NAT exempt, but this doesn’t exist anymore. As I see it, Cisco suggests you make two static NAT rules to do this, and some ACL magic, and this is where I am stuck now.
It should be very simple – I just need traffic (all or just tcp/515) from my 10.20.33.0/24 network to one host (printserver 10.20.30.3) on my 10.20.30.0/24 network.
I have attached a simple network diagram and my running-config from the ASA.
Hope someone can guide me a little.
Thanks in advance.
/Ulrik
** running-config **
: Saved
:
ASA Version 8.3(1)
!
hostname asa5505
domain-name cisco.com
enable password xxxxxxx encrypted
passwd xxxxxx encrypted
names
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan30
nameif inside.30.LAN
security-level 100
ip address 10.20.30.1 255.255.255.0
!
interface Vlan31
nameif inside.31.DMZ
security-level 30
ip address 10.20.31.1 255.255.255.0
!
interface Vlan32
nameif inside.32.PIR
security-level 50
ip address 10.20.32.1 255.255.255.0
!
interface Vlan33
nameif inside.33.LAN2
security-level 50
ip address 10.20.33.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 30
!
interface Ethernet0/2
switchport access vlan 30
!
interface Ethernet0/3
switchport access vlan 30
!
interface Ethernet0/4
switchport access vlan 30
switchport trunk allowed vlan 30-33
switchport trunk native vlan 30
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 30
switchport trunk allowed vlan 30-33
switchport trunk native vlan 30
switchport mode trunk
!
interface Ethernet0/6
switchport access vlan 30
!
interface Ethernet0/7
switchport access vlan 30
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name thorup.dk
object network obj-10.20.30.0
subnet 10.20.30.0 255.255.255.0
object network obj-10.20.31.0
subnet 10.20.31.0 255.255.255.0
object network obj-10.20.32.0
subnet 10.20.32.0 255.255.255.0
object network obj-10.20.33.0
subnet 10.20.33.0 255.255.255.0
object network obj-10.20.32.30
host 10.20.32.30
access-list outside_access_in remark share
access-list outside_access_in extended permit tcp any object obj-10.20.32.30 eq 56000
pager lines 24
logging enable
logging trap notifications
logging asdm notifications
logging host inside.30.LAN 10.20.30.11
mtu outside 1500
mtu inside.30.LAN 1500
mtu inside.31.DMZ 1500
mtu inside.32.PIR 1500
mtu inside.33.LAN2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
!
object network obj-10.20.30.0
nat (inside.30.LAN,outside) dynamic interface
object network obj-10.20.31.0
nat (inside.31.DMZ,outside) dynamic interface
object network obj-10.20.32.0
nat (inside.32.PIR,outside) dynamic interface
object network obj-10.20.33.0
nat (inside.33.LAN2,outside) dynamic interface
object network obj-10.20.32.30
nat (inside.32.PIR,outside) static interface service tcp 56000 56000
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.20.30.0 255.255.255.0 inside.30.LAN
http 10.20.32.30 255.255.255.255 inside.32.PIR
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.20.30.0 255.255.255.0 inside.30.LAN
ssh timeout 10
console timeout 0
dhcpd address 10.20.30.30-10.20.30.100 inside.30.LAN
dhcpd auto_config outside interface inside.30.LAN
dhcpd enable inside.30.LAN
!
dhcpd address 10.20.31.30-10.20.31.100 inside.31.DMZ
dhcpd auto_config outside interface inside.31.DMZ
dhcpd enable inside.31.DMZ
!
dhcpd address 10.20.32.30-10.20.32.30 inside.32.PIR
dhcpd dns 208.67.222.222 208.67.220.220 interface inside.32.PIR
dhcpd enable inside.32.PIR
!
dhcpd address 10.20.33.30-10.20.33.100 inside.33.LAN2
dhcpd auto_config outside interface inside.33.LAN2
dhcpd enable inside.33.LAN2
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.20.30.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.20.32.0 255.255.255.0
threat-detection scanning-threat shun duration 300
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 195.234.155.123 source outside
ntp server 78.109.215.91 source outside
ntp server 77.233.251.106 source outside
webvpn
username ulrik password LlM1zI1mbsdx0S1t encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:9ab4e2078ada23e631e450690f31c5e9
: end
07-08-2010 05:54 AM
Hello,
Please try pasting the following configuration into command line (if you are using ASDM, you can go to tools--> command line --> multiple lines).
object network obj-10.20.30.3
host 10.20.30.3
nat (inside.30.LAN,inside.33.LAN2) static 10.20.30.3
access-list inside_33_LAN2 permit tcp any host 10.20.30.3 eq 515
access-list inside_33_LAN2 deny ip any 10.20.30.0 255.255.255.0
access-list inside_33_LAN2 permit ip any any
access-group inside_33_LAN2 in interface inside.33.LAN2
Hope this helps.
Regards,
NT
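The answer above works because of two things: the object NAT line is the 8.3 form of the old "nat exempt" (an identity static NAT between inside.30.LAN and inside.33.LAN2, so 10.20.30.3 keeps its real address in both directions), and the access-list is evaluated top-down with first match winning and an implicit deny at the end. The ordering of the three ACEs is what restricts LAN2 to TCP/515 on the printserver while leaving everything else open. The following is an added example, not code from the thread or from Cisco: a small Python model of exactly the three ACE forms the answer uses (any, host, network/mask, trailing eq port) and of the first-match rule, run over a handful of constructed flows. The hosts 10.20.33.50, 10.20.31.40 and 203.0.113.10 are made up for the demonstration; 10.20.30.3 and 10.20.30.11 come from the thread's config.

```python
"""Model first-match evaluation of the answer's ASA access-list.

Added example (not from the thread or from Cisco): a tiny parser for the
three ACE forms the answer uses, plus an evaluator with the ASA's
implicit deny at the end of the list. Source hosts below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three access-list lines exactly as given in the answer.
ANSWER_ACL = """
access-list inside_33_LAN2 permit tcp any host 10.20.30.3 eq 515
access-list inside_33_LAN2 deny ip any 10.20.30.0 255.255.255.0
access-list inside_33_LAN2 permit ip any any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # set only for a trailing "eq <port>"


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec (any | host A | NETWORK MASK) at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # "NETWORK MASK" form; ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    i = 3 if tok[2] == "extended" else 2
    action, proto = tok[i], tok[i + 1]
    src, i = _parse_addr(tok, i + 2)
    dst, i = _parse_addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(aces, proto, src_ip, dst_ip, dport=None):
    """Return (action, 1-based ACE number) for the first matching ACE.
    No match means the ASA's implicit deny, reported as ("deny", None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


# Constructed sample flows from a LAN2 host (10.20.33.50 is made up).
SAMPLE_FLOWS = [
    ("tcp", "10.20.33.50", "10.20.30.3", 515),    # LPD to the printserver
    ("tcp", "10.20.33.50", "10.20.30.3", 80),     # anything else on it
    ("udp", "10.20.33.50", "10.20.30.11", 514),   # the LAN syslog host
    ("icmp", "10.20.33.50", "10.20.30.3", None),  # ping the printserver
    ("tcp", "10.20.33.50", "10.20.31.40", 22),    # a DMZ host (made up)
    ("tcp", "10.20.33.50", "203.0.113.10", 443),  # the Internet
]


def run_demo():
    aces = parse_acl(ANSWER_ACL)
    return [(flow, evaluate(aces, *flow)) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for (proto, s, d, p), (action, n) in run_demo():
        hit = f"ACE {n}" if n else "implicit deny"
        print(f"{proto:4} {s} -> {d}:{p or '-'}  {action:6} ({hit})")
```

Two things the model makes visible: only TCP/515 to 10.20.30.3 gets through to the LAN (even ping to the printserver is caught by the second line), and the final permit ip any any leaves LAN2 free to reach the DMZ VLAN and the Internet, which is fine for a visitor network but worth knowing. On the real box the same question is answered by packet-tracer input inside.33.LAN2 tcp 10.20.33.50 12345 10.20.30.3 515, which also shows the NAT phase, and by the hit counts in show access-list inside_33_LAN2.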
07-08-2010 06:09 AM
Hi Nagaraja.
Thank you!! You just made my day. It works perfectly!
/Ulrik