11-15-2011 05:35 AM - edited 03-11-2019 02:50 PM
I'm going nuts with this ASA5505. This is a secondary firewall used only in emergencies when the primary Checkpoint fails.
The basics, it has two trusted interfaces, E0/1 and E0/2-6. E0/1, inside2 has 192.168.01/29 and inside is 192.168.200.1/24. I'd like any traffic to be allowed from inside and inside2 to outside and any traffic from the inside interfaces should be routed. No restrictions should apply between the two interfaces.
inside works just fine but no traffic is going out of inside2, not to outside or to inside.
11-15-2011 05:39 AM
Can you share your configuration? That would make it easier.
Varun
11-15-2011 05:48 AM
ASA5505# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname ASA5505
enable password d5uVb34W3WysZeUQ encrypted
passwd d5uVb34W3WysZeUQ encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 91.150.44.37 255.255.255.248
!
interface Vlan15
nameif inside2
security-level 100
ip address 192.168.0.1 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 15
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list dmz_access_in remark Implicit rule: Permit all traffic to less secure networks
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq ssh
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu inside2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside control-plane
route outside 0.0.0.0 0.0.0.0 91.150.44.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 87.108.20.70 source outside prefer
webvpn
username admin01 password SMkUnOJcgOVHlyRx encrypted privilege 15
!
!
prompt hostname context
Cryptochecksum:05f052044953a19c020dcf217571cd86
: end
Trying to figure out the rules, so right now it's just the basic setup. Getting interface2 out to the internet would be an improvement. inside works for the moment but I can't access inside2 from inside.
11-15-2011 06:21 AM
same-security-traffic permit inter-interface command seems to be missing in this config which will allow inside to communicate inside2.
11-15-2011 06:39 AM
I might have been a little hasty. The traffic flows between the two inside networks now, but inside2 still can't access the outside. Even if the rules for Inside and Inside2 are the same.
11-15-2011 06:43 AM
Add this in your configuration then test the connections.
nat (inside2) 1 0.0.0.0 0.0.0.0
Thanks
Ajay
11-15-2011 06:43 AM
I forgot the dynamic nat rule while testing. So everything works as it should now. Thanks guys.
11-15-2011 06:47 AM
While we are here, in inside2 there is a router 192.168.0.2 and behind it is the 192.168.100.0/24 network. To get the ASA to route to it I only need to add a static route right?
11-15-2011 06:49 AM
Yes
route inside2 x.x.x.x x.x.x.x pointing to 192.168.0.2
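The two fixes the thread converged on (same-security-traffic permit inter-interface for the two level-100 interfaces, and a nat statement for inside2 under nat-control) can be checked mechanically before a failover event. This is an added Python example, not code from the thread or from Cisco; it audits a constructed excerpt of the posted config and uses a simplified view of nat-control (it ignores nat 0 and static entries).

```python
import re
# Constructed excerpt of the ASA 8.2 config posted in the thread (not the full config).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
interface Vlan15
 nameif inside2
 security-level 100
!
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

def parse_interfaces(config):
    """Map each nameif to its security-level from the interface blocks."""
    levels, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
    return levels

def audit(config):
    """Return the missing statements that produced the two symptoms in the thread."""
    findings = []
    levels = parse_interfaces(config)
    lines = {l.strip() for l in config.splitlines()}
    # Two interfaces at the same security level can't exchange traffic without this knob.
    shared = len(set(levels.values())) < len(levels)
    if shared and "same-security-traffic permit inter-interface" not in lines:
        findings.append("same-security-traffic permit inter-interface")
    # Under nat-control, each inside interface using 'global (outside) 1' needs its own nat entry.
    if "nat-control" in lines:
        nat_ifaces = set(re.findall(r"^nat \((\S+)\) \d+", config, re.M))
        global_ifaces = set(re.findall(r"^global \((\S+)\)", config, re.M))
        for name in sorted(levels):
            if name not in nat_ifaces and name not in global_ifaces:
                findings.append(f"nat ({name}) 1 0.0.0.0 0.0.0.0")
    return findings
```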