02-08-2011 01:03 AM - edited 03-11-2019 12:46 PM
Hello everybody,
I have on an ASA5510 two internal networks (inside and voip) and an outside network.
I would like two addresses of the inside network (10.1.1.1 and 10.1.1.2) to be able to access the whole voip network.
I made many trials with static, nat, acl but nothing worked: I actually always make a mess with these commands... could you please help me do this?
Here is the interesting part of the conf:
ASA Version 8.2(2)
!
names
name 10.245.8.0 ZZZ
name 10.245.4.0 UUU
name 10.245.0.0 CCC
name 10.245.255.0 NNN
name 10.245.16.0 LLL
name 10.245.12.0 FFF
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.224 standby xxx.xxx.xxx.xxy
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.3.1 255.255.248.0 standby 10.1.3.2
!
interface Ethernet0/2
nameif voip
security-level 100
ip address 10.245.0.1 255.255.255.0 standby 10.245.0.2
!
interface Ethernet0/3
description LAN Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name bally.ch
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip host 10.1.1.1 CCC 255.255.0.0
access-list inside_access_in extended permit ip host 10.1.1.2 CCC 255.255.0.0
access-list inside_access_in extended deny ip any any
access-list voip extended permit ip CCC 255.255.255.0 ZZZ 255.255.255.0
access-list voip extended permit ip CCC 255.255.255.0 FFF 255.255.255.0
access-list voip extended permit ip CCC 255.255.255.0 UUU 255.255.255.0
access-list voip extended permit ip CCC 255.255.255.0 NNN 255.255.255.0
access-list voip extended permit ip host 10.245.0.9 any
access-list voip extended permit ip host 10.245.0.10 any
access-list voip extended permit icmp any any
access-list voip extended permit ip host 10.245.0.200 any
access-list voip extended permit ip CCC 255.255.255.0 LLL 255.255.255.0
access-list voip extended permit ip any host 162.23.41.34
access-list voip extended permit ip host 10.245.0.100 any
access-list voip extended permit ip host 10.245.0.101 any
access-list voip extended permit ip host 10.245.0.102 any
access-list voip extended permit ip CCC 255.255.0.0 host 10.1.1.1
access-list voip extended permit ip CCC 255.255.0.0 host 10.1.1.2
access-list voip extended deny ip any any
access-list VPN extended permit ip CCC 255.255.255.0 ZZZ 255.255.255.0
access-list VPN extended permit ip CCC 255.255.255.0 FFF 255.255.255.0
access-list VPN extended permit ip CCC 255.255.255.0 UUU 255.255.255.0
access-list VPN extended permit ip CCC 255.255.255.0 NNN 255.255.255.252
access-list VPN extended permit ip CCC 255.255.255.0 LLL 255.255.255.0
access-list ZZZ-VoIP extended permit ip CCC 255.255.255.0 ZZZ 255.255.255.0
access-list FFF-VoIP extended permit ip CCC 255.255.255.0 FFF 255.255.255.0
access-list UUU-VoIP extended permit ip CCC 255.255.255.0 UUU 255.255.255.0
access-list REM extended permit ip CCC 255.255.255.0 NNN 255.255.255.0
access-list LLL-VoIP extended permit ip CCC 255.255.255.0 LLL 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu voip 1500
ip local pool vpnpool1 10.245.255.1-10.245.255.3 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover interface ip failover 10.1.254.1 255.255.255.252 standby 10.1.254.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (voip) 0 access-list VPN
nat (voip) 1 CCC 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group voip in interface voip
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxp 1
!
management-access voip
!
dhcpd dns 10.245.0.250
dhcpd ping_timeout 750
!
dhcpd address 10.245.0.105-10.245.0.110 voip
dhcpd enable voip
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map LIMIT_BAND
description Bandwidth Limits on VPNs
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
: end
Many thanks for your help and best regards.
Luca
02-08-2011 01:32 AM
Hi Luca,
Considering both "inside" and "voip" are at the same security-level (100), no NATting is required and only "same-security-traffic perm inter-interface" is required.
As far as access-list is considered,
On inside:
access-list inside_access_in extended permit ip host 10.1.1.1 CCC 255.255.0.0
access-list inside_access_in extended permit ip host 10.1.1.2 CCC 255.255.0.0
access-list inside_access_in extended deny ip any CCC 255.255.0.0
access-list inside_access_in extended permit ip any any
on voip:
access-list voip extended permit ip CCC 255.255.0.0 host 10.1.1.1
access-list voip extended permit ip CCC 255.255.0.0 host 10.1.1.2
access-list voip extended deny ip CCC 255.255.0.0 10.1.0.0 255.255.248.0
access-list voip extended permit ip any any
HTH
Regards,
Praveen
02-08-2011 01:45 AM
Hi Praveen,
I've just put the command "same-security-traffic perm inter-interface" but from my pc (10.1.1.2) I cannot ping hosts on voip network.
Any guess?
Thanks again.
Luca
02-08-2011 03:00 AM
Hi Luca,
Even though with "same-security-traffic perm inter-interface" we do not require NAT'ing between interfaces,
1... since we have a generic NAT'ing on the voip interface [ nat (voip) 1 CCC 255.255.255.0 ]......
AND
2... We require bi-directional traffic between voip and inside interface......
Configure NAT exemption on voip-interface:
access-list nat0_voip extended permit ip CCC 255.255.0.0 host 10.1.1.1
access-list nat0_voip extended permit ip CCC 255.255.0.0 host 10.1.1.2
nat (voip) 0 access-list nat0_voip
Let me know if that helps.
PS: this is based on the first post. So if the config has changed in the mean time, provide the following:
show run nat
show run global
show run static
show run access-g
show run access-list
Regards,
Praveen
02-08-2011 03:16 AM
Hi Praveen,
I already have a "nat (voip) 0" for the VPN, I cannot overwrite it.
So I've put the following commands:
access-list nat2_voip extended permit ip CCC 255.255.0.0 host 10.1.1.1
access-list nat2_voip extended permit ip CCC 255.255.0.0 host 10.1.1.2
nat (voip) 2 access-list nat2_voip
It's still not working, but actually I don't know if nat (voip) 2 is the same as nat (voip) 0.
Thanks for your help.
Luca
02-08-2011 03:22 AM
Hi Luca,
I kind of ignored the existing "nat 0". Please add the following access-list entry for the traffic from voip to inside to get nat-exempted.
access-list VPN extended permit ip CCC 255.255.0.0 host 10.1.1.1
access-list VPN extended permit ip CCC 255.255.0.0 host 10.1.1.2
FYI, "nat (
Let me know.
Regards,
Praveen
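To see why the ACL ordering Praveen proposed above works and why adding the two lines to the existing "nat (voip) 0 access-list VPN" (rather than a new nat id) is what exempts the voip-to-inside flow, here is a small model of ASA 8.2 ACL evaluation, added here and not part of the thread or of Cisco's code. It assumes the "name" values and ACEs quoted in the thread; the function names and the test addresses (10.245.0.50, 10.1.1.3) are constructed for the example.

```python
import ipaddress

# Constructed from the thread: the ASA "name" entries and the ACEs Praveen proposed,
# plus the two nat-exemption lines appended to the existing "nat (voip) 0 access-list VPN".
NAMES = {"CCC": "10.245.0.0", "ZZZ": "10.245.8.0"}
ACL_LINES = [
    "access-list inside_access_in extended permit ip host 10.1.1.1 CCC 255.255.0.0",
    "access-list inside_access_in extended permit ip host 10.1.1.2 CCC 255.255.0.0",
    "access-list inside_access_in extended deny ip any CCC 255.255.0.0",
    "access-list inside_access_in extended permit ip any any",
    "access-list voip extended permit ip CCC 255.255.0.0 host 10.1.1.1",
    "access-list voip extended permit ip CCC 255.255.0.0 host 10.1.1.2",
    "access-list voip extended deny ip CCC 255.255.0.0 10.1.0.0 255.255.248.0",
    "access-list voip extended permit ip any any",
    "access-list VPN extended permit ip CCC 255.255.255.0 ZZZ 255.255.255.0",
    "access-list VPN extended permit ip CCC 255.255.0.0 host 10.1.1.1",
    "access-list VPN extended permit ip CCC 255.255.0.0 host 10.1.1.2",
]

def _addr(toks):
    """Parse one ASA address operand: any | host A | NAME-or-A SUBNETMASK (a mask, not a wildcard)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    net = NAMES.get(toks[0], toks[0])            # resolve "name" entries like CCC
    return ipaddress.ip_network(f"{net}/{toks[1]}", strict=False), toks[2:]

def load_acl(lines):
    """Group ACEs by ACL name, preserving order (first-match depends on it)."""
    acl = {}
    for line in lines:
        t = line.split()           # access-list NAME extended ACTION ip SRC... DST...
        src, rest = _addr(t[5:])
        dst, _ = _addr(rest)
        acl.setdefault(t[1], []).append((t[3], src, dst))
    return acl

def evaluate(acl, name, src_ip, dst_ip):
    """ASA ACL semantics: the first matching ACE wins; implicit deny if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acl.get(name, []):
        if s in src and d in dst:
            return action
    return "deny"

def nat_exempt(acl, name, src_ip, dst_ip):
    """'nat (ifc) 0 access-list NAME': the flow is exempted from NAT only when NAME permits it."""
    return evaluate(acl, name, src_ip, dst_ip) == "permit"

ACL = load_acl(ACL_LINES)
```

Running it shows that 10.1.1.1 and 10.1.1.2 reach the voip network while other inside hosts are denied to it but still reach the Internet, and that return traffic from a voip phone to 10.1.1.3 neither passes the voip ACL nor is NAT-exempted.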
02-08-2011 04:27 AM
Many thanks Praveen, it's working now!!!