Thanks for the reply. Is there a way to do this for a network rather than a host?

My main subnet is 10.30.x.x and I have a qa environment with 3 vlans and those subnets are to be locked down from one another via rule sets. The networks are 10.16.48, 10.16.100 and 10.16.101 respectively. I'm using the 4th interface as inside and to manage the ASA. I need to be able to rdp from 10.30.x.x into those machines.

Did I explain that properly? Thanks for all the help so far!

And in case it isn't obvious this is all internal no vpns etc.

HI Jerry,

Still a bit unclear, behind which interface do u have 10.30.xx.xx and behind which interafce do you have the three subnets???

What version of ASA are you using??

-Varun

The 10.30.x.x is coming in thru E0/0 which I have labeled inside. This is all internal no outside interfaces. The other 3 subnets are on e0/1 2 and 3. ASDM is 6.4 and I don't recall asa but it's 8.x

Then you migth need this:

static (,inside) 10.16.48.0 10.16.48.0

static (,inside) 10.16.100.0 10.16.100.0

static (,inside) 10.16.101.0 10.16.101.0

apart from that not sure if you have any interafce ACL's on inside interface, so you may need to allow the traffic there as well.

Thats the reason why I needed the interface names, moreover if you have "no nat-control" enabled then you would not even need this static statements, just the ACL would do. This is what I could gather from the information provided.

Moreover, if you are using any ASA version greater than 8.3, then this whole static statement would change, since there is a syntax change in it. So opening up the ASDM would help.

-Varun

Hi Jerry,

If all the subnets are behind the inside interface, then what you are trying to do is called hairpinnning the traffic, and you would need the following config:

static (inside,inside) 10.16.48.0 10.16.48.0 norand nailed

static (inside,inside) 10.16.100.0 10.16.100.0 norand nailed

static (inside,inside) 10.16.101.0 10.16.101.0 norand nailed

nat (inside) 1 0.0.0.0 0.0.0.0

global (inside) 1 interface

same-security-traffic permit intra-interface.

Hoep this is what you were looking for.

Thanks,

Varun

Here's my config:

Result of the command: "sh run"

: Saved

:

ASA Version 8.0(5)

!

hostname

interface Ethernet0/0

nameif inside

security-level 100

ip address 10.0.0.199 255.255.255.0

!

interface Ethernet0/1

nameif 48

security-level 100

ip address 10.16.48.1 255.255.255.0

!

interface Ethernet0/2

nameif 100

security-level 100

ip address 10.16.100.1 255.255.255.0

!

interface Ethernet0/3

nameif 101

security-level 100

ip address 10.16.101.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa805-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name daxko

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit udp any any

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit tcp any any

access-list 100_access_in extended permit icmp any any

access-list 100_access_in extended permit ip any any

access-list 100_access_in extended permit tcp any any

access-list 100_access_in extended permit udp any any

access-list 48_access_in extended permit icmp any any

access-list 48_access_in extended permit ip any any

access-list 48_access_in extended permit tcp any any

access-list 48_access_in extended permit udp any any

access-list 101_access_in extended permit ip any any

access-list 48_access_out extended permit icmp any any

access-list 48_access_out extended permit ip any any inactive

access-list 48_access_out extended permit tcp any any inactive

access-list 48_access_out extended permit udp any any inactive

access-list 100_access_out extended permit icmp any any

access-list 100_access_out extended permit tcp any any inactive

access-list 100_access_out extended permit udp any any inactive

access-list 100_access_out extended permit ip any any inactive

access-list inside_access_out extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu 48 1500

mtu 100 1500

mtu 101 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

global (48) 101 interface

nat (inside) 101 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group 48_access_in in interface 48

access-group 48_access_out out interface 48

access-group 100_access_in in interface 100

access-group 100_access_out out interface 100

access-group 101_access_in in interface 101

route inside 0.0.0.0 0.0.0.0 10.0.0.199 1

route inside 10.2.0.0 255.255.255.0 Gateway 1

route inside 10.10.0.0 255.255.255.0 Gateway 1

route inside 10.30.0.0 255.255.255.0 Gateway 1

route inside 10.31.0.0 255.255.255.0 Gateway 1

route inside 10.32.0.0 255.255.255.0 Gateway 1

route inside 10.33.0.0 255.255.255.0 Gateway 1

route inside 10.34.0.0 255.255.255.0 Gateway 1

route inside 10.252.252.0 255.255.255.0 Gateway 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.32.0.0 255.255.255.0 inside

http 10.30.0.0 255.255.255.0 inside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

client-update enable

telnet 10.30.0.0 255.255.255.0 inside

telnet 10.32.0.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

  message-length maximum client auto

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:70805219682c54ff5366e7de8d98fef9

: end

then you would need just these:

static (48,inside) 10.16.48.0 10.16.48.0

static (100,inside) 10.16.100.0 10.16.100.0

static (101,inside) 10.16.101.0 10.16.101.0

Try it and let me know if this works.

Thanks,

Varun

I added those and I still cannot reach any of the subnets. (Thanks so much for your help so far) Any other ideas?

Hi Jerry,

We then might to go the troubleshooting way:

packet-tracer input inside tcp 2345 3389 detailed

can you provide one output of this command.

-Varun

Result of the command: "packet-tracer input inside tcp 10.30.0.23 2345 10.16.48.170 3389"

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.16.48.0      255.255.255.0   48

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 101 0.0.0.0 0.0.0.0

  match ip inside any 48 any

    dynamic translation to pool 101 (10.16.48.1 [Interface PAT])

    translate_hits = 2, untranslate_hits = 0

Additional Information:

Dynamic translate 10.30.0.23/2345 to 10.16.48.1/46119 using netmask 255.255.255.255

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 101 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 101 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 7

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: 48

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule