5548 Views | 5 Helpful | 11 Replies

ASA5510: Traffic between multiple inside interfaces

PO'Malley
Level 1

Howdy Folks,

I've been trying to figure this one out for quite a while.  I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones).  I have not been able to get any traffic between the interfaces.  With the current setup it was not a major problem.  With the new setup it will be a major problem.

I believe I have over thought the problem and probably done more than is needed.  Below is a sanitized version of the config.

Thank you for any help you can give me.

Pat

---------------------------------------------------------------------

ASA Version 8.2(1)
!
hostname BOB
dns-guard
!
interface Ethernet0/0
 description Internet External Network
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.10.10.10 255.255.255.248
!
interface Ethernet0/1
 description Internal Network
 nameif inside
 security-level 100
 ip address 192.168.0.190 255.255.255.0
!
interface Ethernet0/2
 description T1 Network
 nameif Outside-T1
 security-level 0
 ip address 10.11.11.11 255.255.255.248
!
interface Ethernet0/3
 description VOIP Phones
 nameif Inside-Phone
 security-level 100
 ip address 192.168.3.190 255.255.255.0
!
interface Management0/0
 description Clients & Wireless workstations
 nameif Inside1
 security-level 100
 ip address 192.168.7.190 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.0.241
 name-server 192.168.0.242
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list Inside-Phone_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list Inside-Phone_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside-Phone_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list Inside-Phone_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside1_nat0_outbound extended permit ip any 192.168.7.0 255.255.255.0
access-list inside1_nat0_outbound extended permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside1_nat0_outbound extended permit ip 192.168.7.0 255.255.255.0 192.168.3.0 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface Outside-T1
ipv6 access-list inside_access_ipv6_in deny ip any any
ipv6 access-list Inside-Phone_access_ipv6_in deny ip any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any echo-reply Outside-T1
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (Outside-T1) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
nat (Inside-Phone) 0 access-list Inside-Phone_nat0_outbound
nat (Inside-Phone) 1 192.168.3.0 255.255.255.0
nat (Inside-Phone) 10 0.0.0.0 0.0.0.0
nat (Inside1) 0 access-list inside_nat0_outbound
nat (Inside1) 1 192.168.7.0 255.255.255.0
nat (Inside1) 10 0.0.0.0 0.0.0.0
static (inside,outside) 70.90.54.66 192.168.0.217 netmask 255.255.255.255
static (inside,outside) 70.90.54.67 192.168.0.219 netmask 255.255.255.255
static (inside,outside) 70.90.54.68 192.168.0.201 netmask 255.255.255.255
static (inside,outside) 70.90.54.69 192.168.0.202 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 10.10.10.9 1
route Outside-T1 0.0.0.0 0.0.0.0 10.11.11.9 150
dynamic-access-policy-record DfltAccessPolicy
!
!
priority-queue Outside-T1
  queue-limit   2000
  tx-ring-limit 200
priority-queue Inside-Phone
  queue-limit   2000
  tx-ring-limit 200
!
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect icmp
policy-map Outside-T1-VOIP-policy
 description Policy for VOIP traffic on Outside-T1 interface
 class VOIP
  priority
!
service-policy global_policy global
: end

Message was edited by: Patrick O'Malley
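An added example, not part of the original post, for sanity-checking a config like the one above before a third inside interface goes live. The Python below parses the interface, `nat 0 access-list` and `nat (...) 0` lines (embedded as a constructed excerpt of the sanitized config, limited to the lines the check needs) and reports, for every ordered pair of security-level-100 interfaces, whether the exemption ACL bound to the source interface covers source subnet to destination subnet. On this config it flags exactly one direction: `nat (Inside1) 0` is bound to `inside_nat0_outbound` rather than `inside1_nat0_outbound`, so 192.168.7.0/24 to 192.168.3.0/24 has no exemption on the Inside1 side, while the other five directions are covered. That is not the pair Pat could not ping (192.168.0.x to 192.168.3.x, which the thread eventually traces to a switch with the wrong address), and the packet-tracer output later in the thread shows NAT phases reporting "No matching global" and still ending in ALLOW, so nothing here proves the asymmetry drops traffic; it is simply the kind of copy-and-paste slip this check exists to catch.

```python
"""Check that every ordered pair of security-level-100 interfaces in an ASA 8.2
config has a nat 0 (NAT exemption) entry covering src subnet -> dst subnet.
Added example; ASA_CONFIG is a constructed excerpt of the posted config."""
import ipaddress
import re
from itertools import permutations

ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.190 255.255.255.0
interface Ethernet0/3
 nameif Inside-Phone
 security-level 100
 ip address 192.168.3.190 255.255.255.0
interface Management0/0
 nameif Inside1
 security-level 100
 ip address 192.168.7.190 255.255.255.0
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list Inside-Phone_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list Inside-Phone_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside-Phone_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside1_nat0_outbound extended permit ip any 192.168.7.0 255.255.255.0
access-list inside1_nat0_outbound extended permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside1_nat0_outbound extended permit ip 192.168.7.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (Inside-Phone) 0 access-list Inside-Phone_nat0_outbound
nat (Inside1) 0 access-list inside_nat0_outbound
"""


def _addr(tokens):
    """Consume one ACL address spec from a token iterator: any | host A | A MASK."""
    tok = next(tokens)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(next(tokens) + "/32")
    return ipaddress.ip_network(f"{tok}/{next(tokens)}", strict=False)


def parse_config(text):
    """Return (interfaces, acls, nat0):
    interfaces: nameif -> {"level": int, "net": IPv4Network of the interface}
    acls:       name   -> [(src_net, dst_net)] from 'extended permit ip' entries
    nat0:       nameif -> ACL bound with 'nat (nameif) 0 access-list NAME'"""
    interfaces, acls, nat0, cur = {}, {}, {}, None
    for line in text.splitlines():
        words = line.split()
        if line.startswith("interface "):
            cur = {}                      # new interface block; filled by its sub-commands
        elif line.startswith(" ") and cur is not None and words:
            if words[0] == "nameif":
                interfaces[words[1]] = cur
            elif words[0] == "security-level":
                cur["level"] = int(words[1])
            elif words[:2] == ["ip", "address"]:
                cur["net"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        else:
            cur = None
            m = re.match(r"access-list (\S+) extended permit ip (.+)", line)
            if m:
                it = iter(m.group(2).split())
                acls.setdefault(m.group(1), []).append((_addr(it), _addr(it)))
            m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
            if m:
                nat0[m.group(1)] = m.group(2)
    return interfaces, acls, nat0


def has_inter_interface_permit(text):
    return "same-security-traffic permit inter-interface" in text.splitlines()


def check_inter_inside_exemption(text):
    """For each ordered pair of level-100 interfaces return (src_if, dst_if, exempt, acl);
    exempt is True when some entry of the nat 0 ACL bound to src_if covers
    src_if's subnet -> dst_if's subnet."""
    interfaces, acls, nat0 = parse_config(text)
    inside = {n: d for n, d in interfaces.items() if d.get("level") == 100}
    report = []
    for src, dst in permutations(sorted(inside), 2):
        acl = nat0.get(src)
        exempt = any(inside[src]["net"].subnet_of(s) and inside[dst]["net"].subnet_of(d)
                     for s, d in acls.get(acl, []))
        report.append((src, dst, exempt, acl))
    return report


if __name__ == "__main__":
    print("inter-interface permit:", has_inter_interface_permit(ASA_CONFIG))
    for src, dst, exempt, acl in check_inter_inside_exemption(ASA_CONFIG):
        print(f"{'ok     ' if exempt else 'MISSING'} {src:>12} -> {dst:<12}  nat ({src}) 0 access-list {acl}")
```

Run as-is it prints the six-line report. To check a real box, replace ASA_CONFIG with `show running-config` output; the parser ignores lines it does not recognise, but it only understands `any`, `host A` and address/mask entries, not object-groups.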

1 Accepted Solution

Accepted Solutions

Hello Patrick,

I did a lab recreation to help you on this and I can tell you that the configuration is fine.

In our lab the connections between these two interfaces were accepted by the ASA.

One question: are you able to ping from 192.168.0.195 to 192.168.7.197 and backwards?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


11 Replies

Julio Carvajal
VIP Alumni

Hello Patrick,

Would you mind providing us the output of the following packet-tracers?

packet-tracer input inside tcp 192.168.0.195 1025 192.168.7.197 80

packet-tracer input inside1 tcp 192.168.7.197 1025 192.168.0.195 80

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Happy to.

-------------------------------------------------

BOB# packet-tracer input inside tcp 192.168.0.195 1025 192.168.7.197 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.7.0      255.255.255.0   Inside1

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0      255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list inside_access_in remark External secure web access allowed
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 192.168.0.0 255.255.255.0 Inside1 192.168.7.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.0.0 255.255.255.0
  match ip inside 192.168.0.0 255.255.255.0 Inside1 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.0.0 255.255.255.0
  match ip inside 192.168.0.0 255.255.255.0 outside any
    dynamic translation to pool 1 (70.90.54.65 [Interface PAT])
    translate_hits = 7768606, untranslate_hits = 334687
Additional Information:

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside1) 1 192.168.7.0 255.255.255.0
  match ip Inside1 192.168.7.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 12
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside1) 1 192.168.7.0 255.255.255.0
  match ip Inside1 192.168.7.0 255.255.255.0 outside any
    dynamic translation to pool 1 (70.90.54.65 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 20102140, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

BOB# packet-tracer input inside1 tcp 192.168.7.197 1025 192.168.0.195 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0      255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip Inside1 any inside 192.168.0.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 1
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside1) 1 192.168.7.0 255.255.255.0
  match ip Inside1 192.168.7.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside1) 1 192.168.7.0 255.255.255.0
  match ip Inside1 192.168.7.0 255.255.255.0 outside any
    dynamic translation to pool 1 (70.90.54.65 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 192.168.0.0 255.255.255.0
  match ip inside 192.168.0.0 255.255.255.0 Inside1 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.0.0 255.255.255.0
  match ip inside 192.168.0.0 255.255.255.0 outside any
    dynamic translation to pool 1 (70.90.54.65 [Interface PAT])
    translate_hits = 7768659, untranslate_hits = 334687
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 20102371, packet dispatched to next module

Result:
input-interface: Inside1
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
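The two traces above say ALLOW at every one of their thirteen or fourteen phases, which is exactly what makes them hard to read by eye: the interesting details (which exemption entry matched, which `nat` id matched with no global on the egress interface, and that the first trace reports `output-interface: inside` even though its route lookup chose Inside1) are buried in the middle. As an added example, not part of the thread, here is a small Python parser that turns packet-tracer output into phase records so two traces can be compared mechanically, and reports a DROP with its phase and drop reason. Both embedded traces are constructed: TRACE_ALLOW condenses the inside to Inside1 trace above, and TRACE_DROP is a hypothetical ACL deny using the standard `(acl-drop)` reason string.

```python
"""Parse ASA packet-tracer output into phases so two traces can be diffed.
Added example; TRACE_ALLOW condenses the inside -> Inside1 trace posted in
this thread, TRACE_DROP is a constructed denied flow to exercise the DROP path."""
import re

TRACE_ALLOW = """\
Phase: 1
Type: NAT-EXEMPT
Result: ALLOW
Config:
  match ip inside 192.168.0.0 255.255.255.0 Inside1 192.168.7.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 2
Type: NAT
Result: ALLOW
Config:
nat (inside) 1 192.168.0.0 255.255.255.0
  match ip inside 192.168.0.0 255.255.255.0 Inside1 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
output-interface: Inside1
Action: allow
"""

TRACE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any

Result:
input-interface: inside
output-interface: Inside-Phone
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
SUMMARY_KEYS = {"input-interface": "input", "output-interface": "output", "Action": "action", "Drop-reason": "drop_reason"}


def parse_packet_tracer(text):
    """Return {"phases": [{"n", "type", "subtype", "result", "config", "info"}],
    "input", "output", "action", "drop_reason"} from raw packet-tracer text."""
    trace = {"phases": [], "input": None, "output": None, "action": None, "drop_reason": None}
    cur = section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            cur = {"n": int(m.group(1)), "type": "", "subtype": "", "result": "",
                   "config": [], "info": []}
            trace["phases"].append(cur)
            section = None
        elif line == "Result:":            # start of the final summary block
            cur = section = None
        elif cur is None:                  # summary block: interfaces, action, drop reason
            key, _, val = line.partition(":")
            if key in SUMMARY_KEYS:
                trace[SUMMARY_KEYS[key]] = val.strip()
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif line and section:
            cur[section].append(line)
    return trace


def first_drop_phase(trace):
    """First phase with Result: DROP, or None when every phase allowed the packet."""
    return next((p for p in trace["phases"] if p["result"].upper() == "DROP"), None)


def nat_matches(trace):
    """(phase, type, 'match ip ...' line, no_global) for NAT and NAT-EXEMPT phases."""
    out = []
    for p in trace["phases"]:
        if p["type"] in ("NAT", "NAT-EXEMPT"):
            no_global = any("No matching global" in c for c in p["config"])
            out += [(p["n"], p["type"], c, no_global) for c in p["config"] if c.startswith("match ip")]
    return out


if __name__ == "__main__":
    for t in (TRACE_ALLOW, TRACE_DROP):
        parsed = parse_packet_tracer(t)
        drop = first_drop_phase(parsed)
        print(parsed["action"], parsed["input"], "->", parsed["output"],
              f"(phase {drop['n']} {drop['type']}: {parsed['drop_reason']})" if drop else "")
        for n, kind, match, no_global in nat_matches(parsed):
            print(f"  phase {n} {kind}: {match}", "[No matching global]" if no_global else "")
```

The parser keys only on the `Phase:`, `Type:`, `Subtype:`, `Result:`, `Config:` and `Additional Information:` labels visible in the output above, so real traces can be pasted in unchanged; comparing `nat_matches()` of a working and a failing trace is the quickest way to see whether the two directions hit different exemption entries.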

At this stage, I would not rely on packet-tracer; I would suggest taking captures and logs simultaneously and checking where the traffic is getting dropped, and for what reason.

Captures:

https://supportforums.cisco.com/docs/DOC-17814

Thanks,
Varun Rao

Hello Patrick,

As we could see in the packet-tracer output, the connections are being accepted by the ASA.

Now let's do some captures to find out what is happening with this traffic.

Let's start with an ASP-drop capture:

capture asp type asp-drop all

-------------------------------------------------------------------------------

Then let's do one for the connections being built from an inside host to an Inside1 host:

access-list capin permit ip host 192.168.0.195 host 192.168.7.197
access-list capin permit ip host 192.168.7.197 host 192.168.0.195
capture capin access-list capin interface inside

*********************************************************************

access-list capin1 permit ip host 192.168.0.195 host 192.168.7.197
access-list capin1 permit ip host 192.168.7.197 host 192.168.0.195
capture capin1 access-list capin1 interface inside1

**********************************************************

Now you can give us the output of the following:

show cap asp | include 192.168.0.195
show cap asp | include 192.168.7.197

Then download the captures capin and capin1 as pcap files; you will need to be able to access the ASA via HTTPS. For this, go to a browser on a PC located on the inside interface, then attach the files to this discussion.

https://192.168.0.190/capture/capin/pcap
https://192.168.0.190/capture/capin1/pcap

Hope this helps.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Howdy,

Here are the results of the show cap commands:

BOB# show cap asp | include 192.168.0.196
131: 18:03:03.215976 192.168.0.196.138 > 192.168.0.255.138:  udp 201
449: 18:04:18.479848 192.168.0.196.138 > 192.168.0.255.138:  udp 214
BOB# show cap asp | include 192.168.7.197
408: 18:04:03.354672 192.168.7.197.138 > 192.168.7.255.138:  udp 213
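Those three lines are worth reading for what they are: every packet in an asp-drop capture is one the ASA discarded, and all three here are NetBIOS (udp 138) datagrams sent to a directed broadcast address, which a firewall does not forward between interfaces. Nothing between the two test hosts shows up at all. As an added example, not part of the thread, the Python below parses `show capture` lines, marks broadcasts against the inside subnets from the posted config, and extracts the packets between a host pair, which is what the `| include` greps above do by hand. The first three sample lines are the output above; the last two (a TCP SYN and an ICMP echo between 192.168.0.195 and 192.168.3.197) are constructed to exercise the filters.

```python
"""Parse ASA `show capture` lines, flag broadcast noise and pull out the packets
between a given host pair. Added example; the first three sample lines are the
asp-drop capture output posted in this thread, the last two are constructed."""
import ipaddress
import re

SHOW_CAP_ASP = """\
131: 18:03:03.215976 192.168.0.196.138 > 192.168.0.255.138:  udp 201
408: 18:04:03.354672 192.168.7.197.138 > 192.168.7.255.138:  udp 213
449: 18:04:18.479848 192.168.0.196.138 > 192.168.0.255.138:  udp 214
450: 18:04:19.101533 192.168.0.195.1025 > 192.168.3.197.80: S 1234567:1234567(0) win 8192
451: 18:04:20.003211 192.168.0.195 > 192.168.3.197: icmp: echo request
"""

# Inside subnets from the posted config; a packet to one of their directed
# broadcast addresses (or 255.255.255.255) is local-segment noise, not a flow
# the firewall was ever going to forward to another interface.
INSIDE_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.3.0/24", "192.168.7.0/24")]

LINE_RE = re.compile(
    r"^\s*(?P<n>\d+):\s+(?P<ts>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$")


def _proto(m):
    """Protocol from the tail of the line: 'udp N', 'icmp: ...', else TCP when ports are present."""
    rest = m.group("rest")
    if rest.startswith("udp"):
        return "udp"
    if rest.startswith("icmp"):
        return "icmp"
    return "tcp" if m.group("sport") else "other"


def parse_show_capture(text, subnets=INSIDE_SUBNETS):
    """One dict per capture line; lines that do not match the format are skipped."""
    bcast = {str(n.broadcast_address) for n in subnets} | {"255.255.255.255"}
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "n": int(m.group("n")), "ts": m.group("ts"),
            "src": m.group("src"), "dst": m.group("dst"),
            "sport": int(m.group("sport")) if m.group("sport") else None,
            "dport": int(m.group("dport")) if m.group("dport") else None,
            "proto": _proto(m), "broadcast": m.group("dst") in bcast,
        })
    return entries


def between(entries, a, b):
    """Entries whose two endpoints are exactly hosts a and b, in either direction."""
    return [e for e in entries if {e["src"], e["dst"]} == {a, b}]


if __name__ == "__main__":
    caps = parse_show_capture(SHOW_CAP_ASP)
    print(f"{len(caps)} dropped packets, {sum(e['broadcast'] for e in caps)} of them broadcast")
    for e in between(caps, "192.168.0.195", "192.168.3.197"):
        print(f"#{e['n']} {e['proto']:4} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
```

On the real output above, `between(caps, "192.168.0.195", "192.168.3.197")` comes back empty, which is the point: an empty asp-drop result for the pair means the ASA is not the one discarding the packets, and the next place to look is the interface captures (capin/capin1) and the hosts themselves.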

Hi Patrick,

Can you save them in .dat format and send them to us?

When I opened the file I did not see anything.

Regarding the ASP capture, we can see that the ASA is not dropping the connections between both interfaces, as we did not see any drops.

Regards.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


192.168.0.195 to 192.168.7.197 and vice versa works.  Thanks!

Would you try 192.168.0.195 to 192.168.3.197 in the simulator?  I still cannot ping between them.

Julio Carvajal
VIP Alumni

Hello Patrick,

I did it on our ASA lab, and both of them worked.

Have you checked that both of them have the Windows firewall disabled?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

They are all working smoothly now.  The 192.168.3.x device was a switch that had the wrong ip address setup on it.

Thank you again for all of your help.

Hello Patrick,

Good to hear that everything is working fine.

Hope you have a great day.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC