10-11-2011 10:28 AM - edited 03-11-2019 02:36 PM
Howdy Folks,
I've been trying to figure this one out for quite a while. I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones). I have not been able to get any traffic between the interfaces. With the current setup it was not a major problem. With the new setup it will be a major problem.
I believe I have over thought the problem and probably done more than is needed. Below is a sanitized version of the config.
Thank you for any help you can give me.
Pat
---------------------------------------------------------------------
ASA Version 8.2(1)
!
hostname BOB
dns-guard
!
interface Ethernet0/0
description Internet External Network
speed 100
duplex full
nameif outside
security-level 0
ip address 10.10.10.10 255.255.255.248
!
interface Ethernet0/1
description Internal Network
nameif inside
security-level 100
ip address 192.168.0.190 255.255.255.0
!
interface Ethernet0/2
description T1 Network
nameif Outside-T1
security-level 0
ip address 10.11.11.11 255.255.255.248
!
interface Ethernet0/3
description VOIP Phones
nameif Inside-Phone
security-level 100
ip address 192.168.3.190 255.255.255.0
!
interface Management0/0
description Clients & Wireless workstations
nameif Inside1
security-level 100
ip address 192.168.7.190 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.0.241
name-server 192.168.0.242
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list Inside-Phone_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list Inside-Phone_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside-Phone_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list Inside-Phone_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside1_nat0_outbound extended permit ip any 192.168.7.0 255.255.255.0
access-list inside1_nat0_outbound extended permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside1_nat0_outbound extended permit ip 192.168.7.0 255.255.255.0 192.168.3.0 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface Outside-T1
ipv6 access-list inside_access_ipv6_in deny ip any any
ipv6 access-list Inside-Phone_access_ipv6_in deny ip any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any echo-reply Outside-T1
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (Outside-T1) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
nat (Inside-Phone) 0 access-list Inside-Phone_nat0_outbound
nat (Inside-Phone) 1 192.168.3.0 255.255.255.0
nat (Inside-Phone) 10 0.0.0.0 0.0.0.0
nat (Inside1) 0 access-list inside_nat0_outbound
nat (Inside1) 1 192.168.7.0 255.255.255.0
nat (Inside1) 10 0.0.0.0 0.0.0.0
static (inside,outside) 70.90.54.66 192.168.0.217 netmask 255.255.255.255
static (inside,outside) 70.90.54.67 192.168.0.219 netmask 255.255.255.255
static (inside,outside) 70.90.54.68 192.168.0.201 netmask 255.255.255.255
static (inside,outside) 70.90.54.69 192.168.0.202 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 10.10.10.9 1
route Outside-T1 0.0.0.0 0.0.0.0 10.11.11.9 150
dynamic-access-policy-record DfltAccessPolicy
!
!
priority-queue Outside-T1
queue-limit 2000
tx-ring-limit 200
priority-queue Inside-Phone
queue-limit 2000
tx-ring-limit 200
!
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect icmp
policy-map Outside-T1-VOIP-policy
description Policy for VOIP traffic on Outside-T1 interface
class VOIP
priority
!
service-policy global_policy global
: end
10-11-2011 10:44 AM
Hello Patrick,
Would you mind providing us the output of the following packet tracers?
packet-tracer input inside tcp 192.168.0.195 1025 192.168.7.197 80
packet-tracer input inside1 tcp 192.168.7.197 1025 192.168.0.195 80
Regards,
Julio
10-11-2011 11:20 AM
Happy to.
-------------------------------------------------
BOB# packet-tracer input inside tcp 192.168.0.195 1025 192.168.7.197 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.7.0 255.255.255.0 Inside1
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list inside_access_in remark External secure web access allowed
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.0.0 255.255.255.0 Inside1 192.168.7.0 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 0
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.0.0 255.255.255.0
match ip inside 192.168.0.0 255.255.255.0 Inside1 any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.0.0 255.255.255.0
match ip inside 192.168.0.0 255.255.255.0 outside any
dynamic translation to pool 1 (70.90.54.65 [Interface PAT])
translate_hits = 7768606, untranslate_hits = 334687
Additional Information:
Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside1) 1 192.168.7.0 255.255.255.0
match ip Inside1 192.168.7.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 12
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside1) 1 192.168.7.0 255.255.255.0
match ip Inside1 192.168.7.0 255.255.255.0 outside any
dynamic translation to pool 1 (70.90.54.65 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 20102140, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
BOB# packet-tracer input inside1 tcp 192.168.7.197 1025 192.168.0.195 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip Inside1 any inside 192.168.0.0 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 1
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside1) 1 192.168.7.0 255.255.255.0
match ip Inside1 192.168.7.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside1) 1 192.168.7.0 255.255.255.0
match ip Inside1 192.168.7.0 255.255.255.0 outside any
dynamic translation to pool 1 (70.90.54.65 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 192.168.0.0 255.255.255.0
match ip inside 192.168.0.0 255.255.255.0 Inside1 any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.0.0 255.255.255.0
match ip inside 192.168.0.0 255.255.255.0 outside any
dynamic translation to pool 1 (70.90.54.65 [Interface PAT])
translate_hits = 7768659, untranslate_hits = 334687
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 20102371, packet dispatched to next module
Result:
input-interface: Inside1
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
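An added helper, not from the thread or from Cisco, that parses packet-tracer output of the shape Patrick posted and pulls out the final verdict plus the phases a troubleshooter looks at first (non-ALLOW results, nat 0 exemption hits, and dynamic NAT rules that matched with "No matching global"). The embedded trace is a constructed, abbreviated sample in that format, not the full output above.

```python
# Constructed, abbreviated sample in the shape of the packet-tracer output posted above.
SAMPLE = """\
Phase: 1
Type: NAT-EXEMPT
Result: ALLOW
match ip inside 192.168.0.0 255.255.255.0 Inside1 192.168.7.0 255.255.255.0
NAT exempt
Phase: 2
Type: NAT
Result: ALLOW
nat (inside) 1 192.168.0.0 255.255.255.0
dynamic translation to pool 1 (No matching global)
Result:
input-interface: inside
output-interface: inside
Action: allow
"""

def parse_packet_tracer(text):
    """Return (phases, result): one dict per 'Phase:' block plus the final block."""
    phases, result, cur = [], {}, None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key == "Phase":
            cur = {"phase": int(val), "lines": []}
            phases.append(cur)
        elif line == "Result:":  # a bare 'Result:' starts the trailing verdict block
            cur = None
        elif cur is not None:
            if key in ("Type", "Subtype", "Result"):
                cur[key.lower()] = val.strip()
            else:
                cur["lines"].append(line)  # Config / Additional Information detail
        elif val:
            result[key] = val.strip()
    return phases, result

def summarize(text):
    # Verdict, interfaces, and the phases worth a second look when inter-interface traffic fails.
    phases, result = parse_packet_tracer(text)
    findings = []
    for p in phases:
        tag = f"phase {p['phase']} {p.get('type')}"
        if p.get("result") != "ALLOW":
            findings.append(f"{tag}: {p.get('result')}")
        if p.get("type") == "NAT-EXEMPT" and "NAT exempt" in p["lines"]:
            findings.append(f"{tag}: matched a nat 0 exemption")
        if p.get("type") == "NAT" and any("No matching global" in l for l in p["lines"]):
            findings.append(f"{tag}: dynamic rule matched, no global on this egress")
    return {"action": result.get("Action"), "in": result.get("input-interface"),
            "out": result.get("output-interface"), "findings": findings}
```

Paste a full trace in place of SAMPLE; the parser tolerates the empty Subtype, Config and Additional Information lines the real output carries.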
10-11-2011 11:25 AM
At this stage, I would not rely on packet-tracer. I would suggest taking captures and logs simultaneously and checking where the traffic is getting dropped, and for what reason.
Captures:
https://supportforums.cisco.com/docs/DOC-17814
Thanks,
Varun
10-11-2011 11:43 AM
Hello Patrick,
As we could see in the packet-tracer output, the connections are being accepted by the ASA.
Now let's do some captures to find out what is happening with this traffic.
Let's start with an ASP-drop capture:
-capture asp type asp-drop all
-------------------------------------------------------------------------------
Then let's do one for the connections being built from one inside host to an inside1 host.
access-list capin permit ip host 192.168.0.195 host 192.168.7.197
access-list capin permit ip host 192.168.7.197 host 192.168.0.195
capture capin access-list capin interface inside
*********************************************************************
access-list capin1 permit ip host 192.168.0.195 host 192.168.7.197
access-list capin1 permit ip host 192.168.7.197 host 192.168.0.195
capture capin1 access-list capin1 interface inside1
**********************************************************
Now you can give us the output of the following:
-Show cap asp | include 192.168.0.195
-Show cap asp | include 192.168.7.197
Then download the captures capin and capin1 as a pcap file; you will need to be able to access the ASA via HTTPS.
For this, go to a browser on a PC located on the inside interface and attach it to this discussion.
-https://192.168.0.190/capture/capin/pcap
-https://192.168.0.190/capture/capin1/pcap
Hope this helps.
Julio
10-11-2011 03:49 PM
Howdy,
Here are the results of the Show cap commands:
BOB# Show cap asp | include 192.168.0.196
131: 18:03:03.215976 192.168.0.196.138 > 192.168.0.255.138: udp 201
449: 18:04:18.479848 192.168.0.196.138 > 192.168.0.255.138: udp 214
BOB# Show cap asp | include 192.168.7.197
408: 18:04:03.354672 192.168.7.197.138 > 192.168.7.255.138: udp 213
10-11-2011 04:39 PM
Hi Patrick,
Can you save them in .dat format and send them to us?
When I open the file I did not see anything.
Regarding the ASP capture, we can see that the ASA is not dropping the connections between both interfaces, as we did not see any drops.
Regards.
10-11-2011 05:23 PM
Hello Patrick,
I did a lab recreation to help you on this and I can tell you that the configuration is fine.
In our lab the connections between these two interfaces were accepted by the ASA.
One question: are you able to ping from 192.168.0.195 to 192.168.7.197 and backwards?
10-11-2011 05:40 PM
192.168.0.195 to 192.168.7.197 and vice versa works. Thanks!
Would you try 192.168.0.195 to 192.168.3.197 in the simulator? I still can not ping between them.
10-11-2011 05:49 PM
Hello Patrick.
I did it on our ASA lab, and both of them worked.
Have you checked that both of them have the Windows firewall disabled?
Regards,
10-11-2011 06:07 PM
They are all working smoothly now. The 192.168.3.x device was a switch that had the wrong IP address set up on it.
Thank you again for all of your help.
10-11-2011 09:14 PM
Hello Patrick,
Good to hear that everything is working fine.
Hope you have a great day.
Julio