Assist: how do I allow hosts in the inside segment to reach the outside segment and vice versa, taking into account the security levels?

CSCO11839734
Level 1

ASA Version 7.0(8)
!
hostname BUJ-IT-ASA-LAN-2
domain-name leo.bi
enable password MgKXXPviZgW4zhKc encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 description connects ucom lan
 nameif inside
 security-level 100
 ip address 192.168.0.13 255.255.248.0
!
interface Ethernet0/1
 description out interface
 nameif outside
 security-level 0
 ip address 192.168.254.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username UcomIT password Tx95VR7l4gIiavnh encrypted
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.248.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:ba068a6f85d256ce9351d903c60873e5
: end


Jouni Forss
VIP Alumni

Hi,

By default, if you don't configure any ACL/access-list on the device, then all devices on the higher "security-level" interface can communicate with any devices on the lower "security-level" interfaces. Or rather, that is the direction in which connections are allowed by default.

I notice that you don't have a default route configured on your ASA.

You need

route outside 0.0.0.0 0.0.0.0 x.x.x.x

Where the x.x.x.x is the IP address of the gateway device. Replace it with the IP address of your Internet gateway device.

Also I am not quite clear on your Internet connection setup but it would seem to me as I said in the previous discussion that you probably have some other device in front of the ASA doing NAT. Make sure it has a route for the LAN network behind the "inside" interface of the ASA.

- Jouni

OK. The thing is, it's a trial setup which I want to implement in my network. Assume that 192.168.0.0/21 is my inside network and 192.168.254.0/24 is just an HR segment; how do I allow outside devices to get to HR ... and vice versa?

thanks once again

Hi,

If you want to make sure that the 2 networks can communicate with each other without any NAT, then you can configure

access-list INSIDE-NAT0 permit ip 192.168.0.0 255.255.248.0 192.168.254.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

Then you can configure an ACL/access-list on the "outside" interface to allow the traffic/connections you need.

For example

access-list OUTSIDE-IN permit tcp 192.168.254.0 255.255.255.0 host 192.168.0.100 eq 80

access-list OUTSIDE-IN permit tcp 192.168.254.0 255.255.255.0 host 192.168.0.100 eq 443

access-group OUTSIDE-IN in interface outside

The ACL rules you configure naturally depend on your needs. The "access-group" command has to be issued only once as it attaches the ACL named "OUTSIDE-IN" to the "outside" interface.

- Jouni


Sir, I'm still stuck. Since implementing my ACL rules as you assisted me, I can only ping my gateway from both segments but can't ping the other segment. I'm wondering how to allow traffic to pass between both segments.

Hi,

Its success really depends on the rest of the network that I don't know about.

If the hosts that you are using to PING/ICMP through the ASA are connected to the same network as the ASA's interface, then you will have to make sure that the hosts both have routes towards the other network.

Also if on the "outside" of the ASA there are additional networking devices then you have to configure default route on the ASA also as mentioned in the other discussion.

route outside 0.0.0.0 0.0.0.0

The above reply's ACL was just an example of the configuration format. If you wanted to allow ICMP, then you would also have to allow ICMP:

access-list OUTSIDE-IN permit icmp 192.168.254.0 255.255.255.0 192.168.0.0 255.255.248.0 echo

I don't see anything else wrong with the ASA configuration related to ICMP, other than possibly the lack of a default route and allowing the ICMP from the "outside" with the ACL "OUTSIDE-IN".

Go through the network setup from one host to the other. On each step, confirm that the device has a route towards both of the networks. Otherwise the devices will naturally not be able to forward the ICMP messages from end to end.

- Jouni
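As an added illustration of the rule Jouni describes (this model is not from the thread or from Cisco), the Python below decides whether a new flow entering the ASA is allowed: with no ACL on the ingress interface the security-level default applies, and once an ACL is bound there it alone decides, with an implicit deny at the end. The security levels, subnets and OUTSIDE-IN entries are taken from the posts above; the hosts 192.168.254.50 and 192.168.0.20 are constructed sample addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values from the posted ASA config: interface security levels and subnets.
SECURITY_LEVEL = {"inside": 100, "outside": 0}
SUBNET = {"inside": ipaddress.ip_network("192.168.0.0/21"),
          "outside": ipaddress.ip_network("192.168.254.0/24")}
SAME_SECURITY_INTER_INTERFACE = True  # same-security-traffic permit inter-interface

@dataclass(frozen=True)
class Ace:
    """One access-list entry; port is the destination port for tcp/udp."""
    proto: str                       # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None       # None = any destination port
    icmp_type: Optional[str] = None  # None = any ICMP type

def ace(proto, src, dst, port=None, icmp_type=None):
    return Ace(proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), port, icmp_type)

# Jouni's OUTSIDE-IN ACL from the replies, including the ICMP echo line.
OUTSIDE_IN = [
    ace("tcp", "192.168.254.0/24", "192.168.0.100/32", port=80),
    ace("tcp", "192.168.254.0/24", "192.168.0.100/32", port=443),
    ace("icmp", "192.168.254.0/24", "192.168.0.0/21", icmp_type="echo"),
]

def interface_of(ip):
    addr = ipaddress.ip_address(ip)
    name = next((n for n, net in SUBNET.items() if addr in net), None)
    if name is None:
        raise ValueError(f"{ip} is not on a known interface")
    return name

def matches(a, proto, src, dst, port, icmp_type):
    return (a.proto in ("ip", proto)
            and ipaddress.ip_address(src) in a.src
            and ipaddress.ip_address(dst) in a.dst
            and (a.port is None or a.port == port)
            and (a.icmp_type is None or a.icmp_type == icmp_type))

def new_connection_allowed(acls, proto, src, dst, port=None, icmp_type=None):
    """Decide whether a *new* flow entering the ASA is allowed.
    acls maps interface name -> inbound ACL (access-group ... in interface ...).
    Return traffic of an allowed flow is handled by the connection table, not here."""
    ingress, egress = interface_of(src), interface_of(dst)
    if ingress in acls:  # an inbound ACL replaces the default; implicit deny at the end
        return any(matches(a, proto, src, dst, port, icmp_type) for a in acls[ingress])
    lvl_in, lvl_out = SECURITY_LEVEL[ingress], SECURITY_LEVEL[egress]
    return lvl_in > lvl_out or (SAME_SECURITY_INTER_INTERFACE and lvl_in == lvl_out)
```

Running it with only the two TCP lines bound to "outside" reproduces the symptom in the thread: a ping from the HR segment into the inside network is dropped by the implicit deny until the ICMP echo entry is added, while inside-to-outside pings pass under the 100-to-0 default.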

OK ... let me do that and I will get back to you.

thanks
