CISCO ASA 5510 Communication between two internal Interfaces

netminator
Level 1

I've been following most of the comments regarding how to allow communication between two internal networks on an ASA 5510 running 8.2.5,

but I am still a little confused about how to set up my firewall. I made changes to it and still do not have the desired results.

I need to allow communication between Interface 0/1 and Interface 0/2. Please see the configuration file, with fake or dummy IP addresses, below.

ASA Version 8.2(5)
!
hostname ciscoasa
domain-name lxx.com
enable password xxxxxxxxxxx encrypted
passwd xxxxxxx encrypted
names
name a.a.a.1 Helpdesk
name b.b.b.5 OutsidePort245
name a.a.a.2 SVN
name a.a.a.1 Webportal
name c.c.c.2 Lxx2
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address b.b.b.4 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address a.a.a.100 255.255.255.240
!
interface Ethernet0/2
 nameif inside2
 security-level 50
 ip address d.d.d.80 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone cent
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server A.A.A.100
 name-server X.X.1.65
 name-server M.M.1.70
 domain-name lxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Helpdesk tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq smtp
object-group service SVN tcp
 port-object eq https
 port-object eq ssh
object-group service Webportal tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq smtp
access-list inside_access_in extended permit udp any any
access-list inside_access_in remark Test allow everything
access-list inside_access_in extended permit tcp any any object-group Webportal
access-list inside_access_in extended permit tcp A.A.A.96 255.255.255.240 eq https any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any object-group SVN
access-list inside_access_in extended permit tcp any any object-group Helpdesk
access-list outside_access_in extended permit tcp any host Webportal object-group Webportal
access-list outside_access_in extended permit tcp any B.B.B.240 255.255.255.240
access-list outside_access_in extended permit tcp any host Helpdesk object-group Helpdesk
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any object-group SVN
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 A.A.0.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp OutsidePort245 www Helpdesk www netmask 255.255.255.255
static (inside,outside) tcp OutsidePort245 https Helpdesk https netmask 255.255.255.255
static (inside,outside) tcp OutsidePort245 ssh Helpdesk ssh netmask 255.255.255.255
static (inside,outside) tcp interface www Webportal www netmask 255.255.255.255
static (inside,outside) tcp interface https Webportal https netmask 255.255.255.255
static (inside,outside) tcp interface ssh SVN ssh netmask 255.255.255.255
static (inside,outside) tcp interface 88 SVN 88 netmask 255.255.255.255
static (inside,outside) tcp interface smtp Webportal smtp netmask 255.255.255.255
static (outside,inside) tcp interface smtp 71.46.218.244 smtp netmask 255.255.255.255
static (outside,inside) tcp Webportal www B.B.B.4 www netmask 255.255.255.255
static (outside,inside) tcp Webportal https B.B.B.4 https netmask 255.255.255.255
static (outside,inside) tcp Webportal ssh B.B.B.4 ssh netmask 255.255.255.255
static (outside,inside) tcp SVN 88 B.B.B.4 88 netmask 255.255.255.255
static (outside,inside) tcp Helpdesk www OutsidePort245 www netmask 255.255.255.255
static (outside,inside) tcp Helpdesk https OutsidePort245 https netmask 255.255.255.255
static (outside,outside) tcp Helpdesk ssh OutsidePort245 ssh netmask 255.255.255.255
static (inside,outside) tcp OutsidePort245 smtp Helpdesk smtp netmask 255.255.255.255
static (outside,inside) tcp Helpdesk smtp OutsidePort245 smtp netmask 255.255.255.255
static (inside,inside2) A.A.0.0 D.D.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 B.B.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http D.D.1.0 255.255.255.0 inside
http A.A.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh A.A.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcp-client update dns server both
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ADMIN encrypted
username user encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 description ssh
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:adsfadsfadsfadf
: end

1 Reply

Julio Carvajal
VIP Alumni

Hi,

same-security-traffic permit inter-interface = check.

access-list inside_access_in = as we are playing with dummy IPs, I do not know if you are allowing the right traffic; I just hope so.

Do the following:

no static (inside,inside2) A.A.0.0 D.D.1.0 netmask 255.255.255.0
static (inside,inside2) a.a.a.x a.a.a.x netmask 255.255.255.240
static (inside2,inside) d.d.d.x d.d.d.x netmask 255.255.255.0

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
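The fix above, expanded into a complete ASA 8.2 NAT section with the checks a practitioner would run. This is an added example, not configuration from the original thread or from Cisco. It assumes the inside subnet is a.a.a.96/28 and the inside2 subnet is d.d.d.0/24 (read from the posted interface addresses a.a.a.100/28 and d.d.d.80/24), that a.a.a.97 and d.d.d.10 are example hosts in those subnets, and that the ACL name inside2_access_in and the ports it permits are placeholders to be adjusted. The letters are the thread's dummy octets; note that the posted "nat (inside) 1 A.A.0.0 255.255.255.0" implies a different inside subnet than the interface line does, so the masks must be checked against the real networks before anything is applied.

```cisco
! Added example, not from the original thread. Assumed subnets: inside a.a.a.96/28,
! inside2 d.d.d.0/24 (taken from the posted interface addresses; verify the masks
! against the real networks, since the posted nat and interface lines disagree).
!
! 1. Remove the broken static. It names the wrong networks and, being a real
!    translation rather than an identity one, rewrites inside hosts to d.d.d.x
!    addresses whenever they talk to inside2.
no static (inside,inside2) A.A.0.0 D.D.1.0 netmask 255.255.255.0
!
! 2. Identity statics (mapped address == real address) in both directions.
!    Without them, inside->inside2 traffic matches "nat (inside) 1 0.0.0.0 0.0.0.0",
!    finds no "global (inside2) 1" on the egress interface and is dropped with
!    %ASA-3-305005 "No translation group found". Statics are evaluated before
!    dynamic NAT, so these win for the inter-LAN flows while Internet-bound
!    flows still PAT to the outside interface as before.
static (inside,inside2) a.a.a.96 a.a.a.96 netmask 255.255.255.240
static (inside2,inside) d.d.d.0 d.d.d.0 netmask 255.255.255.0
!
! 3. Existing translations stay cached until they age out; flush them so the
!    new statics take effect immediately.
clear xlate
!
! 4. inside2 has no access-group in the posted config, so with
!    "same-security-traffic permit inter-interface" everything from inside2 is
!    permitted. An explicit ACL keeps inside2 to what it actually needs on inside
!    (assumed: the Webportal service group and ICMP) and still lets it reach the
!    Internet. Adjust the permits to the real requirement.
access-list inside2_access_in extended permit tcp d.d.d.0 255.255.255.0 a.a.a.96 255.255.255.240 object-group Webportal
access-list inside2_access_in extended permit icmp d.d.d.0 255.255.255.0 a.a.a.96 255.255.255.240
access-list inside2_access_in extended deny ip any a.a.a.96 255.255.255.240
access-list inside2_access_in extended permit ip d.d.d.0 255.255.255.0 any
access-group inside2_access_in in interface inside2
!
! 5. Verify from the CLI before testing from a host. Each trace should end in
!    "Action: allow" and show the identity static in its NAT phase. Hosts
!    a.a.a.97 and d.d.d.10 are assumed example addresses in each subnet.
packet-tracer input inside  tcp a.a.a.97 50000 d.d.d.10 443
packet-tracer input inside2 tcp d.d.d.10 50000 a.a.a.97 443
show xlate
show logging | include 305005
```

If you would rather not translate at all between the two LANs, NAT exemption does the same job in 8.2 syntax: an access-list inside_nat0 extended permit ip a.a.a.96 255.255.255.240 d.d.d.0 255.255.255.0 applied with nat (inside) 0 access-list inside_nat0, and the mirror rule on inside2. Exemption is matched before statics and dynamic NAT, so it also stops the 305005 drops. Whichever you choose, the existing inside_access_in still applies to inside-to-inside2 traffic, so TCP from inside is limited to the ports in the Helpdesk, SVN and Webportal groups; if the 305005 messages continue after the change, the real subnets do not match the masks in the statics.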