02-24-2016 05:38 AM - edited 03-12-2019 12:23 AM
Hello,
I am new to Cisco ASA firewalls. Now I'm using a Cisco ASA with IOS Version 8.2(4). The appliance is configured and working properly, but I need to make some configuration changes. I want to allow communication between VLANs 80 (emp) and 101 (storage). To do that I have put in the following command to avoid translation between the VLANs:
static (emp,storage) 10.1.8.0 10.1.8.0 netmask 255.255.255.0
but it doesn't work:
# packet-tracer input emp tcp 10.1.8.10 www 172.16.0.254 www
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.255.0 storage
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group emp_acl in interface emp
access-list emp_acl extended permit ip 10.1.8.0 255.255.255.0 any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (emp,storage) 10.1.8.0 10.1.8.0 netmask 255.255.255.0
match ip emp 10.1.8.0 255.255.255.0 storage any
static translation to 10.1.8.0
translate_hits = 131, untranslate_hits = 19
Additional Information:
Static translate 10.1.8.0/0 to 10.1.8.0/0 using netmask 255.255.255.0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (emp,BMS) 10.1.8.0 10.1.8.0 netmask 255.255.255.0
match ip emp 10.1.8.0 255.255.255.0 BMS any
static translation to 10.1.8.0
translate_hits = 3187127, untranslate_hits = 3209014
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (storage) 1 172.16.0.0 255.255.255.0
match ip storage 172.16.0.0 255.255.255.0 emp any
dynamic translation to pool 1 (No matching global)
translate_hits = 3, untranslate_hits = 0
Additional Information:
Result:
input-interface: emp
input-status: up
input-line-status: up
output-interface: storage
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
---
I am confused, because communication between VLANs 100 and 101 works:
# packet-tracer input mgm tcp 10.1.10.200 www 172.16.0.254 www
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.255.0 storage
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group mgm_acl in interface mgm
access-list mgm_acl extended permit ip 10.1.10.0 255.255.255.0 any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (mgm,storage) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
match ip mgm 10.1.10.0 255.255.255.0 storage any
static translation to 10.1.10.0
translate_hits = 2413235, untranslate_hits = 219750
Additional Information:
Static translate 10.1.10.0/0 to 10.1.10.0/0 using netmask 255.255.255.0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (mgm,DNS) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
match ip mgm 10.1.10.0 255.255.255.0 DNS any
static translation to 10.1.10.0
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (storage,BMS) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
match ip storage 172.16.0.0 255.255.255.0 BMS any
static translation to 172.16.0.0
translate_hits = 66, untranslate_hits = 1138372
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 287955213, packet dispatched to next module
Result:
input-interface: mgm
input-status: up
input-line-status: up
output-interface: storage
output-status: up
output-line-status: up
Action: allow
---
Current config below:
!
interface GigabitEthernet0/1.80
vlan 80
nameif emp
security-level 90
ip address 10.1.8.1 255.255.255.0 standby 10.1.8.2
!
interface GigabitEthernet0/1.100
vlan 100
nameif mgm
security-level 100
ip address 10.1.10.1 255.255.255.0 standby 10.1.10.2
!
interface GigabitEthernet0/1.101
vlan 101
nameif storage
security-level 91
ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
!
...
!
global (outside) 1 XX.YY.ZZ.238
global (outside) 2 XX.YY.ZZ.237
global (outside) 3 XX.YY.ZZ.236
global (outside) 4 XX.YY.ZZ.235
global (outside) 5 XX.YY.ZZ.100
global (outside) 6 XX.YY.ZZ.160
global (outside) 7 192.168.1.10
global (outside) 8 XX.YY.ZZ.112
nat (BMS) 0 access-list r-vpn
nat (BMS) 1 10.1.0.0 255.255.254.0
nat (blue) 5 10.1.2.0 255.255.255.0
nat (grey) 8 10.1.12.0 255.255.255.0
nat (parking) 3 10.44.9.0 255.255.255.0
nat (emp) 0 access-list r-vpn
nat (emp) 6 10.1.8.0 255.255.255.0
nat (mgm) 2 10.1.10.0 255.255.255.0
nat (storage) 1 172.16.0.0 255.255.255.0
!
...
!
static (mgm,storage) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
static (emp,storage) 10.1.8.0 10.1.8.0 netmask 255.255.255.0
!
...
---
What should I do?
Modify nat (storage) 1 172.16.0.0 255.255.255.0, or increase the security-level of VLAN 80 to 91?
02-25-2016 03:51 AM
I am assuming you have NAT control configured?
show run nat-control
I would suggest either disabling nat-control or adding a nat 0 statement for the storage interface.
Personally I would disable nat-control.
Raising the security level will not have any effect in this situation. And if you have access-lists configured on the interfaces, the security levels are not even used.
--
Please remember to select a correct answer and rate helpful posts
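As an added example (not code from the thread, from Cisco, or from either poster), the following Python script does the two things a practitioner would want here: it parses packet-tracer output to pull out the phase that dropped the packet and the rule listed under it, and it applies a deliberately simplified model of the 8.2 reverse-path NAT check to the NAT lines visible in the posted config, so you can see why "No matching global" fires for emp -> storage and check a candidate fix before typing it into the firewall. The model only looks at the lines that appear in the post (the elided "..." sections are unknown), skips the nat 0 access-list and policy NAT forms, and assumes an identity nat 0 rule is matched ahead of dynamic nat ids; both the nat 0 fix Marius suggests and a static identity rule in the storage -> emp direction (an alternative of mine, not from the thread) are checked against it. The sample trace and config strings are constructed from the text of the first post.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the phases of the first packet-tracer run in the thread that
# matter for the drop (phase 5 static NAT, phase 7 rpf-check) plus the summary block.
PACKET_TRACER_OUTPUT = """\
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (emp,storage) 10.1.8.0 10.1.8.0 netmask 255.255.255.0
Additional Information:
Static translate 10.1.8.0/0 to 10.1.8.0/0 using netmask 255.255.255.0
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (storage) 1 172.16.0.0 255.255.255.0
match ip storage 172.16.0.0 255.255.255.0 emp any
dynamic translation to pool 1 (No matching global)
Additional Information:
Result:
input-interface: emp
output-interface: storage
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: the NAT-related lines visible in the posted running config.
RUNNING_CONFIG = """\
global (outside) 1 XX.YY.ZZ.238
global (outside) 6 XX.YY.ZZ.160
nat (emp) 0 access-list r-vpn
nat (emp) 6 10.1.8.0 255.255.255.0
nat (storage) 1 172.16.0.0 255.255.255.0
static (mgm,storage) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
static (emp,storage) 10.1.8.0 10.1.8.0 netmask 255.255.255.0
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Split packet-tracer output into Phase records; the bare 'Result:' header
    that starts the summary block ends phase parsing."""
    phases, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
        elif current is None:
            continue
        elif line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            value = line.split(":", 1)[1].strip()
            if value:
                current.result = value
            else:
                current = None            # summary block reached
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases


def find_drop(text):
    """Return (phase, first config line) for the first DROP phase, or None."""
    for phase in parse_packet_tracer(text):
        if phase.result == "DROP":
            return phase, (phase.config[0] if phase.config else "")
    return None


STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\S+)")  # skips 'nat ... access-list'
GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+) ")


def reverse_path_check(config_text, ingress, egress, dst_ip):
    """Simplified model (assumption, not the ASA's full order of operations) of the
    8.2 rpf-check for a packet ingress -> egress. Return traffic from dst_ip on the
    egress interface needs a translation toward ingress: a static (egress,ingress)
    covering dst_ip, an identity nat (egress) 0 covering it, or a dynamic
    nat (egress) <id> paired with a global (ingress) <id>."""
    dst = ipaddress.ip_address(dst_ip)
    statics, nats, globals_ = [], [], set()
    for line in config_text.splitlines():
        if m := STATIC_RE.match(line.strip()):
            real_if, mapped_if, real, _mapped, mask = m.groups()
            statics.append((real_if, mapped_if, ipaddress.ip_network(f"{real}/{mask}", strict=False)))
        elif m := NAT_RE.match(line.strip()):
            iface, nat_id, net, mask = m.groups()
            nats.append((iface, int(nat_id), ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif m := GLOBAL_RE.match(line.strip()):
            globals_.add((m.group(1), int(m.group(2))))
    for real_if, mapped_if, net in statics:
        if real_if == egress and mapped_if == ingress and dst in net:
            return "ALLOW", f"static ({real_if},{mapped_if}) covers {dst}"
    nats.sort(key=lambda n: n[1] != 0)   # assumption: identity nat 0 is matched before dynamic ids
    for iface, nat_id, net in nats:
        if iface != egress or dst not in net:
            continue
        if nat_id == 0:
            return "ALLOW", f"identity nat ({iface}) 0 covers {dst}"
        if (ingress, nat_id) in globals_:
            return "ALLOW", f"nat ({iface}) {nat_id} pairs with global ({ingress}) {nat_id}"
        return "DROP", f"nat ({iface}) {nat_id} matches {dst} but there is no global ({ingress}) {nat_id}"
    return "ALLOW", f"no NAT rule on {egress} covers {dst}"


if __name__ == "__main__":
    phase, rule = find_drop(PACKET_TRACER_OUTPUT)
    print(f"dropped in phase {phase.number} ({phase.type}/{phase.subtype}) by: {rule}")
    print("as posted:     ", reverse_path_check(RUNNING_CONFIG, "emp", "storage", "172.16.0.254"))
    fixed = RUNNING_CONFIG + "nat (storage) 0 172.16.0.0 255.255.255.0\n"
    print("with nat 0:    ", reverse_path_check(fixed, "emp", "storage", "172.16.0.254"))
```

Run against the posted trace the script reports phase 7 (NAT/rpf-check) and the nat (storage) 1 rule as the cause, and the model returns DROP for 172.16.0.254 because the storage host falls under a dynamic nat id that has globals only on outside, not on emp. Appending either the identity nat 0 line or a static (storage,emp) identity rule turns the result into ALLOW; the mgm -> storage case is deliberately not modelled, since the config lines that explain why it works are not in the visible part of the post.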
02-25-2016 03:56 AM
Hello Marius,
Thank you for the response.
The nat-control is disabled:
ASA-5520-1p2-CORE# show run nat-control
no nat-control
So the only way is to add nat 0 statement for the storage interface?
Why don't I have any problems with communication between mgm and storage?