
Fairly new to cisco ASA 5505 - Can someone look through my config?

osolbakken
Level 1

Hi.

Can someone tell me if I did the NAT part right? Both dynamic and static.

To be able to reach one VLAN from another I created a NAT between them. Is this the right way to do it?

I can still limit the access between the vlans based on the access list.

I am also getting slow throughput over the VPN tunnel. Is there something wrong with my config? I used the wizard to set it up. There is also a Cisco ASA 5505 on the other end.

If there is something else that seems wrong, please let me know.

Any help would be greatly appreciated!

Config:

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password x encrypted
names
name 192.168.1.250 DomeneServer
name 192.168.1.10 NotesServer
name 192.168.1.90 OvServer
name 192.168.1.97 TerminalServer
name 192.168.1.98 w8-eyeshare
name 192.168.50.10 w8-print
name 192.168.1.94 w8-app
name 192.168.1.89 FonnaFlyMedia
!
interface Vlan1
 nameif Vlan1
 security-level 100
 ip address 192.168.200.100 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 79.x.x.226 255.255.255.224
 ospf cost 10
!
interface Vlan400
 nameif vlan400
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan450
 nameif Vlan450
 security-level 100
 ip address 192.168.210.1 255.255.255.0
 ospf cost 10
!
interface Vlan460
 nameif Vlan460-SuldalHotell
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10
!
interface Vlan461
 nameif Vlan461-SuldalHotellGjest
 security-level 100
 ip address 192.168.3.1 255.255.255.0
 ospf cost 10
!
interface Vlan462
 nameif Vlan462-Suldalsposten
 security-level 100
 ip address 192.168.4.1 255.255.255.0
 ospf cost 10
!
interface Vlan470
 nameif vlan470-Kyrkjekontoret
 security-level 100
 ip address 192.168.202.1 255.255.255.0
 ospf cost 10
!
interface Vlan480
 nameif vlan480-Telefoni
 security-level 100
 ip address 192.168.20.1 255.255.255.0
 ospf cost 10
!
interface Vlan490
 nameif Vlan490-QNapBackup
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 ospf cost 10
!
interface Vlan500
 nameif Vlan500-HellandBadlands
 security-level 100
 ip address 192.168.30.1 255.255.255.0
 ospf cost 10
!
interface Vlan510
 nameif Vlan510-IsTak
 security-level 100
 ip address 192.168.40.1 255.255.255.0
 ospf cost 10
!
interface Vlan600
 nameif Vlan600-SafeQ
 security-level 100
 ip address 192.168.50.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 500
 switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610
 switchport mode trunk
!
interface Ethernet0/3
 switchport access vlan 490
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd x encrypted
ftp mode passive
clock timezone WAT 1
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Lotus_Notes_Utgaaande tcp
 description Frim Notes og ut til alle
 port-object eq domain
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq lotusnotes
 port-object eq pop3
 port-object eq pptp
 port-object eq smtp
object-group service Lotus_Notes_inn tcp
 description From alle og inn til Notes
 port-object eq www
 port-object eq lotusnotes
 port-object eq pop3
 port-object eq smtp
object-group service Reisebyraa tcp-udp
 port-object range 3702 3702
 port-object range 5500 5500
 port-object range 9876 9876
object-group service Remote_Desktop tcp-udp
 description Tilgang til Remote Desktop
 port-object range 3389 3389
object-group service Sand_Servicenter_50000 tcp-udp
 description Program tilgang til Sand Servicenter AS
 port-object range 50000 50000
object-group service VNC_Remote_Admin tcp
 description Frå oss til alle
 port-object range 5900 5900
object-group service Printer_Accept tcp-udp
 port-object range 9100 9100
 port-object eq echo
object-group icmp-type Echo_Ping
 icmp-object echo
 icmp-object echo-reply
object-group service Print tcp
 port-object range 9100 9100
object-group service FTP_NADA tcp
 description Suldalsposten NADA tilgang
 port-object eq ftp
 port-object eq ftp-data
object-group service Telefonsentral tcp
 description Hoftun
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq telnet
object-group service Printer_inn_800 tcp
 description Fra 800  nettet og inn til 400 port 7777
 port-object range 7777 7777
object-group service Suldalsposten tcp
 description Sending av mail vha Mac Mail programmet - åpner smtp
 port-object eq pop3
 port-object eq smtp
object-group service http2 tcp
 port-object range 81 81
object-group service DMZ_FTP_PASSIVE tcp-udp
 port-object range 55536 56559
object-group service DMZ_FTP tcp-udp
 port-object range 20 21
object-group service DMZ_HTTPS tcp-udp
 port-object range 443 443
object-group service DMZ_HTTP tcp-udp
 port-object range 8080 8080
object-group service DNS_Query tcp
 port-object range domain domain
object-group service DUETT_SQL_PORT tcp-udp
 description For kobling mellom andre nett og duett server
 port-object range 54659 54659
access-list outside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list vlan400_access_in extended deny ip any host 149.20.56.34
access-list vlan400_access_in extended deny ip any host 149.20.56.32
access-list vlan400_access_in extended permit ip any any
access-list Vlan450_access_in extended deny ip any host 149.20.56.34
access-list Vlan450_access_in extended deny ip any host 149.20.56.32
access-list Vlan450_access_in extended permit ip any any
access-list Vlan460_access_in extended deny ip any host 149.20.56.34
access-list Vlan460_access_in extended deny ip any host 149.20.56.32
access-list Vlan460_access_in extended permit ip any any
access-list vlan400_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande
access-list vlan400_access_out extended permit tcp any host DomeneServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host TerminalServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host OvServer object-group http2
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_inn
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host w8-eyeshare object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host w8-app object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host FonnaFlyMedia range 8400 8600
access-list vlan400_access_out extended permit udp any host FonnaFlyMedia range 9000 9001
access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host DomeneServer
access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host w8-app object-group DUETT_SQL_PORT
access-list Vlan500_access_in extended deny ip any host 149.20.56.34
access-list Vlan500_access_in extended deny ip any host 149.20.56.32
access-list Vlan500_access_in extended permit ip any any
access-list vlan470_access_in extended deny ip any host 149.20.56.34
access-list vlan470_access_in extended deny ip any host 149.20.56.32
access-list vlan470_access_in extended permit ip any any
access-list Vlan490_access_in extended deny ip any host 149.20.56.34
access-list Vlan490_access_in extended deny ip any host 149.20.56.32
access-list Vlan490_access_in extended permit ip any any
access-list Vlan450_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan1_access_out extended permit ip any any
access-list Vlan1_access_out extended permit tcp any host w8-print object-group Remote_Desktop
access-list Vlan1_access_out extended deny ip any any
access-list Vlan1_access_out extended permit icmp any any echo-reply
access-list Vlan460_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan490_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTPS
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTP
access-list Vlan500_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan470_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan470_access_out extended permit tcp any host 192.168.202.10 object-group Remote_Desktop
access-list Vlan510_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan480_access_out extended permit ip any any
access-list Vlan510_access_in extended permit ip any any
access-list Vlan600_access_in extended permit ip any any
access-list Vlan600_access_out extended permit icmp any any
access-list Vlan600_access_out extended permit tcp any host w8-print object-group Remote_Desktop
access-list Vlan600_access_out extended permit tcp 192.168.1.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_out extended permit tcp 192.168.202.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_out extended permit tcp 192.168.210.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_in_1 extended permit ip any any
access-list Vlan461_access_in extended permit ip any any
access-list Vlan461_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan400_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_20_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list Vlan462-Suldalsposten_access_in extended permit ip any any
access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo-reply
access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo-reply
access-list Vlan462-Suldalsposten_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Vlan1 1500
mtu outside 1500
mtu vlan400 1500
mtu Vlan450 1500
mtu Vlan460-SuldalHotell 1500
mtu Vlan461-SuldalHotellGjest 1500
mtu vlan470-Kyrkjekontoret 1500
mtu vlan480-Telefoni 1500
mtu Vlan490-QNapBackup 1500
mtu Vlan500-HellandBadlands 1500
mtu Vlan510-IsTak 1500
mtu Vlan600-SafeQ 1500
mtu Vlan462-Suldalsposten 1500
no failover
monitor-interface Vlan1
monitor-interface outside
monitor-interface vlan400
monitor-interface Vlan450
monitor-interface Vlan460-SuldalHotell
monitor-interface Vlan461-SuldalHotellGjest
monitor-interface vlan470-Kyrkjekontoret
monitor-interface vlan480-Telefoni
monitor-interface Vlan490-QNapBackup
monitor-interface Vlan500-HellandBadlands
monitor-interface Vlan510-IsTak
monitor-interface Vlan600-SafeQ
monitor-interface Vlan462-Suldalsposten
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan400) 0 access-list vlan400_nat0_outbound
nat (vlan400) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan450) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0
nat (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0
nat (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0
nat (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0
nat (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0
nat (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0
nat (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0
static (vlan400,outside) 79.x.x.x DomeneServer netmask 255.255.255.255
static (vlan470-Kyrkjekontoret,outside) 79.x.x.x 192.168.202.10 netmask 255.255.255.255
static (vlan400,outside) 79.x.x.x NotesServer netmask 255.255.255.255 dns
static (vlan400,outside) 79.x.x.231 TerminalServer netmask 255.255.255.255
static (vlan400,outside) 79.x.x.234 OvServer netmask 255.255.255.255
static (vlan400,outside) 79.x.x.232 w8-eyeshare netmask 255.255.255.255
static (Vlan490-QNapBackup,outside) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns
static (Vlan600-SafeQ,outside) 79.x.x.235 w8-print netmask 255.255.255.255
static (vlan400,outside) 79.x.x.236 w8-app netmask 255.255.255.255
static (Vlan450,vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (Vlan500-HellandBadlands,vlan400) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan400,Vlan500-HellandBadlands) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,Vlan450) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,outside) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255
static (Vlan462-Suldalsposten,vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (vlan400,Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Vlan600-SafeQ,vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ,Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ,vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan450,Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (vlan470-Kyrkjekontoret,Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
access-group Vlan1_access_out out interface Vlan1
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group vlan400_access_in in interface vlan400
access-group vlan400_access_out out interface vlan400
access-group Vlan450_access_in in interface Vlan450
access-group Vlan450_access_out out interface Vlan450
access-group Vlan460_access_in in interface Vlan460-SuldalHotell
access-group Vlan460_access_out out interface Vlan460-SuldalHotell
access-group Vlan461_access_in in interface Vlan461-SuldalHotellGjest
access-group Vlan461_access_out out interface Vlan461-SuldalHotellGjest
access-group vlan470_access_in in interface vlan470-Kyrkjekontoret
access-group vlan470_access_out out interface vlan470-Kyrkjekontoret
access-group vlan480_access_out out interface vlan480-Telefoni
access-group Vlan490_access_in in interface Vlan490-QNapBackup
access-group Vlan490_access_out out interface Vlan490-QNapBackup
access-group Vlan500_access_in in interface Vlan500-HellandBadlands
access-group Vlan500_access_out out interface Vlan500-HellandBadlands
access-group Vlan510_access_in in interface Vlan510-IsTak
access-group Vlan510_access_out out interface Vlan510-IsTak
access-group Vlan600_access_in_1 in interface Vlan600-SafeQ
access-group Vlan600_access_out out interface Vlan600-SafeQ
access-group Vlan462-Suldalsposten_access_in_1 in interface Vlan462-Suldalsposten
access-group Vlan462-Suldalsposten_access_out_1 out interface Vlan462-Suldalsposten
route outside 0.0.0.0 0.0.0.0 79.x.x.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username x password x encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.210.0 255.255.255.0 Vlan450
http 192.168.200.0 255.255.255.0 Vlan1
http 192.168.1.0 255.255.255.0 vlan400
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 62.92.159.137
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable vlan400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 62.92.159.137 type ipsec-l2l
tunnel-group 62.92.159.137 ipsec-attributes
 pre-shared-key *
telnet 192.168.200.0 255.255.255.0 Vlan1
telnet 192.168.1.0 255.255.255.0 vlan400
telnet timeout 5
ssh 171.68.225.216 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd update dns both
!
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1
!
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface outside
!
dhcpd address 192.168.1.100-192.168.1.225 vlan400
dhcpd option 6 ip DomeneServer 81.167.36.11 interface vlan400
dhcpd option 3 ip 192.168.1.1 interface vlan400
dhcpd enable vlan400
!
dhcpd address 192.168.210.100-192.168.210.200 Vlan450
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450
dhcpd option 3 ip 192.168.210.1 interface Vlan450
dhcpd enable Vlan450
!
dhcpd address 192.168.2.100-192.168.2.150 Vlan460-SuldalHotell
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell
dhcpd option 3 ip 192.168.2.1 interface Vlan460-SuldalHotell
dhcpd enable Vlan460-SuldalHotell
!
dhcpd address 192.168.3.100-192.168.3.200 Vlan461-SuldalHotellGjest
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest
dhcpd option 3 ip 192.168.3.1 interface Vlan461-SuldalHotellGjest
dhcpd enable Vlan461-SuldalHotellGjest
!
dhcpd address 192.168.202.100-192.168.202.199 vlan470-Kyrkjekontoret
dhcpd option 3 ip 192.168.202.1 interface vlan470-Kyrkjekontoret
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret
dhcpd enable vlan470-Kyrkjekontoret
!
dhcpd option 3 ip 192.168.20.1 interface vlan480-Telefoni
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni
!
dhcpd address 192.168.10.80-192.168.10.90 Vlan490-QNapBackup
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup
dhcpd option 3 ip 192.168.10.1 interface Vlan490-QNapBackup
!
dhcpd address 192.168.30.100-192.168.30.199 Vlan500-HellandBadlands
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands
dhcpd option 3 ip 192.168.30.1 interface Vlan500-HellandBadlands
dhcpd enable Vlan500-HellandBadlands
!
dhcpd address 192.168.40.100-192.168.40.150 Vlan510-IsTak
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak
dhcpd option 3 ip 192.168.40.1 interface Vlan510-IsTak
dhcpd enable Vlan510-IsTak
!
dhcpd address 192.168.50.150-192.168.50.199 Vlan600-SafeQ
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ
dhcpd enable Vlan600-SafeQ
!
dhcpd address 192.168.4.100-192.168.4.150 Vlan462-Suldalsposten
dhcpd option 6 ip DomeneServer 81.167.36.11 interface Vlan462-Suldalsposten
dhcpd option 3 ip 192.168.4.1 interface Vlan462-Suldalsposten
dhcpd enable Vlan462-Suldalsposten
!
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
prompt hostname context
Cryptochecksum:x
: end

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

On a first glance the NAT configuration seems ok. Is there a problem with the traffic between the local Vlans that you would need help with?

The best tool to use for solving those is the "packet-tracer" command. If there are problems with traffic between local networks I would want the related "packet-tracer" outputs:

packet-tracer input

This should tell us of possible problems related to ASA configuration.

With regards to the poor throughput I would first check the interfaces for any problems with the "show interface" command.

I would also consider the fact that you have several Vlans whose gateway is on the ASA, so traffic between these local networks goes through the ASA and possibly affects all throughput through the ASA depending on what connections (file transfer etc.) are used between these Vlans. The ASA5505 is only specced for 150Mbps throughput.

- Jouni


Hi,

With regards to the error messages, I can't see a Static Identity NAT configuration for those Vlan460 and Vlan490 interfaces like you have for the others. You should probably add one for them also.

Can you take the following "packet-tracer":

packet-tracer input Vlan460-SuldalHotell 192.168.2.112 59133 192.168.10.200 161

And share the output with us.

It might end at some NAT Phase that fails.

Your physical interfaces Eth0 and Eth2 seem to have errors in them. Perhaps there are some problems with your actual physical ports on the connected devices? I am not sure what the ignored counter refers to. It seems to be identical to the total error counter and the CRC error counter.

- Jouni


Hi,

Ok, if you don't want to allow traffic between these interfaces then you don't need to add anything.

The log message does indicate that the host 192.168.2.112 on Vlan460 is trying to connect to the host 192.168.10.200 using SNMP (if I remember the port number correctly) and it's dropped because of a missing NAT configuration.

So that host is trying to form the connection, not the ASA.

I don't see any other "route" configurations on the ASA other than the default route. And you don't really need any "route" configurations for the traffic between the different LAN networks on the ASA, as the ASA can see them as directly connected.

The duplex settings seem fine to me on the ASA outputs that you shared. They all list 100/Full. I would check the connected device for any problems. You can naturally switch some ports around if you want to test if there is any change in the situation.

- Jouni


In addition to the above,

I would suggest that you look into your ACL configurations. There is no real need to have both "in" and "out" direction ACL on each interface. It would be simple and logical if you only had "in" direction ACLs on the interfaces.

The "in" direction (inbound) ACL essentially controls the traffic entering from the LAN network behind that interface towards networks behind any other interface of the ASA, so there is no real need in your situation to do "out" direction ACL traffic control on the other interfaces, as the traffic is already controlled at the closest interface for that LAN network.

- Jouni

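As an added example (not from the thread, the poster, or Cisco): a small Python checker that takes the 305006 line the poster quoted plus an excerpt of the posted config and reports whether the logged Vlan460-to-Vlan490 flow is covered by a static identity NAT or a NAT 0 exemption, the check Jouni's second reply asks for, and which interfaces carry both an "in" and an "out" access-group, the point of the ACL reply above. The config excerpt is constructed from the post; case-insensitive interface-name matching is this script's own choice.

```python
"""Checks for the two ASA 7.x config issues raised in this thread.

Parses 'static (real,mapped) ...', 'nat (ifc) 0 access-list ...', the
NAT-exempt access-list and 'access-group ...' lines from a config excerpt
(constructed below from the poster's config), reads the 305006 syslog line
the poster quoted, and answers: (1) is the logged src -> dst flow covered by
a static identity NAT or a NAT 0 exemption, as Jouni's reply asks, and
(2) which interfaces carry both an "in" and an "out" access-group.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the poster's config (interface names as on the page).
CONFIG = """
access-list vlan400_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
nat (vlan400) 0 access-list vlan400_nat0_outbound
nat (vlan400) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0
nat (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns
static (Vlan450,vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (vlan400,Vlan450) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group vlan400_access_in in interface vlan400
access-group vlan400_access_out out interface vlan400
access-group Vlan460_access_in in interface Vlan460-SuldalHotell
access-group Vlan460_access_out out interface Vlan460-SuldalHotell
access-group vlan480_access_out out interface vlan480-Telefoni
"""

# The syslog line the poster quoted (ASA message id 305006).
LOG_LINE = ("305006    192.168.10.200 portmap translation creation failed for udp "
            "src Vlan460-SuldalHotell:192.168.2.112/59133 "
            "dst Vlan490-QNapBackup:192.168.10.200/161")

STATIC_RE = re.compile(r"^static \((?P<real>[^,]+),(?P<mapped>[^)]+)\) "
                       r"(?P<mapped_ip>\S+) (?P<real_ip>\S+) netmask (?P<mask>\S+)")
NAT0_RE = re.compile(r"^nat \((?P<ifc>[^)]+)\) 0 access-list (?P<acl>\S+)")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended permit ip "
                    r"(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) (?P<dir>in|out) interface (?P<ifc>\S+)")
LOG_RE = re.compile(r"305006 .*? src (?P<src_ifc>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
                    r"dst (?P<dst_ifc>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_log(line: str) -> Optional[Dict[str, str]]:
    """Pull the interface, address and port fields out of a 305006 message."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def nat_status(config: str, src_ifc: str, src_ip: str, dst_ifc: str, dst_ip: str) -> str:
    """Classify the translation available for a src_ifc -> dst_ifc flow.

    "nat0-exempt": a 'nat (src_ifc) 0 access-list' ACL permits src_ip -> dst_ip.
    "static":      a 'static (src_ifc,dst_ifc)' entry covers src_ip.
    "missing":     neither, which is what the 305006 message in the thread reflects.
    Interface names are compared case-insensitively (this script's choice).
    """
    src_ifc, dst_ifc = src_ifc.lower(), dst_ifc.lower()
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acls: Dict[str, List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]] = defaultdict(list)
    nat0: Dict[str, str] = {}
    statics: List[Tuple[str, str, ipaddress.IPv4Network]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m["name"]].append((_net(m["src"], m["smask"]), _net(m["dst"], m["dmask"])))
        elif m := NAT0_RE.match(line):
            nat0[m["ifc"].lower()] = m["acl"]
        elif m := STATIC_RE.match(line):
            statics.append((m["real"].lower(), m["mapped"].lower(), _net(m["real_ip"], m["mask"])))
    acl = nat0.get(src_ifc)
    if acl and any(src in s and dst in d for s, d in acls[acl]):
        return "nat0-exempt"
    if any(r == src_ifc and mp == dst_ifc and src in net for r, mp, net in statics):
        return "static"
    return "missing"


def interfaces_with_both_acl_directions(config: str) -> List[str]:
    """Interfaces with both an 'in' and an 'out' access-group attached."""
    dirs: Dict[str, set] = defaultdict(set)
    for raw in config.splitlines():
        if m := ACCESS_GROUP_RE.match(raw.strip()):
            dirs[m["ifc"]].add(m["dir"])
    return sorted(ifc for ifc, d in dirs.items() if d == {"in", "out"})


if __name__ == "__main__":
    flow = parse_log(LOG_LINE)
    print("logged flow:", flow)
    print("translation:", nat_status(CONFIG, flow["src_ifc"], flow["src_ip"], flow["dst_ifc"], flow["dst_ip"]))
    print("in+out ACLs:", interfaces_with_both_acl_directions(CONFIG))
```

Running it against the full posted config instead of the excerpt gives the same answers for the logged flow; the 305006 message is the ASA reporting the "missing" case at run time.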

Hi,

Yeah, it would use the outbound ACL if you have configured one and attached it to the interface. If you are coming directly through Internet then typically the only ACL that should control that traffic would be the one attached to "outside" interface. If you have an "out" ACL attached on the local Vlans interface also then I think the remote connection will be matched against 2 interface ACLs rather than one.

If you are connecting through a VPN connection then the default behaviour would actually be that the traffic through VPN would bypass the ACL on the interface "outside". I think it would still possibly be matched against the destination interface's "out" direction ACL.

Regarding the cabling, either of the cable types should do because the ports should detect which type is used.

- Jouni


Hi,

Glad if it helped.

Please do remember to mark a reply as the correct answer if some reply answered your question.

Feel free to ask more if needed though.

- Jouni


10 Replies


I was just wondering if this is the way to do the "connection" between VLANs, or should it be routed?

The traffic between the VLANs is working as intended. There is not much traffic, only some RDP connections and some printing jobs.

But I'm getting some of these errors (not all like this, but "portmap translation creation failed"):

305006    192.168.10.200 portmap translation creation failed for udp src Vlan460-SuldalHotell:192.168.2.112/59133 dst Vlan490-QNapBackup:192.168.10.200/161

I did the sh interface command:

Result of the command: "sh interface"

Interface Vlan1 "Vlan1", is down, line protocol is down
  Hardware is EtherSVI
    MAC address 001d.453a.ea0e, MTU 1500
    IP address 192.168.200.100, subnet mask 255.255.255.0
  Traffic Statistics for "Vlan1":
    0 packets input, 0 bytes
    0 packets output, 0 bytes
    0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI
    MAC address 001d.453a.ea0e, MTU 1500
    IP address 79.x.x.226, subnet mask 255.255.255.224
  Traffic Statistics for "outside":
    1780706730 packets input, 1221625431570 bytes
    1878320718 packets output, 1743030863134 bytes
    5742216 packets dropped
      1 minute input rate 558 pkts/sec,  217568 bytes/sec
      1 minute output rate 803 pkts/sec,  879715 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 621 pkts/sec,  482284 bytes/sec
      5 minute output rate 599 pkts/sec,  428957 bytes/sec
      5 minute drop rate, 1 pkts/sec
Interface Vlan400 "vlan400", is up, line protocol is up
  Hardware is EtherSVI
    MAC address 001d.453a.ea0e, MTU 1500
    IP address 192.168.1.1, subnet mask 255.255.255.0
  Traffic Statistics for "vlan400":
    1093422654 packets input, 1191121436317 bytes
    784209789 packets output, 374041914789 bytes
    11465163 packets dropped
      1 minute input rate 751 pkts/sec,  870445 bytes/sec
      1 minute output rate 462 pkts/sec,  116541 bytes/sec
      1 minute drop rate, 11 pkts/sec
      5 minute input rate 474 pkts/sec,  415304 bytes/sec
      5 minute output rate 379 pkts/sec,  197861 bytes/sec
      5 minute drop rate, 7 pkts/sec
Interface Vlan450 "Vlan450", is up, line protocol is up
  Hardware is EtherSVI
    MAC address 001d.453a.ea0e, MTU 1500
    IP address 192.168.210.1, subnet mask 255.255.255.0
  Traffic Statistics for "Vlan450":
    139711812 packets input, 27519985266 bytes
    202793062 packets output, 233679075458 bytes
    12523100 packets dropped
      1 minute input rate 68 pkts/sec,  9050 bytes/sec
      1 minute output rate 83 pkts/sec,  88025 bytes/sec
      1 minute drop rate, 6 pkts/sec
      5 minute input rate 145 pkts/sec,  15068 bytes/sec
      5 minute output rate 241 pkts/sec,  287093 bytes/sec
      5 minute drop rate, 6 pkts/sec
Interface Vlan460 "Vlan460-SuldalHotell", is up, line protocol is up
  Hardware is EtherSVI
    MAC address 001d.453a.ea0e, MTU 1500
    IP address 192.168.2.1, subnet mask 255.255.255.0
  Traffic Statistics for "Vlan460-SuldalHotell":
    177971988 packets input, 161663208458 bytes
    193137004 packets output, 137418896469 bytes
    4003957 packets dropped
      1 minute input rate 13 pkts/sec,  2295 bytes/sec
      1 minute output rate 14 pkts/sec,  15317 bytes/sec
      1 minute drop rate, 2 pkts/sec
      5 minute input rate 4 pkts/sec,  794 bytes/sec
      5 minute output rate 1 pkts/sec,  477 bytes/sec
      5 minute drop rate, 2 pkts/sec
Interface Vlan461 "Vlan461-SuldalHotellGjest", is up, line protocol is up
  Hardware is EtherSVI
    MAC address 001d.453a.ea0e, MTU 1500
    IP address 192.168.3.1, subnet mask 255.255.255.0
  Traffic Statistics for "Vlan461-SuldalHotellGjest":
    332909692 packets input, 351853184942 bytes
    312038518 packets output, 156669956740 bytes
    583171 packets dropped
      1 minute input rate 0 pkts/sec,  6 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  6 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan462 "Vlan462-Suldalsposten", is up, line protocol is up
  Hardware is EtherSVI
    MAC address 001d.453a.ea0e, MTU 1500
    IP address 192.168.4.1, subnet mask 255.255.255.0
  Traffic Statistics for "Vlan462-Suldalsposten":
    33905 packets input, 14303320 bytes
    28285 packets output, 27536357 bytes
    10199 packets dropped
      1 minute input rate 0 pkts/sec,  6 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  6 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan470 "vlan470-Kyrkjekontoret", is up, line protocol is up
  Hardware is EtherSVI
    MAC address 001d.453a.ea0e, MTU 1500
    IP address 192.168.202.1, subnet mask 255.255.255.0
  Traffic Statistics for "vlan470-Kyrkjekontoret":
    12176257 packets input, 4305665570 bytes
    10618750 packets output, 5982598969 bytes
    974796 packets dropped
      1 minute input rate 2 pkts/sec,  770 bytes/sec
      1 minute output rate 1 pkts/sec,  861 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 2 pkts/sec,  708 bytes/sec
      5 minute output rate 1 pkts/sec,  980 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan480 "vlan480-Telefoni", is up, line protocol is up
  Hardware is EtherSVI
    MAC address 001d.453a.ea0e, MTU 1500
    IP address 192.168.20.1, subnet mask 255.255.255.0
  Traffic Statistics for "vlan480-Telefoni":
    246638 packets input, 43543149 bytes
    10 packets output, 536 bytes
    226674 packets dropped
      1 minute input rate 0 pkts/sec,  126 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  56 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan490 "Vlan490-QNapBackup", is up, line protocol is up
  Hardware is EtherSVI
    MAC address 001d.453a.ea0e, MTU 1500
    IP address 192.168.10.1, subnet mask 255.255.255.0
  Traffic Statistics for "Vlan490-QNapBackup":
    137317833 packets input, 6066713912 bytes
    223933623 packets output, 263191563744 bytes
    531738 packets dropped
      1 minute input rate 0 pkts/sec,  135 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  68 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan500 "Vlan500-HellandBadlands", is up, line protocol is up
  Hardware is EtherSVI
    MAC address 001d.453a.ea0e, MTU 1500
    IP address 192.168.30.1, subnet mask 255.255.255.0
  Traffic Statistics for "Vlan500-HellandBadlands":
    30816778 packets input, 4887486069 bytes
    42403099 packets output, 47831750415 bytes
    948717 packets dropped
      1 minute input rate 3 pkts/sec,  707 bytes/sec
      1 minute output rate 3 pkts/sec,  3459 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  23 bytes/sec
      5 minute output rate 0 pkts/sec,  31 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan510 "Vlan510-IsTak", is up, line protocol is up
  Hardware is EtherSVI
    MAC address 001d.453a.ea0e, MTU 1500
    IP address 192.168.40.1, subnet mask 255.255.255.0
  Traffic Statistics for "Vlan510-IsTak":
    1253148 packets input, 245364736 bytes
    1225385 packets output, 525528101 bytes
    161567 packets dropped
      1 minute input rate 0 pkts/sec,  6 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  6 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan600 "Vlan600-SafeQ", is up, line protocol is up
  Hardware is EtherSVI
    MAC address 001d.453a.ea0e, MTU 1500
    IP address 192.168.50.1, subnet mask 255.255.255.0
  Traffic Statistics for "Vlan600-SafeQ":
    1875377 packets input, 1267279709 bytes
    1056139 packets output, 290728055 bytes
    521943 packets dropped
      1 minute input rate 0 pkts/sec,  165 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  178 bytes/sec
      5 minute output rate 0 pkts/sec,  9 bytes/sec
      5 minute drop rate, 0 pkts/sec

Interface Ethernet0/0 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps

    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

    Available but not configured via nameif

    MAC address 001d.453a.ea06, MTU not set

    IP address unassigned

    1782670655 packets input, 1256666911856 bytes, 0 no buffer

    Received 95709 broadcasts, 0 runts, 0 giants

    1978 input errors, 1978 CRC, 0 frame, 0 overrun, 1978 ignored, 0 abort

    0 L2 decode drops

    17179928790 switch ingress policy drops

    1878320261 packets output, 1778955488577 bytes, 0 underruns

    0 output errors, 0 collisions, 0 interface resets

    0 babbles, 0 late collisions, 0 deferred

    0 lost carrier, 0 no carrier

    0 rate limit drops

    0 switch egress policy drops

Interface Ethernet0/2 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps

    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

    Available but not configured via nameif

    MAC address 001d.453a.ea08, MTU not set

    IP address unassigned

    1790819459 packets input, 1783854920873 bytes, 0 no buffer

    Received 27571913 broadcasts, 0 runts, 0 giants

    614 input errors, 614 CRC, 0 frame, 0 overrun, 614 ignored, 0 abort

    0 L2 decode drops

    19768 switch ingress policy drops

    1547507675 packets output, 991527977853 bytes, 0 underruns

    0 output errors, 0 collisions, 0 interface resets

    0 babbles, 0 late collisions, 0 deferred

    0 lost carrier, 0 no carrier

    0 rate limit drops

    0 switch egress policy drops

Interface Ethernet0/3 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps

    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

    Available but not configured via nameif

    MAC address 001d.453a.ea09, MTU not set

    IP address unassigned

    137318166 packets input, 9176625008 bytes, 0 no buffer

    Received 290030 broadcasts, 0 runts, 0 giants

    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

    0 L2 decode drops

    335 switch ingress policy drops

    223933623 packets output, 267222625073 bytes, 0 underruns

    0 output errors, 0 collisions, 0 interface resets

    0 babbles, 0 late collisions, 0 deferred

    0 lost carrier, 0 no carrier

    0 rate limit drops

    0 switch egress policy drops

Hi,

With regards to the error messages, I can't see a Static Identity NAT configuration for those Vlan460 and Vlan490 interfaces like you have for the others. You should probably add one for them also.

Can you run the following "packet-tracer"

packet-tracer input Vlan460-SuldalHotell udp 192.168.2.112 59133 192.168.10.200 161

And share the output with us

It might end at some NAT Phase that fails.

Your physical interfaces Eth0 and Eth2 seem to have errors on them. Perhaps there is some problem with the actual physical ports on the connected devices? I am not sure what the "ignored" counter refers to. It seems to be identical to the total error counter and the CRC error counter.

- Jouni
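
The identity NAT Jouni refers to, as an added example that is not part of the original configuration: it uses the pre-8.3 "static" syntax that matches the 7.2(2) image shown, the interface names and subnets from the config and the "show interface" output above, and the 192.168.2.112 / 192.168.10.200 hosts from the packet-tracer. It only belongs in the config if the hotel VLAN is actually supposed to reach the backup VLAN.

```cisco
! Added example, not part of the original configuration.
! Identity NAT between Vlan460-SuldalHotell (192.168.2.0/24) and
! Vlan490-QNapBackup (192.168.10.0/24), ASA 7.2 (pre-8.3) syntax.
!
! Every VLAN interface on this box is security-level 100, so this
! global setting has to be present before any two of them can talk
! (the VLANs that already reach each other imply it is there).
same-security-traffic permit inter-interface
!
! static (real_ifc,mapped_ifc) mapped_net real_net netmask mask
! With mapped == real the addresses pass through unchanged. A static
! is matched before the "nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0"
! dynamic rule, which is the one that currently matches this flow and
! fails with "No matching global".
static (Vlan460-SuldalHotell,Vlan490-QNapBackup) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Vlan490-QNapBackup,Vlan460-SuldalHotell) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
!
! Re-run the trace for the flow in the log (SNMP, UDP/161, from the
! hotel host to the NAS). The NAT phase should now report the static
! instead of "No matching global", and the later phases show whether
! the interface ACL lets it through.
packet-tracer input Vlan460-SuldalHotell udp 192.168.2.112 59133 192.168.10.200 161
!
! Confirm the translation exists and watch the hit counters.
show xlate
show nat
```

If the hotel VLAN is not meant to reach the backup NAS, leave the statics out: the log entries are the ASA dropping those attempts, which is the intended result. The thing worth looking at in that case is why a host on the hotel LAN is sending SNMP to the backup NAS at all.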

I don't want to enable traffic between all VLANs. Therefore there is no static route on all VLANs, just some.

I was wondering why the Cisco is trying to establish a connection between two VLANs that have no NAT between them.

Did the packet-tracer in ASDM:

NAT: Action: Dropped

Config:
nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0
  match ip Vlan460-SuldalHotell any Vlan490-QNapBackup any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1291, untranslate_hits = 0

This seems OK to me, since I don't want traffic between those two VLANs. But why is this showing up in the error log? Is it trying to establish a connection?

It might be some error on the devices, but I'm pretty sure that they are OK. Could it be the duplex/speed setting?

Hi,

Ok, if you don't want to allow traffic between these interfaces then you don't need to add anything.

The log message does indicate that the host 192.168.2.112 on Vlan460 is trying to connect to the host 192.168.10.200 using SNMP (if I remember the port number correctly) and it's dropped because of a missing NAT configuration.

So that host is trying to form the connection, not the ASA.

I don't see any other "route" configurations on the ASA other than the default route. And you don't really need any "route" configurations for the traffic between the different LAN networks on the ASA, as the ASA sees them as directly connected.

The duplex settings seem fine to me in the ASA outputs that you shared. They all list 100/Full. I would check the connected device for any problems. You can naturally switch some ports around if you want to test whether there is any change in the situation.

- Jouni

In addition to the above,

I would suggest that you look into your ACL configurations. There is no real need to have both "in" and "out" direction ACLs on each interface. It would be simpler and more logical if you only had "in" direction ACLs on the interfaces.

The "in" direction (inbound) ACL essentially controls the traffic entering from the LAN network behind that interface towards the networks behind any other interface of the ASA, so there is no real need in your situation to do "out" direction ACL traffic control on the other interfaces, as the traffic is already controlled at the closest interface for that LAN network.

- Jouni
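
The inbound-only layout described above, as an added example that is not taken from the poster's configuration: the ACL names Vlan460_in and Vlan460_out are assumed, the TerminalServer address comes from the "names" block at the top of the config, and the interface and subnets are the ones shown in the thread.

```cisco
! Added example, not the poster's configuration. ACL names are assumed.
! One inbound ACL per VLAN interface decides what that LAN may reach
! behind every other interface; the ASA evaluates it once, on ingress.
!
access-list Vlan460_in remark hotel LAN may RDP to the terminal server
access-list Vlan460_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.97 eq 3389
access-list Vlan460_in remark nothing else to the other internal networks (this covers Vlan490, 192.168.10.0/24)
access-list Vlan460_in extended deny ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Vlan460_in extended deny ip 192.168.2.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list Vlan460_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list Vlan460_in remark whatever remains is Internet-bound
access-list Vlan460_in extended permit ip 192.168.2.0 255.255.255.0 any
!
access-group Vlan460_in in interface Vlan460-SuldalHotell
!
! Remove the out-direction ACL on the same interface (name assumed),
! so each packet is checked against one interface ACL rather than two.
no access-group Vlan460_out out interface Vlan460-SuldalHotell
!
! Verify which ACLs are bound where, then watch the hit counts while
! testing from a hotel-LAN host.
show access-group
show access-list Vlan460_in
```

The order matters: without the three deny lines, the closing "permit ip ... any" would also admit the hotel LAN to every internal VLAN, and without that closing permit the implicit deny at the end of the ACL would cut off Internet access. One caveat before deleting the "out" ACLs: traffic that comes in from the Internet is then filtered only by the ACL on "outside", and traffic arriving through the site-to-site tunnel bypasses that ACL by default (sysopt connection permit-vpn). If the "out" ACLs were the only thing restricting what the remote site or remote-access users could reach, either disable the bypass with "no sysopt connection permit-vpn" and filter on "outside", or attach a vpn-filter ACL to the tunnel's group-policy.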

Ok.

Someone here told me to use crossed network cables instead of straight ones. But then nothing should work if that was the problem?

But when I configured the ASA, I put all my ACLs on "in" and could not connect. Then I moved them over to outgoing and it worked. So when I'm at home doing RDP to one of my servers it actually uses the out ACL. Strange?

Hi,

Yeah, it would use the outbound ACL if you have configured one and attached it to the interface. If you are coming directly through the Internet then typically the only ACL that should control that traffic would be the one attached to the "outside" interface. If you have an "out" ACL attached on the local VLAN interface also, then I think the remote connection will be matched against 2 interface ACLs rather than one.

If you are connecting through a VPN connection then the default behaviour would actually be that the traffic through the VPN would bypass the ACL on the "outside" interface. I think it would still possibly be matched against the destination interface's "out" direction ACL.

Regarding the cabling, either of the cable types should do, because the ports should detect which type is used.

- Jouni

Thanks for all your help!

--

Orjan Solbakken

Hi,

Glad if it helped

Please do remember to mark a reply as the correct answer if some reply answered your question.

Feel free to ask more if needed though

- Jouni
