Solved: Re: Inter interface communications not working on asa 5510 v 8.2 - Page 3

GEOFFREY BARKER · ‎08-21-2012

Howdy,

ASA / Cisco Novice here:

I have an ASA 5510 attached to 2 internal networks. Everything is working except communications between the 2 internal interfaces.

I can ping the FW from either interface and I can ping hosts on both networks from the CLI but can't get any traffic to pass.

I'd like to open the connection to all traffic.

A picture being worth a thousand words, below is the physical network and a cleaned config (Note that I have highlighted the commands that I think should make this work).

Can anyone see what I'm missing?

Regards,

Geoffrey

hostname CiscoASA

domain-name domain.org

enable password c7Ik4QWNoVuUmbYX encrypted

passwd c7Ik4QWNoVuUmbYX encrypted

names

name x.x.x.x Server2-Outside

name x.x.x.x Konica-Outside

name x.x.x.x Sharepoint-Outside

name 192.168.100.15 Konica-Inside

name 192.168.100.2 Server2-Inside

name 192.168.100.5 Sharepoint-Inside

name 192.168.1.0 Highline-inside

!

interface Ethernet0/0

speed 100

duplex full

nameif Outside

security-level 0

pppoe client vpdn group xxx

ip address x.x.x.x 255.255.255.255 pppoe setroute

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 192.168.100.1 255.255.255.0

!

interface Ethernet0/2

nameif Highline

security-level 100

ip address 192.168.1.3 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.11.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns server-group DefaultDNS

domain-name domain.org

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service RDP tcp

port-object eq 3389

object-group service Sharepoint-SSL tcp

port-object eq 444

object-group service Zone3-17365 tcp

port-object eq 17365

object-group service Konica-printing tcp

port-object eq 9100

access-list Outside_access_in extended permit tcp any host Server2-Outside eq 3389

access-list Outside_access_in extended permit tcp any host Server2-Outside eq smtp

access-list Outside_access_in extended permit tcp any host Server2-Outside eq ftp

access-list Outside_access_in extended permit tcp any host Server2-Outside eq www

access-list Outside_access_in extended permit tcp any host Server2-Outside eq https

access-list Outside_access_in extended permit tcp any host Server2-Outside eq pptp

access-list Outside_access_in extended permit gre any host Server2-Outside

access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq www

access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq https

access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Zone3-17365

access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Sharepoint-SSL

access-list Outside_access_in extended permit tcp any host Konica-Outside object-group Konica-printing

access-list dispatch_nat0 extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0

access-list dispatch_cryptomap extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0

access-list Inside_nat_outbound extended permit ip 192.168.100.0 255.255.255.0 172.29.12.0 255.255.255.0

access-list Inside_nat_static extended permit ip host Server2-Inside any

access-list Inside_nat_static_1 extended permit ip host Server2-Inside host 172.29.12.5

access-list Inside_nat_static_2 extended permit ip host 192.168.100.12 host 172.29.12.1

access-list Highline_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu Highline 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (Outside) 2 10.99.12.10-10.99.12.254 netmask 255.255.255.0

global (Outside) 1 interface

global (Outside) 3 Server2-Outside netmask 255.255.255.255

nat (Inside) 2 access-list Inside_nat_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (Highline) 1 0.0.0.0 0.0.0.0

static (Inside,Outside) Sharepoint-Outside Sharepoint-Inside netmask 255.255.255.255

static (Inside,Outside) Konica-Outside Konica-Inside netmask 255.255.255.255

static (Inside,Outside) 10.99.12.5 access-list Inside_nat_static_1

static (Inside,Outside) Server2-Outside access-list Inside_nat_static

static (Inside,Outside) 10.99.12.1 access-list Inside_nat_static_2

static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0

access-group Outside_access_in in interface Outside

access-group Highline_access_in in interface Highline

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.100.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TEST esp-aes-256 esp-sha-hmac

crypto ipsec transform-set dispatch esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map dispatch_map 1 match address dispatch_nat0

crypto map dispatch _map 1 set pfs group5

crypto map dispatch _map 1 set peer 146.129.253.3

crypto map dispatch _map 1 set transform-set dispatch

crypto map dispatch _map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

telnet 192.168.100.0 255.255.255.0 Inside

telnet 192.168.11.0 255.255.255.0 management

telnet timeout 30

ssh timeout 5

console timeout 0

vpdn group blah request dialout pppoe

vpdn group blah localname blah

vpdn group blah ppp authentication pap

vpdn username blahblahblah password ***** store-local

dhcpd address 192.168.11.2-192.168.11.254 management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password ra.2Iw6nrBEaHn0M encrypted

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:36468a70e58b3026ab250dfba96c4ba9

: end

GEOFFREY BARKER · ‎08-22-2012

Thanks so much for your help on this Ramraj. This did work for me.

I wish I could rate some of Julio's posts as they were helpful in terms of confirming where exactly the problem lay.

You guys are both very helpful.

Cheers,

Geoffrey

Julio Carvajal · ‎08-22-2012

Hello Geoffrey,

I dont know what you mean by this as its possible to rate as many answers on a post as you like.

"I wish I could rate some of Julio's posts as they were helpful in terms of confirming where exactly the problem lay"

Now regarding the solution that my friend Ramraj provided you the Static Identity NAT should also works as it has a better priority than the regular Dynamic nat, so both of those options ( Nat exepmtion or Identity NAT) should work wheter you have 2 interfaces with the same security traffic or not.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

GEOFFREY BARKER · ‎08-22-2012

Sorry again Julio,

It was an interface thing (I don't post on the forums often).

I was trying to select stars at the top of the post... Oops.

I really appreciated your help on this..

Julio Carvajal · ‎08-22-2012

Hello Geoffrey,

Sure not a problem It is a pleasure to help.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Inter interface communications not working on asa 5510 v 8.2.2