Solved: Need fluid traffic between two same security level interfaces

Eduardo Guerra · ‎01-09-2014

Dear Sirs I am configuring an ASA5510 before implementing it on my network. I have 1 ISP for internet connected to Outside Interface, a DMZ Interfaces and 2 inside interfaces. One of these inside interfaces is Outside1 will be connected to a router that will have Fiber and Antenas for communicating with our small offices. I need fluid traffic between Inside an Outside1. I tried using some advices but still not working. Here's my configuration. Can you help me?

: Saved

:

ASA Version 8.2(1)

!

hostname ASAFCHFW

domain-name farmaciachavez.com.bo

enable password 6Jfo5anznhoG00fM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address X.X.X.X y.y.y.y

!

interface Ethernet0/1

nameif Outside1

security-level 100

ip address 192.168.2.2 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 10

ip address 172.16.31.1 255.255.255.0

!

interface Ethernet0/3

nameif Inside

security-level 100

ip address 192.168.100.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name farmaciachavez.com.bo

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list dmz_in extended permit ip any any

access-list dmz_in extended permit icmp any any

access-list Inside extended permit ip any any

access-list Inside extended permit icmp any any

access-list 100 extended permit tcp any host x.x.x..163 eq smtp

access-list 100 extended permit udp any host x.x.x.163 eq domain

access-list 100 extended permit tcp any host x.x.x.163 eq https

access-list 100 extended permit tcp any host x.x.x.163 eq www

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Outside1 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.100.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Inside

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

static (Inside,DMZ) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (DMZ,Outside) x.x.x.163 172.16.31.0 netmask 255.255.255.255

static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

access-group 100 in interface Outside

access-group dmz_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 x.x.x.161 1

route Outside1 172.1.1.0 255.255.255.0 192.168.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.100.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:b5e4725e47eea02221510b282e9e5843

: end

Thanks in advanced

Eduardo Guerra

Collin Clark · ‎01-10-2014

Can you post the results of this command?

packet-tracer input inside tcp 192.168.100.5 9823 192.168.2.10 80 detail

and

packet-tracer input Outside1 tcp 192.168.2.10 9823 192.168.100.5 80 detail

View solution in original post

Collin Clark · ‎01-09-2014

So is there no communications from inside to outside1?

Eduardo Guerra · ‎01-10-2014

Yes, there is no communication. I tried pinging from a computer connected to Inside to computer connected to Outside1 and viceversa, also i tried to access shared resources from each computer with negative results

EG

prateeve · ‎01-10-2014

Hi,

Try to use the following command"

same-security-traffic permit inter-interface

- Prateek Verma

Collin Clark · ‎01-10-2014

Can you post the results of this command?

packet-tracer input inside tcp 192.168.100.5 9823 192.168.2.10 80 detail

and

packet-tracer input Outside1 tcp 192.168.2.10 9823 192.168.100.5 80 detail

Eduardo Guerra · ‎01-10-2014

Here are the results:

packet-tracer input inside tcp 192.168.100.5 9823 192.168.2.10 80 detail (Last 2 Phases)

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (Inside,DMZ) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

match ip Inside 192.168.100.0 255.255.255.0 DMZ any

static translation to 192.168.100.0

translate_hits = 0, untranslate_hits = 471

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab9355d0, priority=5, domain=host, deny=false

hits=1611, user_data=0xab934f90, cs_id=0x0, reverse, flags=0x0, protocol

=0

src ip=192.168.100.0, mask=255.255.255.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype:

Result: DROP

Config:

nat (Inside) 101 0.0.0.0 0.0.0.0

match ip Inside any Outside1 any

dynamic translation to pool 101 (No matching global)

translate_hits = 94, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab9309e8, priority=1, domain=nat, deny=false

hits=93, user_data=0xabeffa80, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside1

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

packet-tracer input Outside1 tcp 192.168.2.10 9823 192.168.100.5 80 detail (Last 2 Phases)

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab7f6198, priority=0, domain=permit-ip-option, deny=true

hits=776, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype:

Result: DROP

Config:

nat (Outside1) 101 0.0.0.0 0.0.0.0

match ip Outside1 any Inside any

dynamic translation to pool 101 (No matching global)

translate_hits = 1, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xac0c13f8, priority=1, domain=nat, deny=false

hits=0, user_data=0xac0c1338, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: Outside1

input-status: up

input-line-status: up

output-interface: Inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Also i added this command:

nat (Outside1) 101 0.0.0.0 0.0.0.0

EG

prateeve · ‎01-10-2014

Hi,

Try to put in following commands:

static (Inside,outside1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

- Prateek Verma

Eduardo Guerra · ‎01-15-2014

Dear Prateek, configurationo is like this and i can connect between interfaces but i cant access to network 172.1.1.0 that is connected to another router that is connected to interface Outside1. Any suggestion for this?

ASA Version 8.2(1)

!

hostname ASAFCHFW

domain-name farmaciachavez.com.bo

enable password 6Jfo5anznhoG00fM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 200.87.200.162 255.255.255.248

!

interface Ethernet0/1

nameif Outside1

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 10

ip address 172.16.31.1 255.255.255.0

!

interface Ethernet0/3

nameif Inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name farmaciachavez.com.bo

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list dmz_in extended permit ip any any

access-list dmz_in extended permit icmp any any

access-list Inside extended permit ip any any

access-list Inside extended permit icmp any any

access-list 100 extended permit tcp any host 200.87.226.163 eq smtp

access-list 100 extended permit udp any host 200.87.226.163 eq domain

access-list 100 extended permit tcp any host 200.87.226.163 eq https

access-list 100 extended permit tcp any host 200.87.226.163 eq www

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Outside1 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.0.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Inside

icmp permit 192.168.0.0 255.255.255.0 Inside

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (Outside1) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

static (DMZ,Outside) 200.87.200.163 172.16.31.0 netmask 255.255.255.255

static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group 100 in interface Outside

access-group dmz_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 200.87.200.161 1

route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 192.168.0.0 255.255.255.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:6dfac383495fa18bde8783c7d47c3d81

: end

Thanks in advanced

EG

James Leinweber · ‎01-16-2014

What happens if you increase the routing distance for the default route, e.g.

route Outside 0.0.0.0 0.0.0.0 200.87.200.161 20

-- Jim Leinweber, WI State Lab of Hygiene

Eduardo Guerra · ‎01-16-2014

Default route is for internet use. Another static route is for connecting headquater with another offices

EG

Eduardo Guerra · ‎01-17-2014

I've modified route like James told but no changes. I run a this packet tracer and result is this

Packet Tracer:

packet-tracer input inside tcp 192.168.0.5 9823 172.1.1.10 80 detail

Result:

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 172.1.1.0 255.255.255.0 Outside1

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab8755c8, priority=2, domain=permit, deny=false

hits=175, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab877570, priority=0, domain=permit-ip-option, deny=true

hits=299, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

match ip Inside 192.168.0.0 255.255.255.0 Outside1 any

static translation to 192.168.0.0

translate_hits = 179, untranslate_hits = 18292

Additional Information:

Static translate 192.168.0.0/0 to 192.168.0.0/0 using netmask 255.255.255.0

Forward Flow based lookup yields rule:

in id=0xab94c948, priority=5, domain=nat, deny=false

hits=175, user_data=0xab94c0a0, cs_id=0x0, flags=0x0, protocol=0

src ip=192.168.0.0, mask=255.255.255.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

match ip Inside 192.168.0.0 255.255.255.0 DMZ any

static translation to 192.168.0.0

translate_hits = 0, untranslate_hits = 11

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab811c80, priority=5, domain=host, deny=false

hits=18742, user_data=0xab8d1270, cs_id=0x0, reverse, flags=0x0, protoco

l=0

src ip=192.168.0.0, mask=255.255.255.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (Outside1) 101 0.0.0.0 0.0.0.0

match ip Outside1 any Inside any

dynamic translation to pool 101 (No matching global)

translate_hits = 309, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

out id=0xab93f558, priority=1, domain=nat-reverse, deny=false

hits=74, user_data=0xab93f2e8, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside1

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Any ideas for solving this route issue?

EG

Collin Clark · ‎01-17-2014

There is no NAT so it's failing.

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (Outside1) 101 0.0.0.0 0.0.0.0

match ip Outside1 any Inside any

dynamic translation to pool 101 (No matching global)

Have you tried Prateek's commands?

static (Inside,outside1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Prateek's commands are one way to fix it.

You could also try-

global (Inside) 102 interface

nat (Outside1) 102 0 0

Eduardo Guerra · ‎01-17-2014

Dear Collin, do these lines:

global (Inside) 102 interface

nat (Outside1) 102 0 0

will not restrict traffic to the internet by interface Outside?

EG

Collin Clark · ‎01-17-2014

Those lines will nat traffic from Outside1 to the Inside using the IP assigned to the Inside interface.

Eduardo Guerra · ‎01-17-2014

Collin, Here's my network diagram. I need to use static routes from Lan to 172.1.x.x to communicate other offices with headquater LAN (I need NAT no PAT as you suggested answer before). Also i need to communicate branch offices with email server. Actually the service router i am using to connect branch offices is Cisco RV016 but in the near future it will be ISR G2 Cisco 892

If you need some more explanation to solve routing issue, please tell. also here's the up to date configuration

ASA Version 8.2(1)

!

hostname ASAFCHFW

domain-name farmaciachavez.com.bo

enable password 6Jfo5anznhoG00fM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address x.x.x.162 255.255.255.248

!

interface Ethernet0/1

nameif Outside1

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 10

ip address 172.16.31.1 255.255.255.0

!

interface Ethernet0/3

nameif Inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name farmaciachavez.com.bo

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list dmz_in extended permit ip any any

access-list dmz_in extended permit icmp any any

access-list Inside extended permit ip any any

access-list Inside extended permit icmp any any

access-list 100 extended permit tcp any host x.x.x.163 eq smtp

access-list 100 extended permit udp any host x.x.x.163 eq domain

access-list 100 extended permit tcp any host x.x.x.163 eq https

access-list 100 extended permit tcp any host x.x.x.163 eq www

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Outside1 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.0.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Inside

icmp permit 192.168.0.0 255.255.255.0 Inside

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (Outside1) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

static (DMZ,Outside) 200.87.200.163 172.16.31.0 netmask 255.255.255.255

static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group 100 in interface Outside

access-group dmz_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 x.x.x.161 20

route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 192.168.0.0 255.255.255.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:3235bd0aa15e755b360cd2fb30b227ef

: end

EG