1613 Views | 0 Helpful | 21 Replies

New ASA Install, Inside Networks can't browse each other

pccareoncall (Level 1)

I just installed a new ASA 5505 for an office with three internal subnets. The three networks can each get online fine and ping each other, but cannot browse to shares on the two internal networks other than their own. How do I configure the ASA to allow all traffic between these three inside networks?

192.168.152.0
192.168.153.0
192.168.154.0

Here is the running config:

show run
: Saved
:
ASA Version 8.4(1)
!
hostname ASA
domain-name NETWORK.LOCAL
enable password 9FKvgw.UCVrfUD5M encrypted
passwd 9FKvvDw.UCVrUdDM encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.152.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name NETWORK.LOCAL
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Net1
subnet 192.168.152.0 255.255.255.0
object network Net2
subnet 192.168.153.0 255.255.255.0
object network Net3
subnet 192.168.154.0 255.255.255.0
object network FD
host 192.168.152.2
access-list global_access extended permit ip object Net1 any
access-list global_access extended permit ip object Net2 any
access-list global_access extended permit ip object Net3 any
access-list global_access extended permit icmp interface inside any
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 192.168.153.0 255.255.255.0 192.168.152.2 1
route inside 192.168.154.0 255.255.255.0 192.168.152.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.152.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 30
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.152.40-192.168.152.80 inside
dhcpd dns 192.168.0.21 interface inside
dhcpd wins 192.168.152.10 interface inside
dhcpd domain NETWORK.LOCAL interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin npassword qiyTRCDITAjP3aZE encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dd70e1358ea2eec7f73ee334j16492bb3
: end

21 Replies

varrao (Level 10)

Hi,

Yes you are definitely missing a few commands here:

same-security-traffic permit intra-interface

sysopt noproxyarp inside

object network vlan_1

subnet 192.168.152.0

nat (inside,inside) source static any interface destination static vlan_1 vlan_1

object network vlan_2

subnet 192.168.154.0

nat (inside,inside) source static any interface destination static vlan_2 vlan_2

This is called hair-pinning or U-turning the traffic.

Hope this helps.

P.S.- do rate helpful posts.

Thanks,

Varun

Thanks,
Varun Rao

Thanks for your response.  I tried the commands and get the following:

ASA(config)#
ASA(config)# object network vlan_1
ASA(config-network-object)#
ASA(config-network-object)# subnet 192.168.152.0
ERROR: % Incomplete command
ASA(config-network-object)#
ASA(config-network-object)# subnet 192.168.152.0 ?

network-object mode commands/options:
  A.B.C.D  Enter an IPv4 network mask
ASA(config-network-object)# subnet 192.168.152.0 255.255.255.0
ASA(config-network-object)# exit
ASA(config)# nat (inside,inside) source static any interface destination s$
WARNING: All traffic destined to the IP address of the inside interface is being
redirected.
WARNING: Users may not be able to access any service enabled on the inside inter
face.
ASA(config)#

I noticed you recommended I use the object names vlan_1 and vlan_2.  In the current config, I have the outside interface identified as vlan2 and the inside as vlan 1.  Wouldn't that conflict and be best if I used unique names for these new objects?  Also, shouldn't I do this for the third network as well (192.168.153.0)?

Hi,

Don't worry about the message, it's fine. Yes, you can use any unique name; it was just an example that I gave you. Keep whatever name you want to.

Thanks,

Varun

Thanks,
Varun Rao

Ok, and will I need one object for each network (152.0, 153.0 and 154.0)?

Thanks,

-Matt

Hi Matt,

Yes, that's correct, you would need one object for each subnet.

Let me know if it works for you.

Thanks,

Varun

Thanks,
Varun Rao

Ok, I applied the commands as you suggested and here are the results:

Network1 can browse to Network2 and Network3. (Good)

Network2 and Network3 cannot browse Network1. (Bad)

I am unable to access the device from the ASDM or via Telnet. (Bad)

Please help.

Here are the commands I sent:

ASA# config t
ASA(config)# same-security-traffic permit intra-interface
ASA(config)# sysopt noproxyarp inside
ASA(config)# object network Network1
ASA(config-network-object)# subnet 192.168.152.0 255.255.255.0
ASA(config-network-object)# exit
ASA(config)# nat (inside,inside) source static any interface destination static Network1 Network1
WARNING: All traffic destined to the IP address of the inside interface is being
redirected.
WARNING: Users may not be able to access any service enabled on the inside inter
face.
ASA(config)#
ASA(config)#
ASA(config)# object network Network2
ASA(config-network-object)# subnet 192.168.153.0 255.255.255.0
ASA(config-network-object)# exit
ASA(config)# nat (inside,inside) source static any interface destination static Network2 Network2
WARNING: All traffic destined to the IP address of the inside interface is being
redirected.
WARNING: Users may not be able to access any service enabled on the inside inter
face.
ASA(config)# object network Network3
ASA(config-network-object)# subnet 192.168.154.0 255.255.255.0
ASA(config-network-object)# exit
ASA(config)# nat (inside,inside) source static any interface destination static Network3 Network3
WARNING: All traffic destined to the IP address of the inside interface is being
redirected.
WARNING: Users may not be able to access any service enabled on the inside inter
face.
ASA(config)# exit

pccareoncall (Level 1)

Update: After applying these configs as directed, I lost all connectivity to the ASA. I can no longer telnet to it or use the ASDM to configure the ASA. Please see the exact commands in my previous post and tell me how/why they caused connectivity to be lost.

Hi,

Are there any particular ports that you are accessing on these computers, or is it just 3389?

Thanks,

Varun

Thanks,
Varun Rao

I need all traffic allowed between these three internal networks. The most important being https and windows smb file sharing.

Hi,

Well, what you can do is to use the following statics:

object-group service Internal_services
 service-object tcp destination eq http
 service-object tcp destination range 135 139
 service-object udp destination range 135 139

nat (inside,inside) source static any interface destination static Network_1 Network_1 service Internal_services Internal_services

Similarly for the other networks as well.

Moreover, you can add more services under the object-group service Internal_services; I just did http and smb ports.

You were not able to access Network 1 because you do not have any route for it:

You need:

route inside 192.168.152.0 255.255.255.0

You can access the firewall on the outside interface IP through telnet:


I see this in config:

telnet 0.0.0.0 0.0.0.0 outside

Thanks,

Varun

Thanks,
Varun Rao

Are these configs needed in addition to the original configs you suggested, or instead of them? Also, I cannot telnet to the outside IP address either. Perhaps the same issue blocking the inside telnet connectivity is also blocking the outside. Is there any other way to access it, or do I need to reboot it? Do you know which of the configs you suggested is blocking access to telnet and ASDM?

Hi Matt,

You should be able to telnet to the box on the outside interface because that's got nothing to do with it. But still, if you're not, then we would need to reload the box, and after the reload the configuration I gave you last time needs to be put in. Let me tell you which one:

same-security-traffic permit intra-interface

sysopt noproxyarp inside

object-group service Internal_services
 service-object tcp destination eq http
 service-object tcp destination range 135 139
 service-object udp destination range 135 139

object network Network_1
 subnet 192.168.152.0 255.255.255.0

nat (inside,inside) source static any interface destination static Network_1 Network_1 service Internal_services Internal_services

object network Network_2
 subnet 192.168.153.0 255.255.255.0

nat (inside,inside) source static any interface destination static Network_2 Network_2 service Internal_services Internal_services

object network Network_3
 subnet 192.168.154.0 255.255.255.0

nat (inside,inside) source static any interface destination static Network_3 Network_3 service Internal_services Internal_services

Along with it, you would also need to add a route, which you were missing earlier:

route inside 192.168.152.0 255.255.255.0

On the inside interface you are already using port 443 for ASDM, so it might be an issue. If you want to use port 443 for other internal hosts, what we can do is use any other port for ASDM, let's say 445, so we would need to add the following:

http server enable 445

http 0.0.0.0 0.0.0.0 inside

The above configuration would resolve the conflict.

Have a nice weekend.

Thanks,

Varun

Thanks,
Varun Rao
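An added example, not code from the thread, from Cisco or from either poster: a small Python parser over the relevant lines of the running config posted at the top (embedded below as a constructed excerpt) that does two things a practitioner checks before adding the hairpin NAT suggested in the replies. It runs the ASA's routing lookup for each pair of the three inside subnets and reports whether a flow enters and leaves on the same nameif, which is what "hair-pinning" or "U-turning" means and why `same-security-traffic permit intra-interface` is needed. It also validates proposed `object network` blocks like the ones in the first reply, flagging a `subnet` line that has no mask, the cause of the `% Incomplete command` error shown earlier. The function names (`parse_config`, `lookup`, `classify_flow`) and the `PROPOSED` snippet are this example's own.

```python
"""Parse an ASA 8.4 running-config excerpt, run the routing lookup for each
pair of inside subnets, and validate proposed 'object network' blocks.
Example code only; the excerpts are constructed from the config in the thread."""
import ipaddress

# Constructed excerpt: the interface, object and route lines of the running
# config posted at the top of the thread, indented as the ASA prints them.
CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.152.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 1.2.3.4 255.255.255.248
!
object network Net1
 subnet 192.168.152.0 255.255.255.0
object network Net2
 subnet 192.168.153.0 255.255.255.0
object network Net3
 subnet 192.168.154.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 192.168.153.0 255.255.255.0 192.168.152.2 1
route inside 192.168.154.0 255.255.255.0 192.168.152.2 1
"""

# Constructed: the first reply's object definitions, one of which lacks a mask.
PROPOSED = """\
object network vlan_1
 subnet 192.168.152.0
object network vlan_2
 subnet 192.168.154.0 255.255.255.0
"""


def parse_config(text):
    """Return interfaces, network objects, static routes and syntax errors."""
    cfg = {"interfaces": [], "objects": {}, "routes": [], "errors": []}
    current = None  # ("interface", dict) or ("object", name) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[0] == "interface":
            current = ("interface", {"id": t[1], "nameif": None, "net": None})
            cfg["interfaces"].append(current[1])
        elif t[:2] == ["object", "network"]:
            current = ("object", t[2])
            cfg["objects"].setdefault(t[2], None)
        elif t[0] == "route":  # route IFC NETWORK MASK NEXTHOP [METRIC]
            cfg["routes"].append({"ifc": t[1], "nexthop": t[4],
                                  "net": ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)})
            current = None
        elif current and current[0] == "interface" and t[0] == "nameif":
            current[1]["nameif"] = t[1]
        elif current and current[0] == "interface" and t[:2] == ["ip", "address"]:
            # The interface address defines that interface's connected network.
            current[1]["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif current and current[0] == "object" and t[0] == "subnet":
            if len(t) < 3:  # the ASA answers 'subnet A.B.C.D' with '% Incomplete command'
                cfg["errors"].append(f"object {current[1]}: '{line}' is missing its mask")
            else:
                cfg["objects"][current[1]] = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
        elif raw == line:
            current = None  # any other unindented command ends the current block
    return cfg


def lookup(cfg, dst):
    """Longest-prefix match over connected networks and static routes.
    Returns (egress nameif, next hop); next hop is None when directly connected."""
    ip = ipaddress.ip_address(dst)
    candidates = [(i["net"].prefixlen, i["nameif"], None)
                  for i in cfg["interfaces"] if i["net"] and ip in i["net"]]
    candidates += [(r["net"].prefixlen, r["ifc"], r["nexthop"])
                   for r in cfg["routes"] if ip in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0])[1:]


def classify_flow(cfg, src, dst):
    """'hairpin' when the reverse-path lookup on the source and the forward
    lookup on the destination land on the same nameif; that is the case
    'same-security-traffic permit intra-interface' exists for."""
    ingress, egress = lookup(cfg, src), lookup(cfg, dst)
    if ingress is None or egress is None:
        return "no-route"
    return "hairpin" if ingress[0] == egress[0] else "inter-interface"


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    nets = [cfg["objects"][n] for n in ("Net1", "Net2", "Net3")]
    for a in nets:
        for b in nets:
            if a != b:
                src, dst = str(a[10]), str(b[10])
                print(f"{src} -> {dst}: {classify_flow(cfg, src, dst)} via {lookup(cfg, dst)}")
    for err in parse_config(PROPOSED)["errors"]:
        print("proposed snippet:", err)
```

Run as a script it prints the per-pair result; every pair of the three subnets comes out as a hairpin, because 192.168.153.0/24 and 192.168.154.0/24 are both reached through 192.168.152.2 on the inside interface, so the ASA only ever sees this traffic enter and leave on `inside`. Unrelated to the hairpin, the posted config also carries `telnet 0.0.0.0 0.0.0.0 outside`, i.e. cleartext management open to any Internet address; restricting that to a specific source (or using ssh) is worth doing before spending more time on inter-subnet browsing.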

Ok, I'll try that, thanks. Are you confident that the problem with the last configs will not lock me out of telnet/ASDM? I am going in to reboot the ASA now, but will not have access to do that again until morning, and I want to be sure I do not lose connectivity. Thanks for your help.

Yes, sure, you will have the connectivity. Just remember to configure ASDM on port 445. And when you do that, to access the ASDM you would need to type the following in the browser:

https://<firewall-ip>:445

It would work for you.

My suggestion would be, after reload, access the firewall by telnet and ASDM. Change the ASDM access port to 445, test it, and if it works, go ahead with the changes. You will not lose any connectivity.

Let me know how it goes.

Thanks,

Varun

Thanks,
Varun Rao