10-26-2010 07:48 AM - edited 03-11-2019 12:00 PM
I am new to using Cisco firewalls. I have an ASA-5510 with a trunked Catalyst-3560 switch. I believe I have the trunk set up correctly and I created VLANs in the switch. Through the ASDM, I created the subinterfaces for each VLAN on the ASA. Now I am trying to get traffic to flow between the VLANs. I have read about security levels and assigned the levels such that the most trusted have the highest level (100). VLANs which need to talk to each other, I kept at the same security level.
On one of the higher trusted interfaces, I have a SysLog server. This computer needs access to the other VLANs in order to query and inspect logs and traffic. How do I give that VLAN/Interface access to the others? Is it inherent because of the higher security level? I believe I need to set up NAT, but not sure how to just allow open access (for now).
Thanks in advance!
Jayesh
Solved! Go to Solution.
10-26-2010 09:19 AM
In the ASDM you will have a tool called Packet Tracer. Could you please run that for traffic from the server IP to the client IP and paste the results? It will tell where the traffic is getting dropped.
10-26-2010 08:21 AM
If you are not applying an ACL on the high security interface, then by default the ASA will allow traffic to lower security interfaces.
NATting would be your next step. Make sure that, if you don't NAT the host, there is a route back to it for the return traffic through the ASA.
I hope it helps.
PK
10-26-2010 08:52 AM
I posted a follow-up to another user's response. I realized that you probably don't get the notification. Here's my follow-up question:
Thanks for the swift replies. Here's what I have, but not sure it is working:
* Server on VLAN 104 with security level of 100 [ip 192.168.10.10]
* Client PC on VLAN 111 with security level of 20 [ip 192.168.129.89]
* NAT translation for server-vlan to client-vlan allowing any on server-vlan to use PAT for 192.168.129.20
* Specific ACL for client PC (192.168.129.89) to get to server (192.168.10.10) allowing ALL ICMP traffic
I am trying to test my setup by pinging client from the server, but to no avail. I am missing something, I am sure.
--Jayesh
10-26-2010 08:23 AM
You need to enable
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
If between different security levels, enable NAT for traffic from the high security level to the low.
If you do not want to set up NAT, use NAT exemption on the higher security level interface and define the traffic from the high security level to the low security level in the ACL for NAT exempt.
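To make the two options in this reply concrete, here is an added ASA 8.3 configuration example; it is not from this thread or from Cisco. The interface names ESP-lan (security level 100) and RouterA-B (security level 20), the server 192.168.10.10 and the client PC 192.168.129.89 are the ones the poster gives later in the thread; the object names ESP-lan-net and client-pc are assumptions.

```text
! Added example, not the poster's config. Object names are assumptions;
! interface names and addresses are the ones given in the thread.
object network ESP-lan-net
 subnet 192.168.10.0 255.255.255.0
object network client-pc
 host 192.168.129.89
!
! Option 1: dynamic PAT. Hosts on ESP-lan appear as the RouterA-B
! interface address (192.168.129.20) when they reach the client PC.
! The "destination static" pair limits the rule to that one destination.
nat (ESP-lan,RouterA-B) source dynamic ESP-lan-net interface destination static client-pc client-pc
!
! Option 2: NAT exemption. In 8.3 this is identity NAT: real addresses are
! kept in both directions, so the RouterA-B side must have a route for
! 192.168.10.0/24 pointing at 192.168.129.20 for the return traffic.
! Use one option or the other for the same flow, not both (first match wins).
nat (ESP-lan,RouterA-B) source static ESP-lan-net ESP-lan-net destination static client-pc client-pc
!
! High -> low is permitted by default. For the echo-reply coming back on the
! lower interface, ICMP inspection makes the flow stateful, so no inbound
! ACL entry on RouterA-B is needed just to let the ping answer through.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Only needed when two interfaces must share a security level:
! same-security-traffic permit inter-interface
```

With either option in place, a ping from the server should create an entry in `show xlate` (option 1) or match the identity rule in `show nat` (option 2); the thread's later advice to keep security levels distinct is why the same-security-traffic line is left commented out here.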
10-26-2010 08:50 AM
Thanks for the swift replies. Here's what I have, but not sure it is working:
* Server on VLAN 104 with security level of 100 [ip 192.168.10.10]
* Client PC on VLAN 111 with security level of 20 [ip 192.168.129.89]
* NAT translation for server-vlan to client-vlan allowing any on server-vlan to use PAT for 192.168.129.20
* Specific ACL for client PC (192.168.129.89) to get to server (192.168.10.10) allowing ALL ICMP traffic
I am trying to test my setup by pinging client from the server, but to no avail. I am missing something, I am sure.
--Jayesh
10-26-2010 08:59 AM
disable firewall on client
first see if you can ping the client from the firewall
10-26-2010 09:01 AM
I am able to ping the client using the Ping utility on the ASDM and specifying the client interface.
I am fairly certain that the client machine is not using a firewall.
10-26-2010 12:59 PM
I had to first update the ASA/ASDM software. That is now done and I ran the Packet Tracer. I attached pictures and it doesn't show any problems for the 'echo' and 'echo-reply' packets to get through. However, when I run 'ping' from a command line on the server, there is no response.
Thoughts? Thanks.
--Jayesh
10-26-2010 01:37 PM
Can you attach your current ASA configuration?
10-26-2010 01:46 PM
While I understand examining the configuration is the fastest way to see my error, I cannot share it. This is mainly due to NERC CIP standards. However, I would be willing to explain any settings I have placed in there. Is there something in particular I should be looking for?
10-26-2010 01:51 PM
I suspect what you have is a NATing issue.
Would it be possible to provide the following?
sh ip
sh run nat
sh run global
Feel free to change the real address to something bogus.
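As an added example (not part of this reply or of Cisco's documentation), these are the CLI checks that go with the `sh ip` / `sh run nat` request, run for the exact flow the poster is testing; the addresses are the thread's, and 8 0 is the ICMP echo-request type and code.

```text
! Added example: CLI-side verification of the server -> client ping.
! Trace the echo request as the ASA would process it entering ESP-lan.
packet-tracer input ESP-lan icmp 192.168.10.10 8 0 192.168.129.89
! Read the output from the bottom: the last phase names the rule that
! dropped the packet (a NAT phase with no matching rule, an ACCESS-LIST
! phase, or a ROUTE-LOOKUP phase that found no route).
!
! List the manual NAT rules with their hit counters; a rule whose
! translate_hits stays at 0 after a ping never matched that source/destination.
show nat
! Show the live translation the ping created, if any.
show xlate
! Show whether the ASA built a connection for the ICMP flow at all.
show conn | include 192.168.129.89
```

If packet-tracer reports ALLOW but the real ping still gets no answer, compare the translation it shows against `show xlate` after the real ping: a difference between the traced path and the live table usually points at the source object in the NAT rule not covering the host that is actually sending.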
10-26-2010 01:53 PM
I also wouldn't enable same-security-tr permit inter-interface nor same-security-tr permit intra-interface unless absolutely required, read differently I wouldn't have the same security level on any two interfaces unless required.
10-26-2010 02:04 PM
Result of the command: "sh ip"
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/0.104 dmz 192.168.3.170 255.255.255.0 DHCP
Ethernet0/0.105 serverlan 192.168.10.254 255.255.255.0 CONFIG
Ethernet0/0.111 AE1-RouterA-B 192.168.129.20 255.255.255.0 CONFIG
Management0/0 management 192.168.1.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/0.104 dmz 192.168.3.170 255.255.255.0 DHCP
Ethernet0/0.105 serverlan 192.168.10.254 255.255.255.0 CONFIG
Ethernet0/0.111 AE1-RouterA-B 192.168.129.20 255.255.255.0 CONFIG
Management0/0 management 192.168.1.1 255.255.255.0 CONFIG
Result of the command: "sh run nat"
nat (serverlan,dmz) source dynamic 192.168.10.0/24 interface
nat (serverlan,AE1-RouterA-B) source dynamic 192.168.10.0/24 interface destination static 192.168.129.89 192.168.129.89
Above is the result of the first two commands. 'sh run global' was not a valid command. What would you like to inspect?
I understand your comment about security levels. I was thinking something similar over lunch: I prefer to explicitly allow traffic instead of letting it flow.
10-26-2010 02:39 PM
Thanks in advance. Here's a dump of sh run (cleaned)
sh run ->
Result of the command: "sh run"
: Saved
:
ASA Version 8.3(2)
!
hostname foobar
domain-name foobar.local
enable password **** encrypted
passwd *** encrypted
names
name 192.168.10.10 ESPserver
dns-guard
!
interface Ethernet0/0
description Trunk connection to Catalyst 3560
nameif trunk
security-level 100
no ip address
!
interface Ethernet0/0.104
description Link to sw-dmz
vlan 104
nameif sw-dmz
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0.105
description Connection to ESP lan
vlan 105
nameif ESP-lan
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/0.106
description vendor remote monitoring
vlan 106
nameif vendor-remote-monitor
security-level 10
no ip address
!
interface Ethernet0/0.108
description Connection for NTP traffic
vlan 108
nameif vendor-traffic
security-level 50
no ip address
!
interface Ethernet0/0.109
description Connection to vendor-UDH for NTP traffic
vlan 109
nameif vendor-UDH
security-level 51
no ip address
!
interface Ethernet0/0.110
description Connection to vendor-PDH for NTP traffic
vlan 110
nameif vendor-PDH
security-level 52
no ip address
!
interface Ethernet0/0.111
description Connection to Router A&B
vlan 111
nameif RouterA-B
security-level 20
ip address 192.168.129.20 255.255.255.0
!
interface Ethernet0/0.113
description Connection to CS30 and CS40
vlan 113
nameif CS30-CS40
security-level 30
no ip address
!
interface Ethernet0/0.116
description Link to sw-ae1-a
vlan 116
nameif sw-ae1-a
security-level 20
no ip address
!
interface Ethernet0/0.117
description Link to sw-ae1-b
vlan 117
nameif sw-ae1-b
security-level 20
no ip address
!
interface Ethernet0/0.118
description Link to sw-ae2-a
vlan 118
nameif sw-ae2-a
security-level 30
no ip address
!
interface Ethernet0/0.119
description Link to sw-ae2-b
vlan 119
nameif sw-ae2-b
security-level 30
no ip address
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner motd WARNING *** WARNING *** WARNING *** WARNING *** WARNING
banner motd This system is for the use of authorized users only. Individuals using this system may have their activities monitored and recorded by authorized company personnel. Anyone using this system expressly consents to such monitoring and is advised that if there is evidence to suggest criminal activity, the company may notify and provide such recordings to law enforcement officials.
banner asdm WARNING *** WARNING *** WARNING *** WARNING *** WARNING
banner asdm This system is for the use of authorized users only. Individuals using this system may have their activities monitored and recorded by authorized company personnel.
banner asdm Anyone using this system expressly consents to such monitoring and is advised that if there is evidence to suggest criminal activity,
banner asdm the company may notify and provide such recordings to law enforcement officials.
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name foobar.local
same-security-traffic permit intra-interface
object network ESPlan
subnet 192.168.10.0 255.255.255.0
object network vendor-01CWA01
host 192.168.129.89
description vendor PC
object network ESPserver
host 192.168.10.10
description VM host server
object network GPS-TrueTime
host 192.168.3.254
object network vendor-lan
subnet 192.168.2.0 255.255.255.254
description vendor Network
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list ESP-lan_pnat_outbound extended permit ip 192.168.10.0 255.255.255.0 interface sw-dmz
access-list ESP-lan_pnat_outbound_V1 extended permit ip 192.168.10.0 255.255.255.0 interface RouterA-B
access-list sw-dmz_access_in remark Allow access to GPS time device
access-list sw-dmz_access_in extended permit udp object GPS-TrueTime object vendor-lan
access-list sw-dmz_access_in remark NTP connection for UDH
access-list sw-dmz_access_in extended permit udp host 192.168.101.250 interface vendor-UDH
access-list sw-dmz_access_in remark NTP connection to PDH
access-list sw-dmz_access_in extended permit udp host 192.168.201.250 interface vendor-PDH
access-list RouterA-B_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.129.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging standby
logging trap informational
logging asdm informational
logging queue 0
logging device-id hostname
logging host trunk 192.168.10.12
logging permit-hostdown
mtu trunk 1500
mtu sw-dmz 1500
mtu ESP-lan 1500
mtu vendor-remote-monitor 1500
mtu vendor-traffic 1500
mtu vendor-UDH 1500
mtu vendor-PDH 1500
mtu RouterA-B 1500
mtu CS30-CS40 1500
mtu sw-ae1-a 1500
mtu sw-ae1-b 1500
mtu sw-ae2-a 1500
mtu sw-ae2-b 1500
mtu management 1500
no failover
failover lan unit primary
no monitor-interface trunk
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
asdm history enable
arp timeout 14400
nat (ESP-lan,sw-dmz) source dynamic vendor-lan interface
nat (ESP-lan,RouterA-B) source dynamic vendor-lan interface destination static vendor-PC vendor-PC
access-group sw-dmz_access_in in interface sw-dmz
access-group RouterA-B_access_in in interface RouterA-B
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.10.0 255.255.255.0 ESPserver
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:21c9aa8a86b9574a9ceb66513c1cb079
: end