388 Views, 0 Helpful, 2 Replies

Problem config on FWSM

Configuration on ASA 5580 Version 8.2(1)

static (inside,outside) 112.111.112.10 10.52.12.10 netmask 255.255.255.255
static (inside,outside) 112.111.112.11 10.52.12.11 netmask 255.255.255.255
access-group acl_inside in interface inside
access-list acl_inside extended permit ip any any
interface TenGigabitEthernet5/1
 nameif inside
 security-level 100
 ip address 10.52.12.1 255.255.255.248

----------------------------------------

Configuration on FWSM Firewall Version 4.0(15)

static (inside,outside) 112.111.112.10 10.52.12.10 netmask 255.255.255.255
static (inside,outside) 112.111.112.11 10.52.12.11 netmask 255.255.255.255
access-group acl_inside in interface inside
access-list acl_inside extended permit ip any any
interface inside
 description Link to ServerFarm
 nameif pal
 security-level 40
 ip address 10.52.12.1 255.255.255.248

I want to compare the configuration on two devices. Currently I have a scenario where IP 10.52.12.11 is a web server (HTTP). With the configuration on the ASA 5580, connecting from inside (10.52.12.10) to 112.111.112.11 port 80 is successful, but with the configuration on the FWSM it is unsuccessful. Any ideas??

2 Replies

Jouni Forss
VIP Alumni

Hi,

So you are saying that you have 2 hosts on the "inside" and you are trying to connect from the other "inside" host to the other "inside" host with its NAT IP address?

By default this is not possible.

So I would imagine you have additional NAT configurations and certain global configurations that make this possible, as I can't see a "dns" parameter in the "static" command that would enable this in cases where the NAT IP address has a public DNS configuration. The "dns" parameter at the end of the "static" configuration would essentially make the ASA rewrite the DNS reply from a DNS server so that it answers with the private IP address rather than the NAT IP address.

The global configuration I am referring to is "same-security-traffic permit intra-interface" which would allow traffic to enter and leave the same interface which in this case would apply to "inside". This has to be enabled to have any hope of the traffic being allowed to enter and then leave the same interface.

While the source and destination host are both in the same network you should use the local IP address to connect OR use the "dns" parameter (provided the servers have DNS names configured on DNS server and the firewall can see the DNS query) OR you can configure NAT to make it possible to connect to the server using public IP address even from the LAN.

I would suggest using the "packet-tracer" command on the ASA (where the connection works according to you) to confirm which NAT rules it hits:

packet-tracer input inside tcp 10.52.12.10 12345 112.111.112.11 80

Hope this helps

EDIT: Your interface "nameif" values also don't match on the 2 devices? Do you have an interface "inside" also on the FWSM? I guess you must have, if it accepts the "static" configurations.

- Jouni

Julio Carvajal
VIP Alumni

Hello Rohmat,

They are the same except for the fact that the security level on the ASA is higher (100) than the one on the FWSM (40).

Are you sure the problem is not related to a security-level issue?

My recommendation: do captures on the outside interface of the FWSM and also on the inside, matching the HTTP packets.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC