02-27-2020 01:22 AM
Hi team,
I am using ASAv version 9.12.2 on AWS and I have a few internal interfaces (security level 100) and I cannot get them to ping each other, even when I am running the same-security-level permit command. I have tried to create an ACL to permit traffic from anywhere to anywhere with no success, and I have a few pre-made ACLs that I could not delete.
Here is my conf:
: Saved
:
: Serial Number: 9AS6FC2VFFG
: Hardware: ASAv, 7680 MB RAM, CPU Xeon E5 series 2900 MHz, 1 CPU (4 cores)
:
ASA Version 9.12(2)
!
hostname ciscoasa
enable password ***** pbkdf2
names
no mac-address auto
!
interface GigabitEthernet0/0
nameif App
security-level 100
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif Web
security-level 100
ip address dhcp setroute
!
interface GigabitEthernet0/2
nameif Guest
security-level 100
ip address dhcp setroute
!
interface Management0/0
management-only
nameif mgmt
security-level 90
ip address dhcp setroute
!
ftp mode passive
clock timezone IST 2
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network App
host 10.0.200.0
object network Web
subnet 10.0.100.0 255.255.255.0
access-list App_access_in extended permit ip any any
access-list Web_access_in extended permit ip any any
access-list Guest_access_in extended permit ip any any
pager lines 23
logging enable
logging trap debugging
logging asdm notifications
logging host mgmt 10.0.250.44 6/1470
mtu mgmt 1500
mtu App 1500
mtu Web 1500
mtu Guest 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network App
nat (any,App) dynamic interface
object network Web
nat (any,Web) dynamic interface
access-group App_access_in in interface App
access-group Web_access_in in interface Web
access-group Guest_access_in in interface Guest
router ospf 100
network 10.0.100.0 255.255.255.0 area 0
network 10.0.200.0 255.255.255.0 area 0
network 0.0.0.0 0.0.0.0 area 0
log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 10.0.250.0 255.255.255.0 App
http 10.0.250.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0509###
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 mgmt
ssh timeout 30
ssh version 1 2
console timeout 0
vpn load-balancing
dhcp-client client-id interface App
dhcp-client client-id interface Web
dhcp-client client-id interface Guest
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin nopassword privilege 15
username admin attributes
service-type admin
ssh authentication publickey ## hashed
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e7da6c4626b216ca9493ffa5e6e509c4
: end
Can anyone tell me what I am missing here?
Best Regards,
Alex.
02-27-2020 01:57 AM
Hello,
From where are you pinging the interfaces? Put IP addresses on the interfaces; everything is set to DHCP, so we can see which networks you are using. Can the local hosts directly connected to the interfaces ping their default gateways?
02-27-2020 04:05 AM
Hi,
the IP addresses on the interfaces are:
App -> 10.0.100.240
Web -> 10.0.200.240
Guest -> 10.0.150.240
I have one instance in each network (10.0.100.0/24, 10.0.200.0/24, 10.0.150.0/24) and they can ping the relevant ASA interface but cannot ping machines on different subnets. Let's say I have a machine in the App subnet: it can ping the App interface of the ASA but cannot ping any machine in the Web subnet.
Alex.
02-27-2020 05:08 AM
Odd. What if you manually assign the IP address to the interfaces instead of using DHCP?
02-27-2020 05:24 AM
Still nothing...
Here is the new conf:
: Saved
:
: Serial Number: 9AS6FC2VFFG
: Hardware: ASAv, 7680 MB RAM, CPU Xeon E5 series 2900 MHz, 1 CPU (4 cores)
:
ASA Version 9.12(2)
!
hostname ciscoasa
enable password ***** pbkdf2
names
no mac-address auto
!
interface GigabitEthernet0/0
nameif App
security-level 100
ip address 10.0.100.240 255.255.255.0
!
interface GigabitEthernet0/1
nameif Web
security-level 100
ip address 10.0.200.240 255.255.255.0
!
interface GigabitEthernet0/2
nameif Guest
security-level 100
ip address 10.0.150.240 255.255.255.0
!
interface Management0/0
management-only
nameif mgmt
security-level 90
ip address dhcp setroute
!
ftp mode passive
clock timezone IST 2
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network App
host 10.0.200.0
object network Web
subnet 10.0.100.0 255.255.255.0
access-list App_access_in extended permit ip any any
access-list Web_access_in extended permit ip any any
access-list Guest_access_in extended permit ip any any
access-list global_access extended permit ip any any
pager lines 23
logging enable
logging timestamp
logging trap debugging
logging asdm notifications
logging host mgmt 10.0.250.44 6/1470
mtu mgmt 1500
mtu App 1500
mtu Web 1500
mtu Guest 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network App
nat (any,App) dynamic interface
object network Web
nat (any,Web) dynamic interface
access-group App_access_in in interface App
access-group Web_access_in in interface Web
access-group Guest_access_in in interface Guest
access-group global_access global
router ospf 100
network 10.0.100.0 255.255.255.0 area 0
network 10.0.200.0 255.255.255.0 area 0
network 0.0.0.0 0.0.0.0 area 0
log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 10.0.250.0 255.255.255.0 App
http 10.0.250.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca #####
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 mgmt
ssh timeout 30
ssh version 1 2
console timeout 0
vpn load-balancing
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin nopassword privilege 15
username admin attributes
service-type admin
ssh authentication publickey#hashed
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a308350a05270142ed848690ce2eede9
: end
02-27-2020 05:38 AM
Hello,
which interface is actually supposed to be your outside?
Try to remove the NAT translations:
object network App
nat (any,App) dynamic interface
object network Web
nat (any,Web) dynamic interface
02-27-2020 06:11 AM - edited 02-27-2020 06:12 AM
Well, now I get "destination host unreachable".
I don't think there is an outside interface; all of them are inside.
If needed, how do I change the interface to outside, security level 0?
02-27-2020 06:58 AM
Hello,
in interface configuration mode, configure the outside interface with:
security-level 0
That said, I do not see any routing in your firewall either. In what topology is this firewall functioning?
02-27-2020 07:05 AM
I tried OSPF, and I do have an outside interface; it's called Management0/0.
Also, I am trying to understand how to route between the interfaces; I couldn't really find a normal walkthrough on how to do it.
02-27-2020 08:29 AM
Hello,
since you have allowed same-security inter-interface traffic, pings between the interfaces should work. Which clients are you pinging from? Make sure there is no local firewall enabled on the clients...
02-27-2020 11:55 AM
Hi,
Do the clients have the default gateway set as the ASA?
Regards,
Cristian Matei.
03-01-2020 12:44 AM
Hi,
yes, the instances have the ASA set as the default gateway for the relevant interfaces.
03-01-2020 02:14 AM
Hi,
Have you removed your NAT configs? Because based on the NAT config, you have some restrictions on traffic flow initiation.
Regards,
Cristian Matei.
03-01-2020 03:03 AM - edited 03-01-2020 03:04 AM
Hi,
Yes, I removed the NAT config, and those that I couldn't remove I disabled. Should I share my new config?
03-01-2020 07:04 AM - edited 03-01-2020 09:05 AM
Hello,
You need to not NAT between the subnets, but you need a NAT statement for that; try:
no object network App
no object network Web
object network App_Web
subnet 10.0.100.0 255.255.255.0
nat (App,Web) static 10.0.100.0
object network Web_App
subnet 10.0.200.0 255.255.255.0
nat (Web,App) static 10.0.200.0
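As an added example (not posted by anyone in this thread and not Cisco documentation), the same NAT exemption written as one manual (twice) NAT rule that covers all three internal subnets from the thread, including Guest, followed by the commands used to verify it. The object and object-group names and the two host addresses in the packet-tracer line are assumptions; the subnets and interface names come from the posted configs.

```text
! Remove the dynamic interface-PAT rules from the first config; they
! translate traffic towards App/Web and so break the return path.
no object network App
no object network Web
!
! One object per internal subnet (names assumed, addresses from the thread)
object network NET_App
 subnet 10.0.100.0 255.255.255.0
object network NET_Web
 subnet 10.0.200.0 255.255.255.0
object network NET_Guest
 subnet 10.0.150.0 255.255.255.0
object-group network INTERNAL_NETS
 network-object object NET_App
 network-object object NET_Web
 network-object object NET_Guest
!
! Identity NAT: source and destination are mapped to themselves for any
! internal-to-internal flow, so nothing is translated between the subnets.
! route-lookup makes the ASA pick the egress interface from the routing
! table; no-proxy-arp stops it answering ARP for the other subnets.
nat (any,any) source static INTERNAL_NETS INTERNAL_NETS destination static INTERNAL_NETS INTERNAL_NETS no-proxy-arp route-lookup
!
! Translations built under the old rules stay in the xlate table until
! they time out; clearing it makes the new policy apply immediately
! (this also drops any other active translations on the box).
clear xlate
!
! Verify: simulate an ICMP echo (type 8, code 0) from a constructed App
! host to a constructed Web host. The NAT phase should list the identity
! rule and the result should be ALLOW with output-interface Web; if it
! shows DROP, the phase name tells you which part of the config blocks it.
packet-tracer input App icmp 10.0.100.10 8 0 10.0.200.10
!
! Confirm the rule is installed and watch its hit count after a real ping
show nat detail
```

The existing same-security-traffic permit inter-interface line and the permit ip any any ACLs stay as they are; this rule only removes the translation that was being applied on top of them.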