Allow traffic between two LAN interfaces

JL_7
Level 1

Hi,

 

I'm trying to set up my ASA 5510 to allow traffic between two interfaces:

 

  1. Ethernet 0/1 Inside 192.168.10.1
  2. Ethernet 0/2 PBX 10.21.5.254

Both security levels are set to 100, and "Enable traffic between two or more interfaces which are configured with same security levels" has also been enabled.

 

But I can't ping the GW on either side. Can anyone suggest if I'm missing something?

 

Thanks. 

11 Replies

GRANT3779
Spotlight
Hi There,
Are you trying to ping the GW on E0/1 from a device hanging off E0/2 and vice versa? You can't do this by design. You can't send a ping to one ASA interface when it comes in via another interface on the same device, if this is what you are referring to in your post.

Hi,

 

I need to allow the two interfaces to communicate on IMAP port 143.

 

Thanks.

If you need devices behind each of those interfaces to communicate, with the current state you should be good.

You have the same security level configured on each interface - confirmed by you.

You have the command "same-security-traffic permit inter-interface" configured - confirmed by you (can you post "show run same-security"?).

Currently no ACLs?

Do you have any NAT configured that might cause issues?


Can you check that you have ICMP inspection enabled:


sh run policy-map

If not, add the following for ICMP to be inspected/allowed:

conf t
!
policy-map global_policy
class inspection_default
inspect icmp

Once you have initial communication you can then look to lock down with ACL if this is what you want to achieve.
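The checklist above as a script. This is an added example, not code from the thread or from Cisco: it parses a constructed ASA 8.2-style config (modelled on the one posted further down, keeping the Inside/PBX interface and ACL names and omitting everything else) and reports which of the listed conditions hold for traffic between two interfaces. The NAT check encodes the well-known 8.2 behaviour that once a dynamic `nat (ifc) <id>` rule matches the source, the egress interface needs a `global` with that id or an identity `static`; otherwise the ASA drops the flow and logs `%ASA-3-305005 No translation group found`. The ACL check is deliberately coarse and only recognises `permit <proto|ip> any any` lines.

```python
"""Check the conditions listed above for traffic between two same-security
ASA 8.2 interfaces by parsing a running-config text (added example)."""
import re

# Constructed sample, modelled on the thread's posted config but trimmed.
BROKEN_CONFIG = """\
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/3
 nameif PBX
 security-level 100
 ip address 10.21.5.254 255.255.255.0
!
same-security-traffic permit inter-interface
access-list Inside_access_in extended permit ip any any
access-list PBX_access_in extended permit ip any any
global (New_Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group Inside_access_in in interface Inside
access-group PBX_access_in in interface PBX
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
!
"""

# Same config plus an identity static for Inside->PBX and ICMP inspection.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "nat (Inside) 1 0.0.0.0 0.0.0.0\n",
    "nat (Inside) 1 0.0.0.0 0.0.0.0\n"
    "static (Inside,PBX) 192.168.10.0 192.168.10.0 netmask 255.255.255.0\n",
).replace("  inspect ftp\n", "  inspect ftp\n  inspect icmp\n")


def security_levels(cfg):
    """Map nameif -> security-level from the interface blocks."""
    levels, name = {}, None
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels


def inspect_icmp_enabled(cfg):
    """True when 'inspect icmp' sits under 'policy-map global_policy'."""
    in_global = False
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("policy-map "):
            in_global = s == "policy-map global_policy"
        elif in_global and s == "inspect icmp":
            return True
    return False


def inbound_acl_permits(cfg, ifc, proto):
    """Coarse ACL check: no inbound ACL on ifc, or a 'permit <proto|ip> any any'
    line in the applied ACL. Ordering and specific subnets are not evaluated."""
    m = re.search(r"^access-group (\S+) in interface %s$" % re.escape(ifc), cfg, re.M)
    if not m:
        return True
    pat = r"^access-list %s extended permit (?:%s|ip) any any$" % (re.escape(m.group(1)), proto)
    return re.search(pat, cfg, re.M) is not None


def nat_path_ok(cfg, src_ifc, dst_ifc):
    """ASA 8.2 rule of thumb: once a dynamic 'nat (src) <id>' rule matches the
    source, the egress interface needs 'global (dst) <id>' or an identity
    'static (src,dst)'; otherwise the ASA drops the flow and logs
    %ASA-3-305005 'No translation group found'."""
    ids = set(re.findall(r"^nat \(%s\) (\d+) " % re.escape(src_ifc), cfg, re.M))
    ids.discard("0")  # nat 0 (exemption) rules need no global
    if not ids:
        return True, "no dynamic NAT on %s; with nat-control off it passes untranslated" % src_ifc
    for nid in sorted(ids):
        if re.search(r"^global \(%s\) %s " % (re.escape(dst_ifc), nid), cfg, re.M):
            return True, "global (%s) %s serves nat (%s) %s" % (dst_ifc, nid, src_ifc, nid)
    if re.search(r"^static \(%s,%s\) " % (re.escape(src_ifc), re.escape(dst_ifc)), cfg, re.M):
        return True, "identity static (%s,%s) present" % (src_ifc, dst_ifc)
    return False, "nat (%s) matches but no global (%s) or static (%s,%s)" % (
        src_ifc, dst_ifc, src_ifc, dst_ifc)


def check_pair(cfg, a, b, proto="icmp"):
    """Run every check for traffic a -> b and return {check: passed}."""
    levels = security_levels(cfg)
    return {
        "same_security_level": levels.get(a) == levels.get(b),
        "inter_interface_permitted": "same-security-traffic permit inter-interface" in cfg,
        "inspect_icmp": proto != "icmp" or inspect_icmp_enabled(cfg),
        "inbound_acl_permits": inbound_acl_permits(cfg, a, proto),
        "nat_path": nat_path_ok(cfg, a, b)[0],
    }
```

Compare `check_pair(BROKEN_CONFIG, "Inside", "PBX")`, which fails on `inspect_icmp` and `nat_path`, with the same call on `FIXED_CONFIG`. On the ASA itself the equivalent test is `packet-tracer input Inside icmp 192.168.10.10 8 0 10.21.5.10`, whose per-phase output shows which stage (ACL, NAT, inspection) drops the packet.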

Thanks. I tried, but I'm still not able to ping or telnet to the other interface.

 

Here is the running config on the ASA.

 

I'd appreciate it if you can suggest what I'm missing on the ACL / NAT / static route.

 

Result of the command: "sh config"

: Saved
: Written by enable_15 at 13:10:24.988 HKST Thu Jul 11 2019
!
ASA Version 8.2(5)
!
hostname RFHKASA
enable password 6gguA1wt4nQiES2U encrypted
passwd M2ArBQfTUvnVExSr encrypted
names
name 192.168.10.10 RFHK
name 218.255.21.162 New-WAN
name 192.168.10.20 Wireless_Router
name 192.168.10.21 Wireless_Satellite
name 10.10.1.0 VPN
name 192.168.10.1 ASA_LAN
name 10.21.5.254 PBX_GW
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 118.143.97.218 255.255.255.252
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address ASA_LAN 255.255.255.0
!
interface Ethernet0/2
nameif New_Outside
security-level 0
ip address New-WAN 255.255.255.252
!
interface Ethernet0/3
nameif PBX
security-level 100
ip address PBX_GW 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone HKST 8
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup New_Outside
dns domain-lookup PBX
dns domain-lookup management
dns server-group DefaultDNS
name-server 175.45.33.251
name-server 59.152.248.251
name-server 8.8.8.8
same-security-traffic permit inter-interface
access-list outside extended deny ip any any
access-list outside extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list outside extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list Outside_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list VPN standard permit host 212.161.34.161
access-list VPN_access_in extended permit ip any 192.168.10.0 255.255.255.0
access-list VPN_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list VPN_access_in extended permit ip any VPN 255.255.255.0
access-list VPN_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit ip any 192.168.10.0 255.255.255.0
access-list Inside_access_in extended permit ip any VPN 255.255.255.0
access-list Inside_access_in extended permit ip any 10.21.5.0 255.255.255.0
access-list Inside_access_in extended permit ip 10.21.5.0 255.255.255.0 any
access-list PBX_access_in extended permit ip any any
access-list PBX_access_in extended permit icmp any any
access-list LOCAL_LAN standard permit 192.168.10.0 255.255.255.0
access-list New_Outside_nat0_outbound extended permit ip any VPN 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any VPN 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu New_Outside 1500
mtu PBX 1500
mtu management 1500
ip local pool ClientVPN 10.10.1.10-10.10.1.50 mask 255.255.255.0
ip local pool VPN2 192.168.20.10-192.168.20.50 mask 255.255.255.0
ip local pool VPN 10.10.1.51-10.10.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (New_Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 255.255.255.255
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (New_Outside) 0 access-list New_Outside_nat0_outbound
static (Inside,PBX) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group VPN_access_in in interface New_Outside
access-group PBX_access_in in interface PBX
route New_Outside 0.0.0.0 0.0.0.0 218.255.21.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.10.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 PBX
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Inside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 Inside
telnet 192.168.1.0 255.255.255.0 PBX
telnet timeout 5
ssh timeout 5
console timeout 0
management-access PBX
dhcpd dns 175.45.33.251 59.152.248.251
!
dhcpd address 192.168.10.50-192.168.10.149 Inside
dhcpd enable Inside
!
dhcpd address 192.168.2.2-192.168.2.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable New_Outside
anyconnect-essentials
svc image disk0:/anyconnect-win-3.1.08009-k9.pkg 1
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3 regex "Linux"
svc image disk0:/anyconnect-macosx-i386-3.1.05187-k9.pkg 4
svc profiles VPN_Profile disk0:/vpn_profile.xml
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
banner value Welcome to Finsbury SSL VPN
wins-server none
dns-server value 175.45.33.251 59.152.248.251
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LOCAL_LAN
default-domain none
address-pools value ClientVPN
webvpn
url-list none
svc keep-installer installed
svc profiles value VPN_Profile
svc ask none default svc
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
banner value Welocme to RLM Finsbury VPN Access
banner value This VPN Access Is For AUTHORIZED USERS Only
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain none
address-pools value ClientVPN
ipv6-address-pools none
tunnel-group DefaultRAGroup general-attributes
address-pool (New_Outside) ClientVPN
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool ClientVPN
default-group-policy SSLVPN
tunnel-group VPN webvpn-attributes
group-alias SSLVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9a67dd1460edbe20c0bff28e9f1eb8b2

For ICMP, first of all, I do not see inspection enabled for it.

 

You will need to add the following under the global policy:

 

policy-map global_policy
class inspection_default
inspect icmp

 

For the NATs, I think you will also need the following, due to your code version:

 

static (PBX,Inside) 10.21.5.0 10.21.5.0 netmask 255.255.255.0

 

Added ICMP to the global policy and the NAT, but still no luck.....

 

Result of the command: "sh running-config"

: Saved
:
ASA Version 8.2(5)
!
hostname RFHKASA
enable password 6gguA1wt4nQiES2U encrypted
passwd M2ArBQfTUvnVExSr encrypted
names
name 192.168.10.10 RFHK
name 218.255.21.162 New-WAN
name 192.168.10.20 Wireless_Router
name 192.168.10.21 Wireless_Satellite
name 10.10.1.0 VPN
name 192.168.10.1 ASA_LAN
name 10.21.5.254 PBX_GW
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 118.143.97.218 255.255.255.252
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address ASA_LAN 255.255.255.0
!
interface Ethernet0/2
nameif New_Outside
security-level 0
ip address New-WAN 255.255.255.252
!
interface Ethernet0/3
nameif PBX
security-level 100
ip address PBX_GW 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone HKST 8
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup New_Outside
dns domain-lookup PBX
dns domain-lookup management
dns server-group DefaultDNS
name-server 175.45.33.251
name-server 59.152.248.251
name-server 8.8.8.8
same-security-traffic permit inter-interface
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq imap4
service-object tcp-udp eq www
service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp eq imap4
access-list outside extended deny ip any any
access-list outside extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list outside extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list Outside_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list VPN standard permit host 212.161.34.161
access-list VPN_access_in extended permit ip any 192.168.10.0 255.255.255.0
access-list VPN_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list VPN_access_in extended permit ip any VPN 255.255.255.0
access-list VPN_access_in extended permit icmp any any inactive
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit ip any 192.168.10.0 255.255.255.0
access-list Inside_access_in extended permit ip any VPN 255.255.255.0
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any 10.21.5.0 255.255.255.0
access-list Inside_access_in extended permit ip 10.21.5.0 255.255.255.0 any
access-list PBX_access_in extended permit ip any any
access-list PBX_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list LOCAL_LAN standard permit 192.168.10.0 255.255.255.0
access-list New_Outside_nat0_outbound extended permit ip any VPN 255.255.255.0
access-list New_Outside_nat0_outbound extended permit ip VPN 255.255.255.0 any
access-list Inside_nat0_outbound extended permit ip any VPN 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu New_Outside 1500
mtu PBX 1500
mtu management 1500
ip local pool ClientVPN 10.10.1.10-10.10.1.50 mask 255.255.255.0
ip local pool VPN2 192.168.20.10-192.168.20.50 mask 255.255.255.0
ip local pool VPN 10.10.1.51-10.10.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (New_Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 255.255.255.255
nat (Inside) 1 VPN 255.255.255.0
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (New_Outside) 0 access-list New_Outside_nat0_outbound
static (PBX,Inside) 10.21.5.0 10.21.5.0 netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group VPN_access_in in interface New_Outside
access-group PBX_access_in in interface PBX
route New_Outside 0.0.0.0 0.0.0.0 218.255.21.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.10.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 PBX
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Inside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 Inside
telnet 192.168.1.0 255.255.255.0 PBX
telnet timeout 5
ssh timeout 5
console timeout 0
management-access PBX
dhcpd dns 175.45.33.251 59.152.248.251
!
dhcpd address 192.168.10.50-192.168.10.149 Inside
dhcpd enable Inside
!
dhcpd address 192.168.2.2-192.168.2.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable New_Outside
anyconnect-essentials
svc image disk0:/anyconnect-win-3.1.08009-k9.pkg 1
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3 regex "Linux"
svc image disk0:/anyconnect-macosx-i386-3.1.05187-k9.pkg 4
svc profiles VPN_Profile disk0:/vpn_profile.xml
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
banner value Welcome to Finsbury SSL VPN
wins-server none
dns-server value 175.45.33.251 59.152.248.251
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LOCAL_LAN
default-domain none
address-pools value ClientVPN
webvpn
url-list none
svc keep-installer installed
svc profiles value VPN_Profile
svc ask none default svc
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
banner value Welocme to RLM Finsbury VPN Access
banner value This VPN Access Is For AUTHORIZED USERS Only
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain none
address-pools value ClientVPN
ipv6-address-pools none
tunnel-group DefaultRAGroup general-attributes
address-pool (New_Outside) ClientVPN
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool ClientVPN
default-group-policy SSLVPN
tunnel-group VPN webvpn-attributes
group-alias SSLVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a7807e8cf1af25184a8d0d4cd4a7122e
: end

Hi,
I don't see the following added:

static (PBX,Inside) 10.21.5.0 10.21.5.0 netmask 255.255.255.0

Added, but still no luck.... any other suggestions?

 

Much appreciated

 

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(5)
!
hostname RFHKASA
enable password 6gguA1wt4nQiES2U encrypted
passwd M2ArBQfTUvnVExSr encrypted
names
name 192.168.10.10 RFHK
name 218.255.21.162 New-WAN
name 192.168.10.20 Wireless_Router
name 192.168.10.21 Wireless_Satellite
name 10.10.1.0 VPN
name 192.168.10.1 ASA_LAN
name 10.21.5.254 PBX_GW
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 118.143.97.218 255.255.255.252
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address ASA_LAN 255.255.255.0
!
interface Ethernet0/2
nameif New_Outside
security-level 0
ip address New-WAN 255.255.255.252
!
interface Ethernet0/3
nameif PBX
security-level 100
ip address PBX_GW 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone HKST 8
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup New_Outside
dns domain-lookup PBX
dns domain-lookup management
dns server-group DefaultDNS
name-server 175.45.33.251
name-server 59.152.248.251
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq imap4
service-object tcp-udp eq www
service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp eq imap4
access-list outside extended deny ip any any
access-list outside extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list outside extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list Outside_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list VPN standard permit host 0.0.0.0
access-list VPN_access_in extended permit ip any 192.168.10.0 255.255.255.0
access-list VPN_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list VPN_access_in extended permit ip any VPN 255.255.255.0
access-list VPN_access_in extended permit icmp any any inactive
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit ip any 192.168.10.0 255.255.255.0
access-list Inside_access_in extended permit ip any VPN 255.255.255.0
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any 10.21.5.0 255.255.255.0
access-list Inside_access_in extended permit ip 10.21.5.0 255.255.255.0 any
access-list PBX_access_in extended permit ip any any
access-list PBX_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list LOCAL_LAN standard permit 192.168.10.0 255.255.255.0
access-list New_Outside_nat0_outbound extended permit ip any VPN 255.255.255.0
access-list New_Outside_nat0_outbound extended permit ip VPN 255.255.255.0 any
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 VPN 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu New_Outside 1500
mtu PBX 1500
mtu management 1500
ip local pool ClientVPN 10.10.1.10-10.10.1.50 mask 255.255.255.0
ip local pool VPN2 192.168.20.10-192.168.20.50 mask 255.255.255.0
ip local pool VPN 10.10.1.51-10.10.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (New_Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 255.255.255.255
nat (Inside) 1 VPN 255.255.255.0
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (New_Outside) 0 access-list New_Outside_nat0_outbound
nat (New_Outside) 1 VPN 255.255.255.0
static (Inside,PBX) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (PBX,Inside) 10.21.5.0 10.21.5.0 netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group VPN_access_in in interface New_Outside
access-group PBX_access_in in interface PBX
route New_Outside 0.0.0.0 0.0.0.0 218.255.21.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.10.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 PBX
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Inside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 Inside
telnet 192.168.1.0 255.255.255.0 PBX
telnet timeout 5
ssh timeout 5
console timeout 0
management-access PBX
dhcpd dns 175.45.33.251 59.152.248.251
!
dhcpd address 192.168.10.50-192.168.10.149 Inside
dhcpd enable Inside
!
dhcpd address 192.168.2.2-192.168.2.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable New_Outside
anyconnect-essentials
svc image disk0:/anyconnect-win-3.1.08009-k9.pkg 1
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3 regex "Linux"
svc image disk0:/anyconnect-macosx-i386-3.1.05187-k9.pkg 4
svc profiles VPN_Profile disk0:/vpn_profile.xml
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
banner value Welcome to Finsbury SSL VPN
wins-server none
dns-server value 175.45.33.251 59.152.248.251
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LOCAL_LAN
default-domain none
address-pools value ClientVPN
webvpn
url-list none
svc keep-installer installed
svc profiles value VPN_Profile
svc ask none default svc
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
banner value Welocme to RLM Finsbury VPN Access
banner value This VPN Access Is For AUTHORIZED USERS Only
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain none
address-pools value ClientVPN
ipv6-address-pools none
tunnel-group DefaultRAGroup general-attributes
address-pool (New_Outside) ClientVPN
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool ClientVPN
default-group-policy SSLVPN
tunnel-group VPN webvpn-attributes
group-alias SSLVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f3b7d327fcb79e77fc18c5276bc75451
: end

The ASA can allow communication between interfaces with the same security level by adding the command "same-security-traffic permit inter-interface".

 

Hope you have set this config. If the setup is done, try "telnet xxx 143" from one of the devices and collect the logs from the ASA.

 

BB

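Following the advice above to collect the ASA logs, an added example (not code from the thread or from Cisco) that triages syslog lines for a flow between two interfaces. The log lines are constructed in the formats Cisco documents for messages 305005, 106023, 302020, 302021 and 302013; the hint attached to each message ID points back at the items discussed in this thread (NAT, ACL, ICMP inspection). Interface names and addresses are the thread's; the source ports and connection ID are made up.

```python
"""Triage ASA syslog lines for a flow between two interfaces and map each
message ID back to a checklist item from the thread (added example)."""
import re

# Constructed excerpt: a ping and an IMAP attempt from Inside to PBX, written
# in the formats Cisco documents for these message IDs.
SAMPLE_SYSLOG = """\
%ASA-3-305005: No translation group found for icmp src Inside:192.168.10.10 dst PBX:10.21.5.10 (type 8, code 0)
%ASA-4-106023: Deny tcp src Inside:192.168.10.10/51234 dst PBX:10.21.5.10/143 by access-group "Inside_access_in" [0x0, 0x0]
%ASA-6-302020: Built outbound ICMP connection for faddr 10.21.5.10/0 gaddr 192.168.10.10/0 laddr 192.168.10.10/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.21.5.10/0 gaddr 192.168.10.10/0 laddr 192.168.10.10/0
%ASA-6-302013: Built outbound TCP connection 12 for PBX:10.21.5.10/143 (10.21.5.10/143) to Inside:192.168.10.10/51235 (192.168.10.10/51235)
"""

# message ID -> (verdict, which item of the checklist to revisit)
VERDICTS = {
    "305005": ("dropped", "NAT: a nat rule matched on the ingress interface but the egress "
                          "interface has no global with that id and no identity static"),
    "106023": ("dropped", "ACL: the access-group applied inbound on the ingress interface denies it"),
    "302020": ("passed", "ICMP connection built: inspection and policy allowed the echo"),
    "302013": ("passed", "TCP connection built: ACL and NAT allowed the flow"),
}

MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")
ENDPOINT_RE = re.compile(r"src (\w+):([\d.]+)(?:/\d+)? dst (\w+):([\d.]+)(?:/\d+)?")


def parse_line(line):
    """Return severity, message ID, text and, when present, src/dst interface and address."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev, msg_id, text = m.groups()
    rec = {"severity": int(sev), "id": msg_id, "text": text}
    e = ENDPOINT_RE.search(text)
    if e:
        rec.update(src_ifc=e.group(1), src=e.group(2), dst_ifc=e.group(3), dst=e.group(4))
    return rec


def triage(syslog, ifc_a, ifc_b):
    """Classify every known message that names the two interfaces (either
    direction). Build/teardown messages carry addresses only, so they are kept;
    IDs not in VERDICTS (such as the 302021 teardown) are skipped.
    Returns a list of (msg_id, verdict, hint) in log order."""
    out = []
    for line in syslog.splitlines():
        rec = parse_line(line)
        if rec is None or rec["id"] not in VERDICTS:
            continue
        ifcs = {rec.get("src_ifc"), rec.get("dst_ifc")} - {None}
        if ifcs and ifcs != {ifc_a, ifc_b}:
            continue
        verdict, hint = VERDICTS[rec["id"]]
        out.append((rec["id"], verdict, hint))
    return out


def summarize(results):
    """Count drops versus passes for a quick 'is anything getting through' answer."""
    counts = {"dropped": 0, "passed": 0}
    for _, verdict, _ in results:
        counts[verdict] += 1
    return counts
```

Feed it the output of `show logging` (with `logging buffered informational` or higher so the 302xxx build messages are kept) and look at the first "dropped" entry: a 305005 means the NAT side of the checklist, a 106023 means the ACL side, and a 302020 for the ping with no drop means the ASA passed it and the problem is on the host.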

Hi,

 

I'm still not able to make the two interfaces communicate with each other. I can't even ping the other GW.....

 

I'd appreciate it if anyone can give me some advice. Thanks.

 

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(5)
!
hostname RFHKASA
names
name 192.168.10.10 RFHK
name 218.255.21.162 New-WAN
name 192.168.10.20 Wireless_Router
name 192.168.10.21 Wireless_Satellite
name 10.10.1.0 VPN
name 192.168.10.1 ASA_LAN
name 10.21.5.254 PBX_GW
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 118.143.97.218 255.255.255.252
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address ASA_LAN 255.255.255.0
!
interface Ethernet0/2
nameif New_Outside
security-level 0
ip address New-WAN 255.255.255.252
!
interface Ethernet0/3
nameif PBX
security-level 100
ip address PBX_GW 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone HKST 8
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup New_Outside
dns domain-lookup PBX
dns domain-lookup management
dns server-group DefaultDNS
name-server 175.45.33.251
name-server 59.152.248.251
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside extended deny ip any any
access-list outside extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list outside extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list Outside_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list VPN standard permit host 0.0.0.0
access-list VPN_access_in extended permit ip any 192.168.10.0 255.255.255.0 inactive
access-list VPN_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list VPN_access_in extended permit ip any VPN 255.255.255.0
access-list VPN_access_in extended permit icmp any any inactive
access-list VPN_access_in extended permit ip VPN 255.255.255.0 any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit ip any 192.168.10.0 255.255.255.0
access-list Inside_access_in extended permit ip any VPN 255.255.255.0
access-list Inside_access_in extended permit icmp any 10.21.5.0 255.255.255.0
access-list Inside_access_in extended permit ip 10.21.5.0 255.255.255.0 any
access-list PBX_access_in extended permit ip any any
access-list PBX_access_in extended permit icmp any any
access-list LOCAL_LAN standard permit 192.168.10.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 VPN 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip 192.168.10.0 255.255.255.0 VPN 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu New_Outside 1500
mtu PBX 1500
mtu management 1500
ip local pool ClientVPN 10.10.1.10-10.10.1.50 mask 255.255.255.0
ip local pool VPN2 192.168.20.10-192.168.20.50 mask 255.255.255.0
ip local pool VPN 10.10.1.51-10.10.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (New_Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound_1
nat (Inside) 1 192.168.10.0 255.255.255.0
nat (New_Outside) 1 VPN 255.255.255.0
static (PBX,Inside) 10.21.5.0 10.21.5.0 netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group VPN_access_in in interface New_Outside
access-group PBX_access_in in interface PBX
route New_Outside 0.0.0.0 0.0.0.0 218.255.21.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.10.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 PBX
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Inside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 Inside
telnet 192.168.1.0 255.255.255.0 PBX
telnet timeout 5
ssh timeout 5
console timeout 0
management-access PBX
dhcpd dns 175.45.33.251 59.152.248.251
!
dhcpd address 192.168.10.40-192.168.10.199 Inside
dhcpd enable Inside
!
dhcpd address 192.168.2.2-192.168.2.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable New_Outside
anyconnect-essentials
svc image disk0:/anyconnect-win-3.1.08009-k9.pkg 1
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3 regex "Linux"
svc image disk0:/anyconnect-macosx-i386-3.1.05187-k9.pkg 4
svc profiles VPN_Profile disk0:/vpn_profile.xml
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
banner value Welcome to Finsbury SSL VPN
wins-server none
dns-server value 175.45.33.251 59.152.248.251
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelall
split-tunnel-network-list value LOCAL_LAN
default-domain none
address-pools value ClientVPN
webvpn
url-list none
svc keep-installer installed
svc profiles value VPN_Profile
svc ask none default svc
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
banner value Welocme to RLM Finsbury VPN Access
banner value This VPN Access Is For AUTHORIZED USERS Only
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain none
address-pools value ClientVPN
ipv6-address-pools none
tunnel-group DefaultRAGroup general-attributes
address-pool (New_Outside) ClientVPN
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool ClientVPN
default-group-policy SSLVPN
tunnel-group VPN webvpn-attributes
group-alias SSLVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f719ce337233d24282381e6a4bf22cd6
: end

Looking at your config again, I don't think you need the following:

static (PBX,Inside) 10.21.5.0 10.21.5.0 netmask 255.255.255.0

I'd remove this.

Just FYI, you won't be able to ping the other GW, e.g. if you are in the PBX LAN you will only be able to ping the GW address for PBX, 10.21.5.254. You will not be able to ping the Inside address from the PBX subnet and vice versa. This is default behavior of the firewall.

How are you testing your connectivity between the Interfaces/LANs? I would ensure Windows FW is not running (if windows) as this can block ICMP and other traffic destined to the machine itself. It may be an idea to run Wireshark on the hosts whilst running your tests. See if the traffic is getting to them.