03-21-2012 11:00 AM - edited 03-07-2019 05:42 AM
I know this is a pretty typical way to start this off, but I am a bit of a newbie with VLANs and Cisco equipment. I am attempting to set up communication between 2 VLANs. This setup is between two separate medical practices: Client1, which I have access to, and Client2, which is not managed by me. I have access to only one of the practice's equipment. I have physically attached a cable from their switch to my ASA in an attempt to get access to a shared server on Client2's network. I have created a VLAN called dmz to allow access from Client1 to Client2. So far I am able to access the server from Client1, but I need to enable bi-directional access from Client2 to Client1's network, namely to enable the ability for the server at Client2 to contact a printer on Client1's network. I have a Visio that I have attached, and the show run is also attached.
Can anyone point me in the right direction?
03-21-2012 01:35 PM
access-list NAT-TO-OUTSIDE extended deny ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
03-21-2012 11:08 AM
Hi,
As I saw in the config you do not want NAT, so the easy way :
no nat-control
This will disable the requirement to NAT the inside source flows, without identity NAT.
Regards
Dan
03-21-2012 11:18 AM
Dan,
Thanks for the reply, but when I issued that command it didn't change the situation.
The way I am testing this is I have a machine that I am remotely connected to at each client site. At Client2, where I do not have access to their firewall, I have added a static route on the PC to route all traffic for 192.168.51.0/24 to the dmz VLAN IP on my ASA.
I am still able to ping the machine on Client2's network FROM Client1, but not vice versa.
Thanks for your help.
Micah
03-21-2012 11:24 AM
Hi Micah,
The thing is that, for example, the Med Manager Server has to have a route for 192.168.51.0/24 to 192.168.50.217, which is the ASA FW. I suppose that there is no Layer 3 equipment in VLAN 12 besides the 2 firewalls.
Regards
Dan
03-21-2012 11:28 AM
I can bet that your ping works from 192.168.51.0 to 192.168.50.0. Why?
You have nat in place
global (dmz) 2 interface
nat (inside) 2 access-list inside_nat_outbound
And all the traffic from 192.168.51.0 is SNATed to the ASA interface IP.
Regards
Dan
03-21-2012 11:40 AM
Correct, so if I remove the NAT and ensure that I have a route added on the 192.168.50.0 machines to point to 192.168.50.217 I should be able to get bi-directional traffic?
03-21-2012 11:49 AM
Yes, you are correct.
You will be able to have bidirectional traffic also using static NAT: each 192.168.51.0 host will have a 192.168.50.x address.
As an example: static (inside,dmz) 192.168.50.50 192.168.51.51
The 192.168.50.x hosts can communicate with 192.168.51.51 using 192.168.50.50 as the destination address.
First solution: it's simpler, but you have to add the route on the hosts.
Second solution: depends on how many addresses are used in 192.168.50.x and how many hosts in 192.168.51.x need to talk with the other client.
Dan
03-21-2012 11:53 AM
What specific commands do I need to run to remove NAT only on the traffic between the inside and the dmz network? I don't want to remove NAT between inside and outside.
03-21-2012 11:44 AM
Keep in mind that I do need to NAT traffic coming from the inside interface to the outside interface.
03-21-2012 11:45 AM
Also, you are correct. I only have the layer 2 switches and the firewall. No other equipment.
03-21-2012 11:54 AM
Ok, then:
no nat-control
no global (dmz) 2 interface
no nat (inside) 2 access-list inside_nat_outbound
+
route 192.168.51.0/24 -> 192.168.50.217
Furthermore, if you do not need to NAT anything, you can delete all nat & global config.
Regards
Dan
03-21-2012 12:19 PM
Okay, I removed those lines from the config and now I am not able to ping from either side. I also removed these lines:
nat (dmz) 0 access-list dmz_nat0_outbound
access-list dmz_nat0_outbound extended permit ip any any
but it didn't help; currently, with those lines removed, I no longer have traffic from either side. Any thoughts?
Here is the current config with those lines removed. Do I have to make changes to the access-lists as well?
: Saved
:
ASA Version 8.2(5)
!
hostname TEXASVOICE
names
name 192.168.50.4 NETMEN
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.51.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.25.10.31 255.255.255.0
!
interface Vlan12
no forward interface Vlan2
nameif dmz
security-level 100
ip address 192.168.50.217 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit tcp 10.1.100.0 255.255.255.0 192.168.51.0 255.255.255.0 eq 9100
access-list outside_access_in extended permit tcp 10.1.100.0 255.255.255.0 192.168.51.0 255.255.255.0 eq lpd
access-list DATACENTER-VPN extended permit ip 192.168.51.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list nonatvpn extended permit ip 192.168.51.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list inside_nat_outbound extended permit ip any 192.168.50.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list dmz_access_out extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonatvpn
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
route outside 0.0.0.0 0.0.0.0 172.25.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address DATACENTER-VPN
crypto map outside_map 1 set peer 69.39.160.194
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 10.110.12.8 10.120.62.15
dhcpd auto_config outside
!
dhcpd address 192.168.51.100-192.168.51.199 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 69.39.160.194 type ipsec-l2l
tunnel-group 69.39.160.194 ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6addb3d103a9d829f96d5a1fa9b7ffad
: end
03-21-2012 12:23 PM
Hi,
You have to add a route on the 192.168.50.x hosts for the 192.168.51.0/24 prefix toward the ASA interface 192.168.50.217. Did you add this route?
Regards
Dan
03-21-2012 12:26 PM
Yes, I have had that added for a while. I thought that was going to be the only hurdle.
Prior to these changes I was able to access the whole 192.168.50.x network from the 192.168.51.x network. Now I am not able to access anything from either network.
03-21-2012 12:36 PM
You will have to add this route on the 192.168.50.x host.
I suppose that the 192.168.50 host has a default route to the Juniper firewall, so all the packets for destinations outside 192.168.50.0 (this includes 192.168.51.0) will be forwarded to the Juniper. In order to communicate through the ASA, you must add a route for 192.168.51.0 255.255.255.0 to 192.168.50.217.
Regards
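Putting the thread together, here is an added ASA 8.2 configuration fragment (not posted by Micah or Dan) that keeps PAT toward outside while excluding inside-to-dmz traffic from translation, using the deny line from the accepted solution. It assumes the catch-all "nat (inside) 1 0.0.0.0 0.0.0.0" from the posted config is replaced by a policy NAT rule that references the NAT-TO-OUTSIDE access-list named in the accepted answer (that ACL is not shown in the posted config), and that the 192.168.50.x hosts already carry the route toward 192.168.50.217 that Dan describes.

```text
! --- Assumed layout: inside = 192.168.51.0/24, dmz = 192.168.50.0/24 (from the posted config)
! --- Exclude inside <-> dmz from the outside PAT rule (deny ACEs in a policy NAT ACL
! --- mean "do not translate with this rule", which is the accepted solution's line)
access-list NAT-TO-OUTSIDE extended deny   ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NAT-TO-OUTSIDE extended permit ip 192.168.51.0 255.255.255.0 any

! --- Swap the catch-all dynamic rule for the policy NAT rule; keep the outside PAT pool
no nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 access-list NAT-TO-OUTSIDE
global (outside) 1 interface

! --- Existing VPN exemption stays untouched
nat (inside) 0 access-list nonatvpn

! --- Leave nat-control disabled so untranslated inside <-> dmz flows are allowed
no nat-control

! --- Checks (ASA CLI): confirm dmz-initiated traffic reaches inside untranslated.
! --- packet-tracer simulates a ping from a constructed dmz host to a constructed inside host;
! --- expect "Action: allow" with no xlate created. show xlate should list no 192.168.51.x entry
! --- for dmz traffic once the change is in place.
packet-tracer input dmz icmp 192.168.50.10 8 0 192.168.51.20
show xlate
show nat
```

Because the dmz interface is security-level 100 like inside, the existing "same-security-traffic permit inter-interface" plus the permit-any dmz_access_in ACL are what allow the return direction once translation is out of the way; tightening dmz_access_in to the server-to-printer ports is the follow-up a defender would want.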