01-26-2017 05:19 AM - edited 03-08-2019 09:04 AM
I'm a newbie to the Cisco world so bear with me. We have an ASA 5510; I'm doing all configuration through the ASDM, not the CLI. So please excuse my ignorance.
Eth0/0 - WAN
Eth0/1 - LAN (10.0.0.0/24) (99 Security Level)
Eth0/3 - GuestWifi (10.0.40.0/24) (99 Security Level)
The goal is to have Eth0/3 use the internal DNS server on the Eth0/1 interface to resolve DNS queries. I've attempted to configure NAT Exempt:
Interface - GuestWifi
Source - Any
Destination - LAN
NAT Exempt Direction - Nat Exempt inbound traffic from interface TTCGuest to higher security interfaces.
Also - configured Access Rules to allow DNS traffic 53 UDP.
Nothing is working; what am I doing wrong?
Thanks in advance!
D
01-26-2017 05:56 AM
Hi,
Have you enabled the same-security-traffic permit inter-interface? On the ASDM this can be found under Configuration -> Device Setup -> Interfaces at the bottom of the main pane. Basically this allows communication between interfaces with same security level.
Cheers,
01-26-2017 06:02 AM
Thanks for the reply-
Both - "Enable traffic between two or more interfaces which are configured with same security levels" and "Enable traffic between two or more hosts connected to the same interface" are checked.
For the guest wireless we are using Google DNS, which shouldn't matter, but just a little more information.
01-26-2017 06:11 AM
Hi,
Do you have connectivity from one interface to the other? Can you ping from GuestWifi the DNS server in LAN (if ping is allowed in your ACLs)?
Cheers,
01-26-2017 06:30 AM
I setup in ACL manager the following:
Action: Permit
Src- GuestWifi/24
Dest - LAN/24
Service - ICMP
(hopefully that's an accurate configuration)
Then pinged from the GuestWifi with no luck.
01-26-2017 06:47 AM
Hi,
The access-list GuestWifi_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0 is not used by the firewall.
By default inspection of ICMP packets is not on. So the return traffic is probably blocked on the LAN interface (implicit deny). There are two ways to allow icmp:
1. inspect icmp and allow icmp on the inbound GuestWiFi interface.
2. Apply an ACL on the GuestWifi interface (inbound) and one on the LAN inbound for the return traffic.
See if this works for you (testing basic connectivity).
Cheers,
01-26-2017 07:08 AM
Actually I can see that ICMP traffic is inspected:
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
01-26-2017 07:25 AM
Under further investigation:
The NAT commands are missing the matching global group.
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 10.0.0.0 255.255.255.0
nat (LAN) 1 10.0.20.0 255.255.255.0
nat (LAN) 1 10.0.70.0 255.255.255.0
The management NAT rule has no matching ACL:
nat (management) 0 access-list management_nat0_outbound
The two GuestWifi NAT rules:
nat (GuestWifi) 0 access-list GuestWifi_nat0_outbound outside
The above line translates into the one below:
nat (GuestWifi,any) 1 source static any any destination static OBJ-10.0.0.0-24 OBJ-10.0.0.0-24 no-proxy-arp description NONAT
nat (GuestWifi) 1 10.0.40.0 255.255.255.0
nat (GuestWifi) 1 10.0.40.0 255.255.255.0
There is no matching global group.
I think we should focus more on your nat rules.
Cheers,
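The post above makes three checks by eye on the pre-8.3 style NAT statements: a `nat (ifc) 0 access-list NAME` must point at an ACL that exists, every `nat (ifc) N` pool id above 0 needs a `global (...) N` to pair with, and no nat line should appear twice. As an added example (not code from this thread or from Cisco), the following Python script applies those checks to a pasted running-config. The first sample reuses the nat lines quoted in the thread plus a constructed `access-list LAN_nat0_outbound` entry (the thread never shows that ACL); the second is a constructed, corrected GuestWifi fragment in which the DNS server address 10.0.0.53 and the ACL name GuestWifi_access_in are assumptions.

```python
"""Audit pre-8.3 style ASA nat/global/access-list lines for the mismatches
discussed in the thread. Added example, not Cisco's or the poster's code."""
import re
from collections import OrderedDict
from typing import List

NAT_RE = re.compile(r"^nat \((?P<ifc>[\w-]+)\) (?P<id>\d+) (?P<rest>.+)$")
GLOBAL_RE = re.compile(r"^global \((?P<ifc>[\w-]+)\) (?P<id>\d+)\b")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) ")

# Sample 1: nat lines as quoted in the thread; the LAN_nat0_outbound ACL
# entry is constructed so that only the problems named in the post show up.
THREAD_NAT_LINES = """
access-list LAN_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list GuestWifi_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 10.0.0.0 255.255.255.0
nat (LAN) 1 10.0.20.0 255.255.255.0
nat (LAN) 1 10.0.70.0 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
nat (GuestWifi) 0 access-list GuestWifi_nat0_outbound outside
nat (GuestWifi) 1 10.0.40.0 255.255.255.0
nat (GuestWifi) 1 10.0.40.0 255.255.255.0
"""

# Sample 2: constructed corrected fragment for GuestWifi -> LAN DNS.
# 10.0.0.53 (DNS server) and GuestWifi_access_in are assumed names/values.
CORRECTED_GUESTWIFI = """
same-security-traffic permit inter-interface
access-list GuestWifi_nat0_outbound extended permit ip 10.0.40.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (GuestWifi) 0 access-list GuestWifi_nat0_outbound
nat (GuestWifi) 1 10.0.40.0 255.255.255.0
global (WAN) 1 interface
access-list GuestWifi_access_in extended permit udp 10.0.40.0 255.255.255.0 host 10.0.0.53 eq domain
access-group GuestWifi_access_in in interface GuestWifi
"""


def audit_nat(config: str) -> List[str]:
    """Return human-readable findings, or an empty list if the nat lines are consistent."""
    acls, global_ids = set(), set()
    nat_lines = []            # (ifc, id, rest) in file order
    counts = OrderedDict()    # exact nat line -> number of occurrences
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.add(m["name"])
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_ids.add(int(m["id"]))
            continue
        m = NAT_RE.match(line)
        if m:
            nat_lines.append((m["ifc"], int(m["id"]), m["rest"]))
            counts[line] = counts.get(line, 0) + 1

    findings = []
    # 1. nat 0 (identity / exempt) lines must reference an ACL that is defined
    for ifc, nid, rest in nat_lines:
        am = re.match(r"access-list (\S+)", rest)
        if nid == 0 and am and am.group(1) not in acls:
            findings.append(f"nat ({ifc}) 0 references ACL {am.group(1)}, which is not defined")
    # 2. every dynamic pool id needs a global statement with the same id
    users = OrderedDict()
    for ifc, nid, _ in nat_lines:
        if nid > 0:
            users.setdefault(nid, [])
            if ifc not in users[nid]:
                users[nid].append(ifc)
    for nid, ifcs in users.items():
        if nid not in global_ids:
            findings.append(f"nat id {nid} is used on {', '.join(ifcs)} but has no matching 'global (...) {nid}' pool")
    # 3. the same nat line entered twice
    for line, n in counts.items():
        if n > 1:
            findings.append(f"duplicate nat line ({n}x): {line}")
    return findings


def permits_same_security(config: str) -> bool:
    """True if traffic between equal-security interfaces is explicitly permitted."""
    return any(l.strip() == "same-security-traffic permit inter-interface" for l in config.splitlines())


if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_NAT_LINES), ("corrected", CORRECTED_GUESTWIFI)):
        print(f"[{name}] same-security permit: {permits_same_security(cfg)}")
        for f in audit_nat(cfg) or ["no nat findings"]:
            print(f"[{name}] {f}")
```

The script only understands the `nat (ifc) id ...` / `global (ifc) id ...` syntax that the thread quotes; it does not evaluate 8.3-style object NAT such as the `nat (GuestWifi,any) 1 source static ...` line, where the pairing rules are different.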
01-26-2017 06:00 AM
Hi
Within ASDM, under the File menu you have the show running-config option. You can paste the config right here, with all confidential data removed.
It's not mandatory to use exempt NAT if there is no NAT between these 2 interfaces.
To troubleshoot you can use in the CLI the command packet-tracer and paste the output:
Packet-tracer input inside udp (hos-guest-ip) 53 (server-dns-inside) 53
It will show you if something is dropped or not.
It also could be the same-security interface feature.
With the config I'll be able to help you out on this issue.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
01-26-2017 06:05 AM
There may be several issues impacting this. So we need to work step by step to find and resolve the issues. The first issue is certainly that both Eth0/1 interface and Eth0/3 interface are security level 99. By default ASA will not send traffic to another interface at the same security level. So the config does need the command to permit same security level traffic. If it still does not work after fixing that then we look for other issues.
HTH
Rick
01-26-2017 06:22 AM
Richard -
Even if I have "Enable traffic between two or more interfaces which are configured with the same security levels" checked the traffic between two of the same security level interfaces won't communicate?
01-26-2017 06:32 AM
I am not clear what you are saying here. So let me address it in this way and if it does not address your question then please clarify your question.
By default ASA will not send traffic from one interface to another interface of the ASA which has the same security level. If you check the box to permit this then traffic from Eth0/1 may be sent to Eth0/3, depending on other policies in the ASA. But this does not guarantee that the traffic will be forwarded. There are other policies that might impact the traffic. So if the inter interface traffic is allowed then we need to look for other things that might prevent it. Logical things to check next include whether access lists are applied to interfaces and whether NAT is configured between these interfaces.
HTH
Rick
01-26-2017 06:37 AM
Sorry if I was not clear. Yes- I allowed inter interface traffic between these interfaces.
I'm ready to troubleshoot this issue- what next steps can you provide?
01-26-2017 10:31 AM
Hi
Sorry I wasn't able to answer as I was on site at one of my customers.
There were a lot of exchanges. Could you please tell me where we stand? Did you modify your config based on the inputs?
Do you still have your issue? Can you do again a packet-tracer and post the new config?
Thanks
01-26-2017 06:32 AM
I've attached the running-config - also packet tracer gave me an error with NAT -
Info: (acl-drop) Flow is denied by configured rule.
When I select the "Show rule in NAT rules table." where it failed:
Dynamic NAT Interface LAN Src: LAN Translated PoolID 1 WAN interface WAN Address Pool.
Any ideas?
I won't forget to rate the correct answer.... :)