12-07-2013 06:34 PM - edited 03-07-2019 04:58 PM
Hello,
I have been beating my head against the wall trying to get this to work, and for the life of me, I cannot. Any help would be GREATLY appreciated!
I am using all four interfaces on the ASA 5510, and am trying to pass traffic between these two interfaces: "inside_sys" and "outside_sys". As it is right now, those two interfaces are incapable of talking to one another, yet, I am able to get 'outside' and on to the Internet with all interfaces.
I'm trying to maintain my current setup, in that I want to have my VPN tunnels continue to work, as well as have all three interfaces be able to communicate with my 'outside' (gateway) network.
Could someone please please please take a look at my config (below) and let me know what's missing in order for 'outside_sys' and 'inside_sys' interfaces to be able to communicate with one another?
Thanks in advance for any and all assistance!!
ASA Version 8.4(3)
!
hostname colbert_nation
domain-name omgwow.com
enable password ..... encrypted
passwd ..... encrypted
names
!
interface Ethernet0/0
description inside-facing systems
nameif inside_sys
security-level 2
ip address 192.168.111.1 255.255.255.0
!
interface Ethernet0/1
description inside hosts
nameif inside
security-level 100
ip address 192.168.91.1 255.255.255.0
!
interface Ethernet0/2
description frontier default gateway
nameif outside
security-level 0
ip address 51.88.191.2 255.255.255.0
!
interface Ethernet0/3
description outside-facing systems
nameif outside_sys
security-level 1
ip address 192.168.112.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
banner motd
banner motd Only authorized users are permitted to access this system.
banner motd By accessing and/or using this system you are consenting to system
banner motd monitoring for law enforecement and/or other purposes.
banner motd
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name cerephax.com
object network obj-192.168.111.0
subnet 192.168.111.0 255.255.255.0
object network obj-192.168.81.0
subnet 192.168.81.0 255.255.255.240
object network obj-192.168.111.9
host 192.168.111.9
object network obj-192.168.91.0
subnet 192.168.91.0 255.255.255.0
object network obj-192.168.91.100
host 192.168.91.100
object network obj-192.168.112.14
host 192.168.112.14
object network obj-192.168.112.12
host 192.168.112.12
object network obj-192.168.112.13
host 192.168.112.13
object network obj-192.168.111.25
host 192.168.111.25
object network obj-192.168.112.0
subnet 192.168.112.0 255.255.255.0
access-list vpntunnel_splitTunnelAcl standard permit 192.168.112.0 255.255.255.0
access-list vpntunnel_splitTunnelAcl standard permit 192.168.111.0 255.255.255.0
access-list vpntunnel_splitTunnelAcl standard permit 192.168.91.0 255.255.255.0
access-list ACL_IN extended permit udp any host 192.168.112.12 eq domain
access-list ACL_IN extended permit udp any host 192.168.112.13 eq domain
access-list ACL_IN extended permit tcp any host 192.168.112.14 eq https
access-list ACL_IN extended permit tcp any host 192.168.112.14 eq www
access-list ACL_IN extended permit tcp any host 192.168.112.14 eq smtp
access-list ACL_IN extended permit tcp any host 192.168.112.14 eq 993
access-list ACL_IN extended permit tcp any host 192.168.91.100 eq 46979
access-list ACL_IN extended permit tcp any host 192.168.91.100 range 6881 6900
access-list ACL_IN extended permit tcp any host 192.168.91.100 eq 6667
access-list ACL_IN extended permit tcp any host 192.168.91.100 range 5008 5028
access-list ACL_IN extended permit tcp any host 192.168.91.100 eq 59
pager lines 24
logging enable
logging asdm informational
mtu inside_sys 1500
mtu inside 1500
mtu outside 1500
mtu outside_sys 1500
ip local pool vpnpool 192.168.81.2-192.168.81.14 mask 255.255.255.240
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside_sys
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 3600
nat (inside,any) source static obj-192.168.91.0 obj-192.168.91.0 destination static obj-192.168.111.0 obj-192.168.111.0 no-proxy-arp
nat (inside,any) source static obj-192.168.91.0 obj-192.168.91.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp
nat (inside_sys,outside) source static obj-192.168.111.0 obj-192.168.111.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp route-lookup
!
object network obj-192.168.111.9
nat (inside_sys,outside) dynamic interface
object network obj-192.168.91.0
nat (inside,outside) dynamic interface
object network obj-192.168.91.100
nat (inside,outside) static 51.88.191.6
object network obj-192.168.112.14
nat (outside_sys,outside) static 51.88.191.5
object network obj-192.168.112.12
nat (outside_sys,outside) static 51.88.191.3
object network obj-192.168.112.13
nat (outside_sys,outside) static 51.88.191.4
object network obj-192.168.111.25
nat (inside_sys,outside) dynamic interface
access-group ACL_IN in interface outside
route outside 0.0.0.0 0.0.0.0 51.88.191.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.91.0 255.255.255.0 inside
http 192.168.81.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 3600
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 1000000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
telnet timeout 5
ssh 192.168.91.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 192.168.112.12 192.168.112.13
dhcpd domain cerephax.com
!
dhcpd address 192.168.91.20-192.168.91.40 inside
dhcpd lease 604800 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.112.14 source outside_sys prefer
webvpn
group-policy vpntunnel internal
group-policy vpntunnel attributes
dns-server value 192.168.112.12 192.168.112.13
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpntunnel_splitTunnelAcl
default-domain value cerephax.com
username paul_walker password ..... encrypted privilege 0
username paul_walker attributes
vpn-group-policy vpntunnel
username miley_cyrus password ..... encrypted privilege 15
tunnel-group vpntunnel type remote-access
tunnel-group vpntunnel general-attributes
address-pool vpnpool
default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
ikev1 pre-shared-key .....
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
12-08-2013 08:32 AM
inside_sys at security level 2 should by default be able to initiate traffic to outside_sys at security level 1. There are no access-groups or NAT rules applied that would change that. I assume you have only hosts on the same subnets as the respective interfaces for those two networks so routing is not an issue.
When you initiate traffic from a host on inside_sys destined for a host on outside_sys, does your ASA log show any packets being denied?
Try packet tracer to see why the ASA might drop packets. e.g.:
packet-tracer input inside_sys tcp 192.168.111.2 1025 192.168.112.2 http
(Substitute real hosts in each subnet for the .2 addresses I used, and the protocol you are actually using if it is not the http in my example.)
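As an added illustration (not part of this thread, and not a Cisco tool), the following Python script applies the reasoning in the reply above to the posted configuration: it parses each interface's security level, any access-group applied inbound on an interface, and the interface pair named by every NAT rule, then states what the ASA's default inter-interface rule gives for a source/destination pair and which NAT rules, if any, cover that pair. The embedded configuration is an abridged copy of the one in the original post; the function names and verdict strings are my own.

```python
"""Static check of an ASA 8.3+ configuration: which interface pairs may
initiate traffic by default, and which NAT rules name a given pair.
Added example, not the ASA's own logic; it models the documented rule that
higher-security -> lower-security traffic is permitted unless an ACL is
applied inbound on the source interface."""
import re
from typing import Dict, List, Tuple

# Abridged copy of the configuration posted above (interfaces, NAT and
# access-group lines only); nothing else is needed for this check.
CONFIG = """\
interface Ethernet0/0
 nameif inside_sys
 security-level 2
 ip address 192.168.111.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.91.1 255.255.255.0
!
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 51.88.191.2 255.255.255.0
!
interface Ethernet0/3
 nameif outside_sys
 security-level 1
 ip address 192.168.112.1 255.255.255.0
!
nat (inside,any) source static obj-192.168.91.0 obj-192.168.91.0 destination static obj-192.168.111.0 obj-192.168.111.0 no-proxy-arp
nat (inside,any) source static obj-192.168.91.0 obj-192.168.91.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp
nat (inside_sys,outside) source static obj-192.168.111.0 obj-192.168.111.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp route-lookup
object network obj-192.168.111.9
 nat (inside_sys,outside) dynamic interface
object network obj-192.168.91.0
 nat (inside,outside) dynamic interface
object network obj-192.168.112.14
 nat (outside_sys,outside) static 51.88.191.5
access-group ACL_IN in interface outside
"""

NAT_RE = re.compile(r"^\s*nat\s+\(([\w-]+),([\w-]+)\)\s+(.*)$")
ACCESS_GROUP_RE = re.compile(r"^\s*access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")


def parse_interfaces(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level; interfaces with 'no nameif' are skipped."""
    levels: Dict[str, int] = {}
    name = None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            name = None                      # new interface block
        elif stripped.startswith("nameif "):
            name = stripped.split()[1]
        elif stripped.startswith("security-level ") and name:
            levels[name] = int(stripped.split()[1])
    return levels


def parse_access_groups(config: str) -> Dict[Tuple[str, str], str]:
    """Map (interface, direction) -> ACL name for every applied access-group."""
    groups: Dict[Tuple[str, str], str] = {}
    for line in config.splitlines():
        m = ACCESS_GROUP_RE.match(line)
        if m:
            acl, direction, iface = m.groups()
            groups[(iface, direction)] = acl
    return groups


def nat_rules_for_pair(config: str, src: str, dst: str) -> List[str]:
    """NAT rules (manual or object) whose (real,mapped) interface pair covers
    src -> dst; 'any' on either side of the pair acts as a wildcard."""
    hits: List[str] = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m and m.group(1) in (src, "any") and m.group(2) in (dst, "any"):
            hits.append(line.strip())
    return hits


def default_verdict(config: str, src: str, dst: str) -> str:
    """Whether hosts behind src may initiate connections to dst when no ACL
    is applied inbound on src. An inbound ACL replaces the default with the
    ACL's own permits (and implicit deny), so that case is reported separately."""
    levels = parse_interfaces(config)
    if src not in levels or dst not in levels:
        raise ValueError(f"unknown interface: {src} or {dst}")
    acl = parse_access_groups(config).get((src, "in"))
    if acl:
        return f"governed-by-acl:{acl}"
    if levels[src] > levels[dst]:
        return "allowed-by-default"
    if levels[src] == levels[dst]:
        same_sec = "same-security-traffic permit inter-interface" in config
        return "allowed-by-default" if same_sec else "needs-same-security-permit"
    return "denied-by-default"


if __name__ == "__main__":
    for pair in [("inside_sys", "outside_sys"), ("outside_sys", "inside_sys"),
                 ("inside", "outside_sys")]:
        print(pair, default_verdict(CONFIG, *pair),
              len(nat_rules_for_pair(CONFIG, *pair)), "NAT rule(s) cover this pair")
```

For the posted config this reports inside_sys to outside_sys as allowed by default with no NAT rule covering the pair, which is the reply's point: nothing in the configuration explains a drop, so the next step is the packet-tracer command above (or the ASA log) rather than another rule. The script only reads the interface, NAT and access-group lines; it does not model routing, object contents or the ICMP-to-the-box permits, which is exactly what packet-tracer adds.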