Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
894
Views
0
Helpful
1
Replies

ASA 5510: traffic between two 'inside' interfaces, while maintaining outside interface traffic

herpasyphagonahiv
Level 1
Level 1

‎12-07-2013 06:34 PM - edited ‎03-07-2019 04:58 PM

Hello,

I have been beating my head against the wall trying to get this to work, and for the life of me, I cannot. Any help would be GREATLY appreciated..!

I am using all four interfaces on the ASA 5510, and am trying to pass traffic between these two interfaces: "inside_sys" and "outside_sys". As it is right now, those two interfaces are incapable of talking to one another, yet, I am able to get 'outside' and on to the Internet with all interfaces.

I'm trying to maintain my current setup, in that I want to have my VPN tunnels continue to work, as well as have all three interfaces be able to communicate with my 'outside' (gateway) network.

Could someone please please please take a look at my config (below) and let me know what's missing in order for 'outside_sys' and 'inside_sys' interfaces to be able to communicate with one another?

Thanks in advance for any and all assistance!!

ASA Version 8.4(3)

!

hostname colbert_nation

domain-name omgwow.com

enable password ..... encrypted

passwd ..... encrypted

names

!

interface Ethernet0/0

description inside-facing systems

nameif inside_sys

security-level 2

ip address 192.168.111.1 255.255.255.0

!

interface Ethernet0/1

description inside hosts

nameif inside

security-level 100

ip address 192.168.91.1 255.255.255.0

!

interface Ethernet0/2

description frontier default gateway

nameif outside

security-level 0

ip address 51.88.191.2 255.255.255.0

!

interface Ethernet0/3

description outside-facing systems

nameif outside_sys

security-level 1

ip address 192.168.112.1 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

banner motd

banner motd Only authorized users are permitted to access this system.

banner motd By accessing and/or using this system you are consenting to system

banner motd monitoring for law enforecement and/or other purposes.

banner motd

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns server-group DefaultDNS

domain-name cerephax.com

object network obj-192.168.111.0

subnet 192.168.111.0 255.255.255.0

object network obj-192.168.81.0

subnet 192.168.81.0 255.255.255.240

object network obj-192.168.111.9

host 192.168.111.9

object network obj-192.168.91.0

subnet 192.168.91.0 255.255.255.0

object network obj-192.168.91.100

host 192.168.91.100

object network obj-192.168.112.14

host 192.168.112.14

object network obj-192.168.112.12

host 192.168.112.12

object network obj-192.168.112.13

host 192.168.112.13

object network obj-192.168.111.25

host 192.168.111.25

object network obj-192.168.112.0

subnet 192.168.112.0 255.255.255.0

access-list vpntunnel_splitTunnelAcl standard permit 192.168.112.0 255.255.255.0

access-list vpntunnel_splitTunnelAcl standard permit 192.168.111.0 255.255.255.0

access-list vpntunnel_splitTunnelAcl standard permit 192.168.91.0 255.255.255.0

access-list ACL_IN extended permit udp any host 192.168.112.12 eq domain

access-list ACL_IN extended permit udp any host 192.168.112.13 eq domain

access-list ACL_IN extended permit tcp any host 192.168.112.14 eq https

access-list ACL_IN extended permit tcp any host 192.168.112.14 eq www

access-list ACL_IN extended permit tcp any host 192.168.112.14 eq smtp

access-list ACL_IN extended permit tcp any host 192.168.112.14 eq 993

access-list ACL_IN extended permit tcp any host 192.168.91.100 eq 46979

access-list ACL_IN extended permit tcp any host 192.168.91.100 range 6881 6900

access-list ACL_IN extended permit tcp any host 192.168.91.100 eq 6667

access-list ACL_IN extended permit tcp any host 192.168.91.100 range 5008 5028

access-list ACL_IN extended permit tcp any host 192.168.91.100 eq 59

pager lines 24

logging enable

logging asdm informational

mtu inside_sys 1500

mtu inside 1500

mtu outside 1500

mtu outside_sys 1500

ip local pool vpnpool 192.168.81.2-192.168.81.14 mask 255.255.255.240

no failover  

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside_sys

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 3600

nat (inside,any) source static obj-192.168.91.0 obj-192.168.91.0 destination static obj-192.168.111.0 obj-192.168.111.0 no-proxy-arp

nat (inside,any) source static obj-192.168.91.0 obj-192.168.91.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp

nat (inside_sys,outside) source static obj-192.168.111.0 obj-192.168.111.0 destination static obj-192.168.81.0 obj-192.168.81.0 no-proxy-arp route-lookup

!

object network obj-192.168.111.9

nat (inside_sys,outside) dynamic interface

object network obj-192.168.91.0

nat (inside,outside) dynamic interface

object network obj-192.168.91.100

nat (inside,outside) static 51.88.191.6

object network obj-192.168.112.14

nat (outside_sys,outside) static 51.88.191.5

object network obj-192.168.112.12

nat (outside_sys,outside) static 51.88.191.3

object network obj-192.168.112.13

nat (outside_sys,outside) static 51.88.191.4

object network obj-192.168.111.25

nat (inside_sys,outside) dynamic interface

access-group ACL_IN in interface outside

route outside 0.0.0.0 0.0.0.0 51.88.191.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.91.0 255.255.255.0 inside

http 192.168.81.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no snmp-server enable

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 3600

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 1000000

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 3600

telnet timeout 5

ssh 192.168.91.0 255.255.255.0 inside

ssh timeout 60

console timeout 0

management-access inside

dhcpd dns 192.168.112.12 192.168.112.13

dhcpd domain cerephax.com

!

dhcpd address 192.168.91.20-192.168.91.40 inside

dhcpd lease 604800 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 192.168.112.14 source outside_sys prefer

webvpn

group-policy vpntunnel internal

group-policy vpntunnel attributes

dns-server value 192.168.112.12 192.168.112.13

vpn-idle-timeout none

vpn-session-timeout none

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpntunnel_splitTunnelAcl

default-domain value cerephax.com

username paul_walker password ..... encrypted privilege 0

username paul_walker attributes

vpn-group-policy vpntunnel

username miley_cyrus password ..... encrypted privilege 15

tunnel-group vpntunnel type remote-access

tunnel-group vpntunnel general-attributes

address-pool vpnpool

default-group-policy vpntunnel

tunnel-group vpntunnel ipsec-attributes

ikev1 pre-shared-key .....

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect ip-options

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Labels:
0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-08-2013 08:32 AM

inside_sys at security level 2 should by default be able to initiate traffic to outside_sys at security level 1. There are no access-groups or NAT rules applied that would change that. I assume you have only hosts on the same subnets as the repective interfaces for those two networks so routing is not an issue.

When you initiatie traffic from a host on inside_sys destined for a host on outside_sys, does your ASA log show any packets being denied?

Try packet tracer to see why the ASA might drop packets. e.g.:

packet-tracer input inside_sys tcp 192.168.111.2 1025 192.168.112.2 http

(Substitute real hosts in each subnet vs. the .2 in each I used and a protocol you are using if not the http I used for example.)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card