Implicit Rule: Flow is denied by configured rule

ASA Version 9.1(7)

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 182.71.13.74 255.255.255.248
!
interface Ethernet0/1
 nameif CDE
 security-level 100
 ip address 10.153.164.1 255.255.255.0
!
interface Ethernet0/2
 nameif thirdparty
 security-level 100
 ip address 172.26.7.1 255.255.255.0
!
interface Ethernet0/3
 nameif DMZ
 security-level 0
 ip address 172.26.6.1 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0

With the above interfaces I am not able to access CDE from thirdparty.

Trace result as below:

"

ciscoasa# packet-tracer input thirdparty tcp 172.26.6.100

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.153.164.0 255.255.255.0 CDE

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group thirdparty_acl in interface thirdparty
access-list thirdparty_acl extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: thirdparty
input-status: up
input-line-status: up
output-interface: CDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

"

10 Replies

sachintambat
Level 1

Because both interfaces are on the same security level.

Add the below command:

same-security-traffic permit inter-interface

to allow the access.

Sachin

Dear Sachin, it has been done but still it is not working.

Also please find the attached configuration.

CDE (10.153.164.0/24) to DMZ (172.26.6.0/24) packet trace is passing OK.
CDE to 3rd-party interface access is allowed.
3rd-party to CDE interface access is not allowed (need port 53 access).
DMZ to CDE port 443 is not allowed (due to implicit ACL).

Please help us to resolve.

Hi,

Why is this rule inactive?

access-list thirdparty_access_in extended permit tcp any4 any4 eq domain inactive

Can you remove "inactive" and check?

Use only

access-list thirdparty_access_in extended permit tcp any4 any4 eq domain

and check.

Does it work for you?

After adding the above command:

Dear Sachin,

No.

The above command is not helping.

ASA Version 9.1(7)

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 182.71.13.74 255.255.255.248
!
interface Ethernet0/1
 nameif CDE
 security-level 100
 ip address 10.153.164.1 255.255.255.0
!
interface Ethernet0/2
 nameif thirdparty
 security-level 100
 ip address 172.26.7.1 255.255.255.0
!
interface Ethernet0/3
 nameif DMZ
 security-level 0
 ip address 172.26.6.1 255.255.255.0

Now

From CDE to the DMZ network is working.

From CDE to the thirdparty network is working.

We need

From DMZ to CDE port 53

And from thirdparty to CDE port 53 and 443

For ->From DMZ to CDE port 53

Add below command

access-list DMZ extended permit tcp host x.x.x.x host x.x.x.x eq 53
access-list DMZ extended permit udp host x.x.x.x host x.x.x.x eq 53

For -> And from thirdparty to CDE port 53 and 443

remove->access-list thirdparty_access_in extended permit tcp any4 any4 eq domain inactive

using 

no access-list thirdparty_access_in extended permit tcp any4 any4 eq domain inactive

Add-> access-list thirdparty_access_in extended permit tcp any4 any4 eq domain

access-list thirdparty_access_in extended permit udp any4 any4 eq domain
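As an added example that is not from the thread and not Cisco code: a small Python model of the three ASA checks behind the two answers above, the same-security-level drop pointed out in the first reply, and the `inactive` ACE and the missing DMZ ACL in the later one. The interface names and levels, the `access-group thirdparty_acl in interface thirdparty` binding from the trace, and the `thirdparty_access_in` entry come from the thread; the host addresses and the assumption that `thirdparty_access_in` gets bound to the thirdparty interface are mine and are marked in the code.

```python
"""Toy model of the checks an ASA applies to the flows in this thread (not Cisco code).

Three rules are modelled:
  1. interfaces at the same security-level need the global
     `same-security-traffic permit inter-interface`, even when an ACL permits
  2. an ACL bound inbound with `access-group` is walked top-down, entries marked
     `inactive` are skipped, and an unmatched packet hits the implicit deny
  3. with no ACL bound, the security-level default applies (higher -> lower only)
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")  # the ASA keywords `any` / `any4`


def host(addr):
    return ip_network(addr + "/32")  # `host a.b.c.d` in ASA syntax


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (matches tcp and udp), "tcp" or "udp"
    src: object = ANY            # ip_network
    dst: object = ANY            # ip_network
    dport: Optional[int] = None  # None: no `eq <port>` clause
    inactive: bool = False       # the `inactive` keyword at the end of the ACE

    def matches(self, proto, src, dst, dport):
        if self.inactive:        # an inactive ACE is never consulted
            return False
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dport is None or self.dport == dport


@dataclass
class Asa:
    levels: dict                                      # nameif -> security-level
    same_security_inter: bool = False                 # the global command
    acls: dict = field(default_factory=dict)          # ACL name -> [Ace, ...]
    access_group: dict = field(default_factory=dict)  # nameif -> ACL bound "in"

    def trace(self, in_if, out_if, proto, src, dst, dport):
        """(action, reason) for one new flow, like the Result block of packet-tracer."""
        src, dst = ip_address(src), ip_address(dst)
        lin, lout = self.levels[in_if], self.levels[out_if]
        # Check 1: same-level interfaces drop everything without the global command
        if lin == lout and not self.same_security_inter:
            return ("drop", "Implicit Rule: same-security-traffic permit inter-interface missing")
        acl = self.access_group.get(in_if)
        if acl is not None:
            # Check 2: a bound ACL governs the interface; first match wins
            for ace in self.acls[acl]:
                if ace.matches(proto, src, dst, dport):
                    eq = f" eq {ace.dport}" if ace.dport is not None else ""
                    return (ace.action, f"{acl}: {ace.action} {ace.proto}{eq}")
            return ("drop", "Implicit Rule")  # end of ACL: implicit deny
        # Check 3: no ACL bound, so the security-level default decides
        return ("permit", "security-level default") if lin >= lout else ("drop", "Implicit Rule")


def thread_asa(same_security=False):
    """Interfaces from the thread; the only ACL binding the page shows is the
    `access-group thirdparty_acl in interface thirdparty` line in the trace."""
    asa = Asa({"outside": 0, "CDE": 100, "thirdparty": 100, "DMZ": 0}, same_security)
    asa.acls["thirdparty_acl"] = [Ace("permit", "ip")]
    asa.access_group["thirdparty"] = "thirdparty_acl"
    return asa


# Constructed hosts inside the thread's subnets; they do not appear on the page.
THIRDPARTY_HOST, DMZ_HOST, CDE_DNS = "172.26.7.50", "172.26.6.100", "10.153.164.10"


def same_security_case(enabled):
    """thirdparty -> CDE tcp/53. enabled=False is the first post's trace: Phase 2
    permits on `permit ip any any`, Phase 5 drops on the Implicit Rule."""
    return thread_asa(enabled).trace("thirdparty", "CDE", "tcp", THIRDPARTY_HOST, CDE_DNS, 53)


def inactive_ace_case(active):
    """Same flow with thirdparty_access_in bound instead (assumption: the attached
    config binds it). Its only entry carries `inactive` in the thread."""
    asa = thread_asa(same_security=True)
    asa.acls["thirdparty_access_in"] = [Ace("permit", "tcp", dport=53, inactive=not active)]
    asa.access_group["thirdparty"] = "thirdparty_access_in"
    return asa.trace("thirdparty", "CDE", "tcp", THIRDPARTY_HOST, CDE_DNS, 53)


def dmz_to_cde_case(with_acl):
    """DMZ (0) -> CDE (100) udp/53: dropped by the security-level default until an
    ACL shaped like the one in the last reply is bound inbound on DMZ."""
    asa = thread_asa(same_security=True)
    if with_acl:
        asa.acls["DMZ"] = [Ace("permit", "tcp", host(DMZ_HOST), host(CDE_DNS), 53),
                           Ace("permit", "udp", host(DMZ_HOST), host(CDE_DNS), 53)]
        asa.access_group["DMZ"] = "DMZ"
    return asa.trace("DMZ", "CDE", "udp", DMZ_HOST, CDE_DNS, 53)
```

The point the model makes for this thread: a `permit ip any any` on the thirdparty interface passes the ACL lookup but does nothing about the same-security drop, an ACE carrying `inactive` behaves as if it were absent, and an ACL that is defined but never bound with `access-group` (or bound on a different interface than the one the flow enters) is never consulted at all, so the name in the trace's `access-group` line is the one that matters.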
