LAN to LAN with ASA 5506 on the same physical network

acabezas11
Level 1

Hi,

I am a newbie at configuring ASAs and am trying to set up a Cisco ASA 5506 for the workflow in the attached image. If anyone could please recommend the best way to set up this ASA to deny all traffic from the LAN PCs to the Presstek PCs, with the exception of port 445 for SMB file transfer. The Presstek computers will have static IPs on the same LAN subnet, but they will be connected to the ASA ports and not the LAN switch. If you need further info or need me to clarify certain things, please let me know. Thanks

 

[Attached image: Presstek Op Flow3.jpg]

74 Replies

Ok, yup, I got it, just did that right now. I will test it now and see if these changes have helped.

Ok, that seems to have done the trick, as now I can telnet and ping from the DOHMH PC on the LAN to the Presstek computers behind the firewall. But now the only thing I have noticed is that from the Presstek computers I can telnet to the LAN PC on other ports as well. On the firewall, I want the ACL to only allow one-way traffic from the DOHMH production staff subnet to the Presstek PCs over port 445. This will allow the transfer of files that need to be printed from the DOHMH production staff PCs to the Presstek PCs. All other traffic should be blocked.

There should be no communication initiated from the Presstek PCs to the DOHMH network. How can we tweak the ACL we currently have in place?

Ok, now we have solved the basic connectivity issue. This full communication is happening because we configured all the interfaces with the same security level and added the command "same-security-traffic permit intra-interface". With these two changes, all traffic is permitted through the firewall interfaces.

If you change the security level of the outside interface from 100 to 0, you'll see that the traffic will be blocked and an ACL will be necessary.

Do that and let's see what else we need to adjust.

 

 

-If I helped you somehow, please, rate it as useful.-

 

Ok, I did that and now I am unable to ping or telnet from the DOHMH PC to the Presstek computer.

I am able to ping from the Presstek PC to the DOH PC and telnet as well, but not from the outside in... So it seems to be working the opposite way of how I would want it.

Any changes you think we can try to get the ACL correct? Thanks

Hi,

Any chance of replicating my test environment within your simulator? Or do you know what ACL needs to be applied so that traffic is allowed in on port 445 and nothing out? Thanks

Hi, sorry, I've been busy the last few days. I didn't manage to simulate your environment.

Traffic is usually permitted from a lower security level to a higher security level by default and blocked the other way around by default.

I messed up who is who in your environment by now, but try to change the ACL to the other interface, allowing only port 445.

Applying ACLs is not difficult; you can easily find very good guides on the internet.

 

 

 

-If I helped you somehow, please, rate it as useful.-

 

Ok, I applied an ACL to allow outside to inside over port 445 and it works now. But how do I deny traffic from the inside to out? Can you think of an ACL I could apply for this? Thanks

Ok, disregard, I got it working how I want it in the offline setup. I should be good with the ACLs I applied.

Thanks for all your help...
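As an added example (not from any post in this thread), here is a minimal ACL set for the one-way SMB requirement discussed above: only the DOHMH LAN may open TCP/445 to the Presstek hosts, and nothing the Presstek hosts initiate is allowed. It reuses the DOHMH-LAN and Presstek_PCs objects from the running-config posted later in the thread; the ACL names OUTSIDE_IN and PRESSTEK_IN and the LAN test host 10.156.23.10 are assumptions.

```cisco
! Added example, not from the thread. Objects reuse the names and addresses
! from the posted running-config; ACL names and the 10.156.23.10 test host
! are assumptions.
object network DOHMH-LAN
 subnet 10.156.23.0 255.255.255.128
object-group network Presstek_PCs
 network-object host 10.156.23.33
 network-object host 10.156.23.88
!
! Inbound on the LAN-facing "outside" member interface (security-level 0):
! permit only TCP/445 from the DOHMH LAN to the Presstek hosts. Everything
! else arriving from the LAN hits the deny, written out so it is logged.
access-list OUTSIDE_IN extended permit tcp object DOHMH-LAN object-group Presstek_PCs eq 445
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Inbound on the Presstek-facing member interfaces: deny everything the
! Presstek PCs initiate. Replies to LAN-initiated SMB sessions still return
! because the ASA tracks connection state and does not re-check the ACL
! for packets belonging to an established connection.
access-list PRESSTEK_IN extended deny ip any any log
access-group PRESSTEK_IN in interface inside_1
access-group PRESSTEK_IN in interface inside_2
!
! Checks: the first trace should end in ALLOW, the second in DROP.
packet-tracer input outside tcp 10.156.23.10 50000 10.156.23.33 445
packet-tracer input inside_1 tcp 10.156.23.33 50000 10.156.23.10 445
```

Note that by default the ASA permits new connections only from a higher security-level interface toward a lower one; with outside at 0 and the Presstek ports at 100, the LAN-to-Presstek flow needs the explicit permit above, while the Presstek-to-LAN direction is open unless the PRESSTEK_IN deny is applied.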

Hi, I currently have the ASA in place and everything is working as planned. The only issue is that I can't SSH or ASDM to the ASA from outside. Below is my configuration.

80Centre-FL-ASA-1# sh run
: Saved

:
: Serial Number: JAD21260FF5
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.7(1)4
!
hostname 80Centre-FL-ASA-1
domain-name health.dohmh.nycnet
enable password $sha512$5000$rt4F5uO7E2EVt5mybaoo5Q==$Wp0bH/qRrP+ilbMzhDSjRg== pbkdf2
names

!
interface GigabitEthernet1/1
 bridge-group 1
 nameif outside
 security-level 0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.156.23.126 255.255.255.128
!
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
 domain-name health.dohmh.nycnet
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network outside-network
 subnet 10.156.23.0 255.255.255.128
object network DOHMH-LAN
 subnet 10.156.23.0 255.255.255.128
 description DOHMH-LAN
object network 10.156.23.33
 host 10.156.23.33
 description Presstek PC1
object network 10.156.23.88
 host 10.156.23.88
 description Presstek PC3
object network ASA-IP
 host 10.156.23.126
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq 137
 service-object tcp destination eq 138
 service-object tcp destination eq 445
 service-object tcp destination eq ftp
 service-object tcp destination eq netbios-ssn
 service-object udp destination eq 139
 service-object udp destination eq netbios-dgm
 service-object udp destination eq netbios-ns
 service-object udp destination eq 445
object-group network Presstek_PCs
 description Presstek PCs
 network-object object 10.156.23.33
 network-object object 10.156.23.88
object-group service DM_INLINE_SERVICE_2
 service-object tcp destination eq 137
 service-object tcp destination eq 138
 service-object tcp destination eq 445
 service-object tcp destination eq ftp
 service-object tcp destination eq netbios-ssn
 service-object udp destination eq 139
 service-object udp destination eq 445
 service-object udp destination eq netbios-dgm
 service-object udp destination eq netbios-ns
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object DOHMH-LAN object-group Presstek_PCs inactive
access-list outside_access_in extended permit icmp any any inactive
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 object DOHMH-LAN object-group Presstek_PCs
access-list outside_access_in_1 extended permit icmp any any
access-list inside_4_access_in extended deny ip any any
access-list inside_3_access_in extended deny ip any any
access-list inside_2_access_in extended deny ip any any
access-list inside_1_access_in extended deny ip any any
access-list inside_5_access_in extended deny ip any any
access-list inside_6_access_in extended deny ip any any
access-list inside_7_access_in extended deny ip any any
access-list inside_access_in extended deny ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
access-group outside_access_in_1 in interface outside
access-group inside_1_access_in in interface inside_1
access-group inside_2_access_in in interface inside_2
access-group inside_3_access_in in interface inside_3
access-group inside_4_access_in in interface inside_4
access-group inside_5_access_in in interface inside_5
access-group inside_6_access_in in interface inside_6
access-group inside_7_access_in in interface inside_7
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 10.156.23.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside_1
http 0.0.0.0 0.0.0.0 inside_2
http 0.0.0.0 0.0.0.0 inside_3
http 0.0.0.0 0.0.0.0 inside_4
http 0.0.0.0 0.0.0.0 inside_5
http 0.0.0.0 0.0.0.0 inside_6
http 0.0.0.0 0.0.0.0 inside_7
snmp-server host outside 10.242.127.245 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.242.127.240 255.255.255.240 outside
ssh 10.151.16.128 255.255.255.128 outside
ssh 10.242.184.0 255.255.255.0 outside
ssh 10.227.255.128 255.255.255.128 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username dohtech password $sha512$5000$ECe+99LxkHkSEEZpgLKVew==$smlQ66EKUqudXucHxT4cjQ== pbkdf2 privilege 15
username dohadmin password $sha512$5000$neBKRsCYMFOBTNC5OnAowg==$4iUCVABzs6Fqyhrra2Ezjw== pbkdf2 privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a06959b1a96063193bacf2ca1ef3fe21
: end

Try this:

ssh 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 outside

-If I helped you somehow, please, rate it as useful.-

I already have those commands in place, but it still doesn't work. I think it has to do with the outside interface also being part of BVI group 1. Can you look at the config in my previous post? Thanks

You have, but you are specifying the origin. Are you sure you are trying from the proper origin? The suggestion I gave ignores the origin, allowing from everywhere.

-If I helped you somehow, please, rate it as useful.-

I got it to work; it was the RSA key that wasn't generated for SSH. Once I did that and added my RADIUS commands, I was able to SSH and log in with my AD credentials. Thanks for all your help.
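An added example (not from the thread) of the management-access pieces behind the last post, assembled from the posted config with the any-source entries removed: the RSA host key the poster found missing, SSH and ASDM limited to the 10.242.127.240/28 management subnet already listed in the config, and the SSH key exchange moved off dh-group1-sha1. The RADIUS/AD setup the poster mentions is not shown, so LOCAL authentication against the posted usernames is assumed here.

```cisco
! Added example, not from the thread. Hostname, domain and subnets come from
! the posted running-config; LOCAL authentication is an assumption in place
! of the poster's RADIUS setup.
hostname 80Centre-FL-ASA-1
domain-name health.dohmh.nycnet
! SSH cannot accept connections until a host key exists (hostname and
! domain-name must be set first). This was the missing piece in the thread.
crypto key generate rsa modulus 2048
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh stricthostkeycheck
ssh timeout 5
! Replace the 0.0.0.0/0 source entry with the management subnets from the
! posted config, so only those networks can reach the SSH and ASDM services.
no ssh 0.0.0.0 0.0.0.0 outside
ssh 10.242.127.240 255.255.255.240 outside
ssh 10.151.16.128 255.255.255.128 outside
ssh 10.242.184.0 255.255.255.0 outside
ssh 10.227.255.128 255.255.255.128 outside
http server enable
no http 0.0.0.0 0.0.0.0 outside
no http 0.0.0.0 0.0.0.0 inside_1
http 10.242.127.240 255.255.255.240 outside
! Require a login on both management paths; the posted config already
! defines the dohtech and dohadmin local accounts.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
! Verify the key exists and the source restrictions took effect.
show crypto key mypubkey rsa
show running-config ssh
show running-config http
```

The remaining `http 0.0.0.0 0.0.0.0 inside_N` lines from the posted config should be removed the same way, one `no http` per member interface.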
