Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2140
Views
0
Helpful
16
Replies

One LAN per interface - not communicating w/each other

Go to solution
somethinglesspersonal
Level 1
Level 1

‎12-19-2013 08:25 AM - edited ‎03-07-2019 05:10 PM

Hello,

I have a Cisco ASA 5510 and we're only using two of the ports on it -- one for LAN and one for WAN. If I assign a third port 192.168.200.1, how to I get computers I plug into that port to communicate with the other LAN port (192.168.100.1)? Just set them at the same security level? In ASDM, there is a checkbox at the bottom of the main "Interfaces" page that says "Enable traffic between two or more interfaces which are configured with same secu..." but it doesn't finish the sentence. I'm assuming it finishes with "security levels" but when I check that I can't ping an IP on one interface from the other one I just set up. (i.e. can't ping 192.168.100.123 from a computer on the 192.168.200.x interface). Am I missing something? Seems like a very self explanatory checkbox to me. Thanks!

ASA Version 8.2(2)

ASDM Version 6.2(1)

Firewall mode: Routed

License: Security Plus

Physical Interfaces: Unlimited

VLANS: 100

Speaking of VLANS. I don't see anywhere in ASDM that mentions VLANS. Because the version of ASDM I have, are those options just not available in it and they need to be configured by CLI only? I have seen other ASA's where I can assign VLANS to interfaces but don't have those options on mine.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cadet alain
VIP Alumni
VIP Alumni

‎01-10-2014 01:51 PM

Hi,

change your default gateway back to same subnet IP of the ASA and use static nat identity like I posted above

like this 

static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

test and if ping is still failing don't forget to disable windows firewall on the client

and if it still doesn't work try this

packet-tracer input inside icmp 192.168.100.30 8 0  192.168.200.30 detailed and post here




Regards




Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

0 Helpful
16 Replies 16

Go to solution
cadet alain
VIP Alumni
VIP Alumni

‎12-19-2013 09:05 AM

Hi,

post your running config.

yes if you want 2 interfaces with same security level to communicate you must check this box.

I rarely use ASDM to configure ASAs but in the CLI you can put interfaces in vlans without any problem and you should be able to do the same with ASDM.

You should be aware that windows hosts have a software firewall that may be blocking the ping, so you should first check this.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
somethinglesspersonal
Level 1
Level 1
In response to cadet alain

‎01-10-2014 10:36 AM

Thanks Cadet.

The computers on the new LAN (eth0/2) are successfully getting an IP address from a Windows 2008 DHCP server on the original LAN (eth0/1) via DHCP relay.

Main network: 192.168.100.x/24 -- eth0/1

New network:  192.168.200.x/24 -- eth0/2

IP settings of a DHCP computer on the new network:

IP: 192.168.200.123 (random IP)

Subnet: 255.255.255.0

Gateway: 192.168.100.1

DNS 1: 192.168.100.2

DNS 2: 192.168.100.3

*Originally I was assigning 192.168.240.1 (the IP assigned to eth0/2) as the gateway for this network but then I thought, because these computers couldn't get internet, that they needed to be configured with the gateway of the "main" network on eth0/1. I don't understand how I can get an IP successfully, but cannot ping the very DHCP server that gave me the IP. ICMP is enabled.

Also, I ran sh run on the ASA and there is a ton of sensetive info (obviously). Is it not possible to explain what I need to do without me posting the entire running config?? Is there a term I can look up that will explain exactly what I want to do?

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to somethinglesspersonal

‎01-10-2014 11:18 AM

Hi,

-do these 2 interfaces possess same security-level ?

-is same-security-traffic permit inter-interface configured ?

-Are there any inbound ACL applied on these 2 interfaces ?

Can you try to configure static identity nat for communicating between these subnets like this:

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

Also you must have  the default gateway on the same subnet so for 192.168.200.0/24 
it must be 192.168.200.x

You can post your config and modify sensitive infos

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
somethinglesspersonal
Level 1
Level 1
In response to cadet alain

‎01-10-2014 12:14 PM

Thanks for the quick response Cadet. Here is the config:

Result of the command: "sh run"

: Saved

:

ASA Version 8.2(2)

!

hostname c-pix-yay

domain-name domain.com

enable password encrypted

passwd encrypted

names

name 192.168.100.1 DHCP-Relay-Server description DHCP Relay Server for 200 subnet

!

interface Ethernet0/0

description from Fiber

speed 100

duplex full

nameif Fiber

security-level 0

ip address Fiber_IP 255.255.255.248

!

interface Ethernet0/1

description inside lan

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.100.252 255.255.255.0

!

interface Ethernet0/2

description inside wlan network

nameif inside-wlan

security-level 100

ip address 192.168.200.1 255.255.255.0

!

interface Ethernet0/3

description From comcrap

speed 100

shutdown

nameif comcrap

security-level 1

ip address 222.222.222.222 255.255.255.248

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 192.168.222.50 255.255.255.0

management-only

!

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup Fiber

dns domain-lookup inside

dns domain-lookup inside-wlan

dns domain-lookup comcrap

dns server-group DefaultDNS

name-server DHCP-Relay-Server

name-server 192.168.100.2

domain-name domain.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service RDP tcp-udp

port-object eq

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service Asterisk-http-tcp

port-object eq

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 VPN_Connection_Profile_0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 AWS-VPC 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 100.100.100.0 255.255.255.0

access-list remotevpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0

access-list remotevpn_splitTunnelAcl standard permit VPN_Connection_Profile_0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 VPN_Connection_Profile_0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 100.100.100.0 255.255.255.0 VPN_Connection_Profile_0 255.255.255.0

pager lines 10

logging enable

logging timestamp

logging trap warnings

logging asdm informational

logging from-address ASA5510@domain.com

logging recipient-address support@domain.com level critical

logging host inside 192.168.100.2

logging ftp-bufferwrap

mtu Fiber 1500

mtu inside 1500

mtu inside-wlan 1500

mtu comcrap 1500

mtu management 1500

ip local pool SSLVPN 100.100.100.1-100.100.100.250 mask 255.255.255.0

ip verify reverse-path interface Fiber

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (Fiber) 1 interface

global (comcrap) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface Fiber

route Fiber 0.0.0.0 0.0.0.0 111.111.111.111 1

route comcrap 0.0.0.0 0.0.0.0 222.222.222.222 10

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server AD protocol radius

aaa-server AD (inside) host server1

timeout 15

key

radius-common-pw

aaa-server AD (inside) host server2

key

radius-common-pw

aaa-server AD (inside) host server3

key

radius-common-pw

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http 192.168.1.0 255.255.255.0 management

http 192.168.2.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 inside

snmp-server host inside 192.168.100.2 community

snmp-server host inside 192.168.100.2 community udp-port 161

no snmp-server location

no snmp-server contact

snmp-server community

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 123.123.123.123

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface Fiber

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=c-pix-yay

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate

  quit

crypto isakmp enable Fiber

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 123.123.123.0 255.255.255.0 comcrap

ssh 192.168.222.0 255.255.255.0 management

ssh timeout 5

console timeout 0

management-access inside

dhcprelay server DHCP-Relay-Server inside

dhcprelay enable inside-wlan

dhcprelay timeout 60

threat-detection basic-threat

threat-detection scanning-threat shun duration 900

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 123.123.123.123 source Fiber

ntp server 123.123.123.123 source Fiber

ntp server 123.123.123.123 source Fiber prefer

webvpn

enable Fiber

svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy SSLVPN internal

group-policy SSLVPN attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc

group-policy DfltGrpPolicy attributes

group-policy remotevpn internal

group-policy remotevpn attributes

dns-server value 192.168.100.1 192.168.100.2

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value remotevpn_splitTunnelAcl

default-domain value domain.com

group-policy "IPSec Removal - Test Policy" internal

group-policy "IPSec Removal - Test Policy" attributes

vpn-tunnel-protocol svc webvpn

group-policy BHO-Policy internal

group-policy BHO-Policy attributes

vpn-tunnel-protocol webvpn

webvpn

  url-list value BHO-List

username user password encrypted

username user attributes

service-type remote-access

tunnel-group vpn1 type remote-access

tunnel-group vpn1 general-attributes

address-pool SVPN

authentication-server-group AD

default-group-policy vpn1

tunnel-group vpn1 ipsec-attributes

pre-shared-key

tunnel-group BHO type remote-access

tunnel-group BHO general-attributes

default-group-policy BHO-Policy

tunnel-group BHO webvpn-attributes

group-alias BHO enable

group-url https://123.123.123.123/BHO enable

tunnel-group 222.222.222.222 type ipsec-l2l

tunnel-group 222.222.222.222 ipsec-attributes

pre-shared-key

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect sip 

  inspect tftp

  inspect http

  inspect icmp

  inspect icmp error

  inspect ip-options

!

service-policy global_policy global

smtp-server 192.168.100.4

prompt hostname context

Cryptochecksum:

: end

0 Helpful

Go to solution
somethinglesspersonal
Level 1
Level 1
In response to cadet alain

‎06-15-2014 01:57 PM

Alain, I want to thank you. I finally got around to this and it worked. Both networks can communicate with each other, but the new one, 192.168.200.0 doesn't have internet access whereas 192.168.100.0 does. Do I have to add an additional line such as:

static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0

The default gateway on the 192.168.200.0 network is 192.168.200.1

The other thing I was thinking is to create a static route for the inside-wlan interface, in the same spot I see 0.0.0.0 for my internet connection. So basically: 

route inside-wlan 192.168.200.0 255.255.255.0 192.168.100.1 1

?

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni

‎01-10-2014 01:51 PM

Hi,

change your default gateway back to same subnet IP of the ASA and use static nat identity like I posted above

like this 

static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

test and if ping is still failing don't forget to disable windows firewall on the client

and if it still doesn't work try this

packet-tracer input inside icmp 192.168.100.30 8 0  192.168.200.30 detailed and post here




Regards




Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
somethinglesspersonal
Level 1
Level 1
In response to cadet alain

‎01-10-2014 07:52 PM

Thanks Alain, is this something I could issue remotely and not worry about getting disconnected or disrupting traffic? This is on a production ASA. Nothing is plugged into eth0/2 at the moment.

I changed the DHCP settings to give out 192.168.200.1 (eth0/2's IP address) as the gateway for 192.168.200.x clients.

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to somethinglesspersonal

‎01-11-2014 03:16 PM

Hi,

you can do the packet-tracer tests without any problem.

When you have connected something on eth0/2 then you can try to communicate between the 2 subnets and based on packet-tracer result and communication result we will investigate further( identity nat, windows firewall) if needed.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
somethinglesspersonal
Level 1
Level 1
In response to cadet alain

‎01-14-2014 10:22 PM

I will be on site tomorrow and hook something up to eth0/2. I have seen in other forums where I should add

static (server,storage) 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
static (storage,server) 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
(http://3cvguy.com/cisco-asa/)

*obviously where server = inside and storage = inside-wlan in my case*


...instead of:

static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0


Do I need to add both lines or will your one line suffice?

*All firewalls are off in this scenario and I have same-security-traffic permit inter-interface enabled.

Thanks!

0 Helpful

Go to solution
somethinglesspersonal
Level 1
Level 1
In response to somethinglesspersonal

‎01-18-2014 03:10 PM

Result of the command: "packet-tracer input inside icmp 192.168.100.30 8 0  192.168.200.11 detailed"

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd7cb32f0, priority=1, domain=permit, deny=false

hits=15724803396, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.200.0   255.255.255.0   inside-wlan

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd7cb4038, priority=2, domain=permit, deny=false

hits=1317, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd7cb5a28, priority=0, domain=inspect-ip-options, deny=true

hits=133685470, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd8ccbdc0, priority=70, domain=inspect-icmp, deny=false

hits=1887507, user_data=0xd8ccb710, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd8ccd7a0, priority=70, domain=inspect-icmp-error, deny=false

hits=1887507, user_data=0xd8ccd0f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside-wlan any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 1318, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd919bfd8, priority=1, domain=nat, deny=false

hits=1318, user_data=0xd919bf18, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside-wlan

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful

Go to solution
somethinglesspersonal
Level 1
Level 1
In response to somethinglesspersonal

‎01-27-2014 03:11 PM

Hi Alain,

Based on the packet-tracert command results, can you confirm I need to run the following command to enable communication between the two interfaces?:

static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

Thanks in advance!

0 Helpful

Go to solution
somethinglesspersonal
Level 1
Level 1
In response to somethinglesspersonal

‎02-14-2014 11:40 AM

[bump]

Can anyone confirm, based on my packet-tracer results, that:

static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

Is in fact what I need to add to my config to get two ASA interfaces to "talk" to each other w/out restriction? Also, if anything breaks, am I correct in that all I have to do is power cycle the ASA and my config stored in flash will load and the above entry will no longer be in my config? I'm doing this remote so that's why I need to know how to "undo" if I have to.

My DHCP pool only has 4 IP address left to hand out and I need to move all the wifi devices to this new interface.

THank you!

0 Helpful

Go to solution
ID10T_BSOD
Level 1
Level 1

‎02-19-2014 04:36 PM

I have the same problem. Only 10 IP addresses left on my nework and I have the same ASA as you, and two extra interfaces I'm not using. Did you ever try?:

static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
0 Helpful

Go to solution
somethinglesspersonal
Level 1
Level 1
In response to ID10T_BSOD

‎02-20-2014 08:56 AM

Hi Jeremy,

No, I have no tried it yet. Can't seem to get a  verification or second opinion and the only other commenter in this  thread is M.I.A.

I found a cool tool called Packet  Tracer that would help me enormously, but you need to be a Cisco academy  student to obtain it (legally anyway). Sad that it isn't free to the  community. Leaves people like me in the dust, and I don't like just  asking someone else how to do something, I like to try things myself but all I have is production environments

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card