12-19-2013 08:25 AM - edited 03-07-2019 05:10 PM
Hello,
I have a Cisco ASA 5510 and we're only using two of the ports on it -- one for LAN and one for WAN. If I assign a third port 192.168.200.1, how do I get computers I plug into that port to communicate with the other LAN port (192.168.100.1)? Just set them at the same security level? In ASDM, there is a checkbox at the bottom of the main "Interfaces" page that says "Enable traffic between two or more interfaces which are configured with same secu..." but it doesn't finish the sentence. I'm assuming it finishes with "security levels", but when I check that I can't ping an IP on one interface from the other one I just set up (i.e. can't ping 192.168.100.123 from a computer on the 192.168.200.x interface). Am I missing something? Seems like a very self-explanatory checkbox to me. Thanks!
ASA Version 8.2(2)
ASDM Version 6.2(1)
Firewall mode: Routed
License: Security Plus
Physical Interfaces: Unlimited
VLANS: 100
Speaking of VLANs. I don't see anywhere in ASDM that mentions VLANs. Because of the version of ASDM I have, are those options just not available in it, and do they need to be configured by CLI only? I have seen other ASAs where I can assign VLANs to interfaces but don't have those options on mine.
12-19-2013 09:05 AM
Hi,
post your running config.
yes if you want 2 interfaces with same security level to communicate you must check this box.
I rarely use ASDM to configure ASAs but in the CLI you can put interfaces in vlans without any problem and you should be able to do the same with ASDM.
You should be aware that windows hosts have a software firewall that may be blocking the ping, so you should first check this.
Regards
Alain
Don't forget to rate helpful posts.
01-10-2014 10:36 AM
Thanks Cadet.
The computers on the new LAN (eth0/2) are successfully getting an IP address from a Windows 2008 DHCP server on the original LAN (eth0/1) via DHCP relay.
Main network: 192.168.100.x/24 -- eth0/1
New network: 192.168.200.x/24 -- eth0/2
IP settings of a DHCP computer on the new network:
IP: 192.168.200.123 (random IP)
Subnet: 255.255.255.0
Gateway: 192.168.100.1
DNS 1: 192.168.100.2
DNS 2: 192.168.100.3
*Originally I was assigning 192.168.240.1 (the IP assigned to eth0/2) as the gateway for this network but then I thought, because these computers couldn't get internet, that they needed to be configured with the gateway of the "main" network on eth0/1. I don't understand how I can get an IP successfully, but cannot ping the very DHCP server that gave me the IP. ICMP is enabled.
Also, I ran sh run on the ASA and there is a ton of sensitive info (obviously). Is it not possible to explain what I need to do without me posting the entire running config? Is there a term I can look up that will explain exactly what I want to do?
01-10-2014 11:18 AM
Hi,
-do these 2 interfaces possess the same security-level?
-is same-security-traffic permit inter-interface configured?
-Are there any inbound ACLs applied on these 2 interfaces?
Can you try to configure static identity nat for communicating between these subnets like this:
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
Also you must have the default gateway on the same subnet, so for 192.168.200.0/24 it must be 192.168.200.x.
You can post your config and modify sensitive info.
Regards
Alain
Don't forget to rate helpful posts.
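Alain's checklist can be applied mechanically to a running config. The Python below is an added example written for this thread (it is not Alain's code or anything shipped by Cisco): it parses ASA 8.2-style config text for the security levels of two interfaces, the same-security-traffic setting, inbound access-groups, and whether a dynamic nat rule on the source interface has either a matching global on the destination interface or an identity static between the two, which is the condition the packet-tracer run later in this thread shows failing. The config excerpt is constructed from the one posted in this thread, trimmed to the relevant lines; the function and variable names are my own.

```python
import re

# Constructed ASA 8.2-style config excerpt, trimmed from the one posted in
# this thread; not a live device's configuration.
SAMPLE_CONFIG = """
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.252 255.255.255.0
!
interface Ethernet0/2
 nameif inside-wlan
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 100.100.100.0 255.255.255.0
global (Fiber) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface Fiber
"""

# The identity static NAT suggested in the thread.
FIX_LINE = "static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0"


def parse_security_levels(config):
    """Map each nameif to its security-level from the interface blocks."""
    levels, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name is not None:
            levels[name] = int(line.split()[1])
    return levels


def check_inter_interface(config, src, dst):
    """Apply the checklist to traffic entering on src and leaving on dst.

    Returns {"ok": bool, "blockers": [...], "notes": [...]}: blockers are
    settings that stop the flow outright, notes are things that still need
    a manual look (ACL contents, nat 0 exemption ACLs).
    """
    lines = [raw.strip() for raw in config.splitlines()]
    levels = parse_security_levels(config)
    blockers, notes = [], []

    # 1. and 2.: equal security levels need same-security-traffic inter-interface
    if levels.get(src) == levels.get(dst):
        if "same-security-traffic permit inter-interface" not in lines:
            blockers.append(f"{src} and {dst} are both security-level {levels.get(src)} "
                            "but 'same-security-traffic permit inter-interface' is missing")
    elif levels.get(src, -1) < levels.get(dst, -1):
        notes.append(f"{src} is lower security than {dst}: an inbound ACL on {src} must permit the flow")

    # 3. any inbound ACL on the ingress interface must permit the flow
    for line in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)$", line)
        if m and m.group(2) == src:
            notes.append(f"inbound ACL {m.group(1)} is applied on {src}: check it permits {dst} traffic")

    # 4. a dynamic nat rule on src needs a global with the same id on dst, or an
    #    identity static (src,dst); otherwise packet-tracer drops the flow in its
    #    NAT phase with 'No matching global'.
    dynamic_ids, exempt_acls, global_ids = set(), set(), set()
    for line in lines:
        m = re.match(rf"nat \({re.escape(src)}\) (\d+) (\S+)", line)
        if m and m.group(1) == "0" and m.group(2) == "access-list":
            exempt_acls.add(line.split()[-1])
        elif m and m.group(1) != "0":
            dynamic_ids.add(m.group(1))
        m = re.match(rf"global \({re.escape(dst)}\) (\d+) ", line)
        if m:
            global_ids.add(m.group(1))
    identity = any(
        re.match(rf"static \({re.escape(src)},{re.escape(dst)}\) (\S+) \1 netmask ", line)
        for line in lines
    )
    if dynamic_ids and not identity and not (dynamic_ids & global_ids):
        blockers.append(f"nat ({src}) id {sorted(dynamic_ids)} has no global on {dst} and no "
                        f"identity static ({src},{dst}): flow would drop with 'No matching global'")
    for acl in exempt_acls:
        notes.append(f"nat ({src}) 0 exemption ACL {acl} exists: if it permits the {dst} "
                     "subnet it bypasses the dynamic rule (ACL contents not evaluated here)")
    return {"ok": not blockers, "blockers": blockers, "notes": notes}


if __name__ == "__main__":
    print(check_inter_interface(SAMPLE_CONFIG, "inside", "inside-wlan"))
    print(check_inter_interface(SAMPLE_CONFIG + FIX_LINE + "\n", "inside", "inside-wlan"))
```

Run against the excerpt as posted, the only blocker reported is the dynamic `nat (inside) 1` rule with no `global (inside-wlan) 1`; appending the identity static clears it, leaving just the note about the nat 0 exemption ACL for a manual check.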
01-10-2014 12:14 PM
Thanks for the quick response Cadet. Here is the config:
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(2)
!
hostname c-pix-yay
domain-name domain.com
enable password encrypted
passwd encrypted
names
name 192.168.100.1 DHCP-Relay-Server description DHCP Relay Server for 200 subnet
!
interface Ethernet0/0
description from Fiber
speed 100
duplex full
nameif Fiber
security-level 0
ip address Fiber_IP 255.255.255.248
!
interface Ethernet0/1
description inside lan
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.100.252 255.255.255.0
!
interface Ethernet0/2
description inside wlan network
nameif inside-wlan
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/3
description From comcrap
speed 100
shutdown
nameif comcrap
security-level 1
ip address 222.222.222.222 255.255.255.248
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.222.50 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Fiber
dns domain-lookup inside
dns domain-lookup inside-wlan
dns domain-lookup comcrap
dns server-group DefaultDNS
name-server DHCP-Relay-Server
name-server 192.168.100.2
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp-udp
port-object eq
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service Asterisk-http-tcp
port-object eq
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 VPN_Connection_Profile_0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 AWS-VPC 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 100.100.100.0 255.255.255.0
access-list remotevpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list remotevpn_splitTunnelAcl standard permit VPN_Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 VPN_Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 100.100.100.0 255.255.255.0 VPN_Connection_Profile_0 255.255.255.0
pager lines 10
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging from-address ASA5510@domain.com
logging recipient-address support@domain.com level critical
logging host inside 192.168.100.2
logging ftp-bufferwrap
mtu Fiber 1500
mtu inside 1500
mtu inside-wlan 1500
mtu comcrap 1500
mtu management 1500
ip local pool SSLVPN 100.100.100.1-100.100.100.250 mask 255.255.255.0
ip verify reverse-path interface Fiber
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Fiber) 1 interface
global (comcrap) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface Fiber
route Fiber 0.0.0.0 0.0.0.0 111.111.111.111 1
route comcrap 0.0.0.0 0.0.0.0 222.222.222.222 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol radius
aaa-server AD (inside) host server1
timeout 15
key
radius-common-pw
aaa-server AD (inside) host server2
key
radius-common-pw
aaa-server AD (inside) host server3
key
radius-common-pw
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 192.168.100.2 community
snmp-server host inside 192.168.100.2 community udp-port 161
no snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 123.123.123.123
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface Fiber
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=c-pix-yay
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate
quit
crypto isakmp enable Fiber
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 123.123.123.0 255.255.255.0 comcrap
ssh 192.168.222.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access inside
dhcprelay server DHCP-Relay-Server inside
dhcprelay enable inside-wlan
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun duration 900
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 123.123.123.123 source Fiber
ntp server 123.123.123.123 source Fiber
ntp server 123.123.123.123 source Fiber prefer
webvpn
enable Fiber
svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
group-policy DfltGrpPolicy attributes
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 192.168.100.1 192.168.100.2
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remotevpn_splitTunnelAcl
default-domain value domain.com
group-policy "IPSec Removal - Test Policy" internal
group-policy "IPSec Removal - Test Policy" attributes
vpn-tunnel-protocol svc webvpn
group-policy BHO-Policy internal
group-policy BHO-Policy attributes
vpn-tunnel-protocol webvpn
webvpn
url-list value BHO-List
username user password encrypted
username user attributes
service-type remote-access
tunnel-group vpn1 type remote-access
tunnel-group vpn1 general-attributes
address-pool SVPN
authentication-server-group AD
default-group-policy vpn1
tunnel-group vpn1 ipsec-attributes
pre-shared-key
tunnel-group BHO type remote-access
tunnel-group BHO general-attributes
default-group-policy BHO-Policy
tunnel-group BHO webvpn-attributes
group-alias BHO enable
group-url https://123.123.123.123/BHO enable
tunnel-group 222.222.222.222 type ipsec-l2l
tunnel-group 222.222.222.222 ipsec-attributes
pre-shared-key
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect tftp
inspect http
inspect icmp
inspect icmp error
inspect ip-options
!
service-policy global_policy global
smtp-server 192.168.100.4
prompt hostname context
Cryptochecksum:
: end
06-15-2014 01:57 PM
Alain, I want to thank you. I finally got around to this and it worked. Both networks can communicate with each other, but the new one, 192.168.200.0, doesn't have internet access whereas 192.168.100.0 does. Do I have to add an additional line such as:
static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
The default gateway on the 192.168.200.0 network is 192.168.200.1
The other thing I was thinking is to create a static route for the inside-wlan interface, in the same spot I see 0.0.0.0 for my internet connection. So basically:
route inside-wlan 192.168.200.0 255.255.255.0 192.168.100.1 1
?
01-10-2014 01:51 PM
Hi,
change your default gateway back to the same-subnet IP of the ASA and use static identity NAT like I posted above,
like this:
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
Test, and if ping is still failing, don't forget to disable the Windows firewall on the client.
And if it still doesn't work, try this:
packet-tracer input inside icmp 192.168.100.30 8 0 192.168.200.30 detailed
and post the result here.
Regards
Alain
Don't forget to rate helpful posts.
01-10-2014 07:52 PM
Thanks Alain, is this something I could issue remotely and not worry about getting disconnected or disrupting traffic? This is on a production ASA. Nothing is plugged into eth0/2 at the moment.
I changed the DHCP settings to give out 192.168.200.1 (eth0/2's IP address) as the gateway for 192.168.200.x clients.
01-11-2014 03:16 PM
Hi,
you can do the packet-tracer tests without any problem.
When you have connected something on eth0/2 then you can try to communicate between the 2 subnets, and based on the packet-tracer result and communication result we will investigate further (identity NAT, Windows firewall) if needed.
Regards
Alain
Don't forget to rate helpful posts.
01-14-2014 10:22 PM
I will be on site tomorrow and hook something up to eth0/2. I have seen in other forums where I should add
*obviously where server = inside and storage = inside-wlan in my case*
...instead of:
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
Do I need to add both lines or will your one line suffice?
*All firewalls are off in this scenario and I have same-security-traffic permit inter-interface enabled.
Thanks!
01-18-2014 03:10 PM
Result of the command: "packet-tracer input inside icmp 192.168.100.30 8 0 192.168.200.11 detailed"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7cb32f0, priority=1, domain=permit, deny=false
hits=15724803396, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.200.0 255.255.255.0 inside-wlan
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7cb4038, priority=2, domain=permit, deny=false
hits=1317, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7cb5a28, priority=0, domain=inspect-ip-options, deny=true
hits=133685470, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8ccbdc0, priority=70, domain=inspect-icmp, deny=false
hits=1887507, user_data=0xd8ccb710, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8ccd7a0, priority=70, domain=inspect-icmp-error, deny=false
hits=1887507, user_data=0xd8ccd0f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside-wlan any
dynamic translation to pool 1 (No matching global)
translate_hits = 1318, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd919bfd8, priority=1, domain=nat, deny=false
hits=1318, user_data=0xd919bf18, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside-wlan
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
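The trace above is read from the bottom up: the final Drop-reason is generic, but the phase that returned DROP is phase 8, NAT, and its Config block shows the flow matching `nat (inside) 1 0.0.0.0 0.0.0.0` with "No matching global" on inside-wlan, which is exactly the gap the identity static NAT in Alain's reply fills. The Python below is an added example for this thread (not from Cisco or from any poster here): it splits packet-tracer output into phases, picks out the first DROP phase with its configured rule, and collects the trailing Result block, so the same diagnosis can be made from any saved trace. The sample trace is constructed from the posted run, with the middle ALLOW phases omitted; the function names are my own.

```python
# Constructed packet-tracer output, abridged from the run posted in this
# thread (phases 2 and 4-7, all ALLOW, are omitted to keep the sample short).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7cb32f0, priority=1, domain=permit, deny=false

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.200.0 255.255.255.0 inside-wlan

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside-wlan any
dynamic translation to pool 1 (No matching global)
translate_hits = 1318, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside-wlan
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final Result block.

    Each phase dict has number, type, subtype, result, config (list of lines
    under 'Config:') and info (lines under 'Additional Information:').
    The trailing 'Result:' block is returned as a key -> value dict.
    """
    phases, result = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase: "):
            current = {"number": int(line.split()[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":  # bare header of the trailing summary block
            current, section = None, "result"
        elif current is not None:
            if line.startswith("Type: "):
                current["type"] = line[len("Type: "):]
            elif line.startswith("Subtype:"):
                current["subtype"] = line[len("Subtype:"):].strip()
            elif line.startswith("Result: "):
                current["result"] = line[len("Result: "):]
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section in ("config", "info"):
                current[section].append(line)
        elif section == "result":
            key, _, value = line.partition(":")
            result[key.strip()] = value.strip()
    return {"phases": phases, "result": result}


def first_drop(trace):
    """Return the first phase whose Result is DROP, or None if the flow passed."""
    for phase in trace["phases"]:
        if phase["result"] == "DROP":
            return phase
    return None


def summarize(text):
    """One-line verdict naming the dropping phase and the rule it matched."""
    trace = parse_packet_tracer(text)
    drop = first_drop(trace)
    ifaces = f"{trace['result'].get('input-interface')} -> {trace['result'].get('output-interface')}"
    if drop is None:
        return f"allowed: {ifaces}"
    return (f"dropped at phase {drop['number']} ({drop['type']}) on {ifaces}: "
            f"{'; '.join(drop['config'])} | {trace['result'].get('Drop-reason', '')}")


if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

On the sample above the summary reports phase 8 (NAT) on inside -> inside-wlan with the `nat (inside) 1` rule and "No matching global", which points straight at the NAT fix rather than at an ACL, despite the generic acl-drop reason at the end.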
01-27-2014 03:11 PM
Hi Alain,
Based on the packet-tracer command results, can you confirm I need to run the following command to enable communication between the two interfaces?
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
Thanks in advance!
02-14-2014 11:40 AM
[bump]
Can anyone confirm, based on my packet-tracer results, that:
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
Is in fact what I need to add to my config to get two ASA interfaces to "talk" to each other w/out restriction? Also, if anything breaks, am I correct in that all I have to do is power cycle the ASA and my config stored in flash will load and the above entry will no longer be in my config? I'm doing this remote so that's why I need to know how to "undo" if I have to.
My DHCP pool only has 4 IP address left to hand out and I need to move all the wifi devices to this new interface.
Thank you!
02-19-2014 04:36 PM
I have the same problem. Only 10 IP addresses left on my network and I have the same ASA as you, and two extra interfaces I'm not using. Did you ever try:
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
02-20-2014 08:56 AM
Hi Jeremy,
No, I have not tried it yet. Can't seem to get a verification or second opinion, and the only other commenter in this thread is M.I.A.
I found a cool tool called Packet Tracer that would help me enormously, but you need to be a Cisco academy student to obtain it (legally anyway). Sad that it isn't free to the community. Leaves people like me in the dust; I don't like just asking someone else how to do something, I like to try things myself, but all I have is production environments.