One LAN per interface - not communicating w/each other

Hello,

I have a Cisco ASA 5510 and we're only using two of the ports on it -- one for LAN and one for WAN. If I assign a third port 192.168.200.1, how do I get computers I plug into that port to communicate with the other LAN port (192.168.100.1)? Just set them at the same security level? In ASDM, there is a checkbox at the bottom of the main "Interfaces" page that says "Enable traffic between two or more interfaces which are configured with same secu..." but it doesn't finish the sentence. I'm assuming it finishes with "security levels", but when I check that I can't ping an IP on one interface from the other one I just set up (i.e. can't ping 192.168.100.123 from a computer on the 192.168.200.x interface). Am I missing something? Seems like a very self-explanatory checkbox to me. Thanks!

ASA Version 8.2(2)

ASDM Version 6.2(1)

Firewall mode: Routed

License: Security Plus

Physical Interfaces: Unlimited

VLANS: 100

Speaking of VLANs, I don't see anywhere in ASDM that mentions VLANs. Because of the version of ASDM I have, are those options just not available in it and do they need to be configured by CLI only? I have seen other ASAs where I can assign VLANs to interfaces but don't have those options on mine.

Accepted Solution

cadet alain (Mentor)

Hi,

Change your default gateway back to the ASA's IP on the same subnet and use static identity NAT like I posted above,

like this:

static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

Test, and if ping is still failing don't forget to disable the Windows firewall on the client.

And if it still doesn't work, try this and post the output here:

packet-tracer input inside icmp 192.168.100.30 8 0 192.168.200.30 detailed

Regards

Alain

Don't forget to rate helpful posts.

16 Replies

cadet alain (Mentor)

Hi,

Post your running config.

Yes, if you want 2 interfaces with the same security level to communicate you must check this box.

I rarely use ASDM to configure ASAs, but in the CLI you can put interfaces in VLANs without any problem and you should be able to do the same with ASDM.

You should be aware that Windows hosts have a software firewall that may be blocking the ping, so you should first check this.

Regards

Alain

Don't forget to rate helpful posts.


Thanks Cadet.

The computers on the new LAN (eth0/2) are successfully getting an IP address from a Windows 2008 DHCP server on the original LAN (eth0/1) via DHCP relay.

Main network: 192.168.100.x/24 -- eth0/1

New network:  192.168.200.x/24 -- eth0/2

IP settings of a DHCP computer on the new network:

IP: 192.168.200.123 (random IP)

Subnet: 255.255.255.0

Gateway: 192.168.100.1

DNS 1: 192.168.100.2

DNS 2: 192.168.100.3

*Originally I was assigning 192.168.240.1 (the IP assigned to eth0/2) as the gateway for this network, but then I thought, because these computers couldn't get internet, that they needed to be configured with the gateway of the "main" network on eth0/1. I don't understand how I can get an IP successfully but cannot ping the very DHCP server that gave me the IP. ICMP is enabled.

Also, I ran sh run on the ASA and there is a ton of sensitive info (obviously). Is it not possible to explain what I need to do without me posting the entire running config? Is there a term I can look up that will explain exactly what I want to do?

Hi,

- Do these 2 interfaces possess the same security-level?

- Is same-security-traffic permit inter-interface configured?

- Are there any inbound ACLs applied on these 2 interfaces?

Can you try to configure static identity NAT for communicating between these subnets, like this:

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

Also, you must have the default gateway on the same subnet, so for 192.168.200.0/24 it must be 192.168.200.x.

You can post your config and modify the sensitive info.

Regards

Alain

Don't forget to rate helpful posts.

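The checklist above and the accepted answer's static identity NAT can be turned into an offline sanity check of a saved 8.2-style running config. This is an added example, not code from the thread or from Cisco; the config snippet inside it is constructed to mirror the interfaces posted later in the thread, and the interface names, the gateway-check helper and the 305005 reference are assumptions spelled out in the comments.

```python
import re
from ipaddress import ip_address, ip_interface
# Constructed sample modelled on the 8.2 config posted in the thread (not the OP's full config)
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 nameif inside-wlan
 security-level 100
!
same-security-traffic permit inter-interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface Fiber
"""
def parse_interfaces(config):
    """Map nameif -> security-level by walking the 'interface' stanzas."""
    levels, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = {}
        elif line.startswith("!"):
            cur = None
        elif cur is not None:
            m = re.match(r"\s*(nameif|security-level) (\S+)", line)
            if m:
                cur[m.group(1)] = m.group(2)
            if "nameif" in cur and "security-level" in cur:
                levels[cur["nameif"]] = int(cur["security-level"])
    return levels

def check_same_security_path(config, src, dst):
    """Run the thread's checklist for traffic entering src and leaving dst."""
    s, d = re.escape(src), re.escape(dst)
    levels = parse_interfaces(config)
    # 8.2 drops a packet matching a 'nat (src)' rule when dst has no 'global' (syslog 305005
    # 'No translation group found'); the accepted answer's static identity NAT supplies the xlate.
    nat_on_src = re.search(r"^nat \(%s\) " % s, config, re.M) is not None
    global_on_dst = re.search(r"^global \(%s\) " % d, config, re.M) is not None
    identity = re.search(r"^static \(%s,%s\) (\S+) \1 " % (s, d), config, re.M) is not None
    return {
        "same_level": src in levels and levels[src] == levels.get(dst),
        "inter_interface_permitted": "same-security-traffic permit inter-interface" in config,
        "inbound_acls": re.findall(r"^access-group (\S+) in interface (?:%s|%s)$" % (s, d), config, re.M),
        "needs_identity_nat": nat_on_src and not global_on_dst and not identity,
    }
def gateway_in_subnet(host_ip, netmask, gateway):
    # Alain's second point: the DHCP-issued gateway must sit in the host's own subnet (assumed helper)
    return ip_address(gateway) in ip_interface("%s/%s" % (host_ip, netmask)).network
```

Feed it a sanitised `sh run` and the two interface names; a `needs_identity_nat` of True together with an out-of-subnet gateway reproduces exactly the two faults the thread ends up fixing.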

Thanks for the quick response Cadet. Here is the config:

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(2)
!
hostname c-pix-yay
domain-name domain.com
enable password encrypted
passwd encrypted
names
name 192.168.100.1 DHCP-Relay-Server description DHCP Relay Server for 200 subnet
!
interface Ethernet0/0
description from Fiber
speed 100
duplex full
nameif Fiber
security-level 0
ip address Fiber_IP 255.255.255.248
!
interface Ethernet0/1
description inside lan
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.100.252 255.255.255.0
!
interface Ethernet0/2
description inside wlan network
nameif inside-wlan
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/3
description From comcrap
speed 100
shutdown
nameif comcrap
security-level 1
ip address 222.222.222.222 255.255.255.248
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.222.50 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Fiber
dns domain-lookup inside
dns domain-lookup inside-wlan
dns domain-lookup comcrap
dns server-group DefaultDNS
name-server DHCP-Relay-Server
name-server 192.168.100.2
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp-udp
port-object eq
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service Asterisk-http-tcp
port-object eq
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 VPN_Connection_Profile_0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 AWS-VPC 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 100.100.100.0 255.255.255.0
access-list remotevpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list remotevpn_splitTunnelAcl standard permit VPN_Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 VPN_Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 100.100.100.0 255.255.255.0 VPN_Connection_Profile_0 255.255.255.0
pager lines 10
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging from-address ASA5510@domain.com
logging recipient-address support@domain.com level critical
logging host inside 192.168.100.2
logging ftp-bufferwrap
mtu Fiber 1500
mtu inside 1500
mtu inside-wlan 1500
mtu comcrap 1500
mtu management 1500
ip local pool SSLVPN 100.100.100.1-100.100.100.250 mask 255.255.255.0
ip verify reverse-path interface Fiber
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Fiber) 1 interface
global (comcrap) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface Fiber
route Fiber 0.0.0.0 0.0.0.0 111.111.111.111 1
route comcrap 0.0.0.0 0.0.0.0 222.222.222.222 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol radius
aaa-server AD (inside) host server1
timeout 15
key
radius-common-pw
aaa-server AD (inside) host server2
key
radius-common-pw
aaa-server AD (inside) host server3
key
radius-common-pw
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 192.168.100.2 community
snmp-server host inside 192.168.100.2 community udp-port 161
no snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 123.123.123.123
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface Fiber
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=c-pix-yay
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate
  quit
crypto isakmp enable Fiber
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 123.123.123.0 255.255.255.0 comcr