Test Environment

sonitadmin · ‎11-08-2012

I have a test environement I am working on for some future needs. Attached is the config on the ASA5520 that I am working with. I need to be able to be plugged into the 10.14.101.0 network and communicate with the 10.14.105.0 and 10.14.107.0 networks. I am unable to pass any traffic currently, was hoping somoene could take a look and see if anything jumps out at them. Thanks!

: Saved
: Written by enable_15 at 13:46:57.127 UTC Wed Nov 7 2012
!
ASA Version 7.0(8)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
description "TESTBOPS6500 Gi3/33"
nameif DMZ
security-level 35
ip address 10.14.106.1 255.255.255.0
!
interface Ethernet0/1
description "Internet - DSL"
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.224
!
interface Ethernet0/2
description "Test Network CAT3500XL Fa0/1"
no nameif
no security-level
no ip address
!
interface Ethernet0/2.101
vlan 101
nameif inside101
security-level 100
ip address 10.14.101.1 255.255.255.0
!
interface Ethernet0/2.107
description "Test ESX Hosts"
vlan 107
nameif inside107
security-level 100
ip address 10.14.107.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object-group network Internal-Networks
network-object 10.14.101.0 255.255.255.0
network-object 10.14.107.0 255.255.255.0
access-list INSIDEACL extended permit ip 10.14.101.0 255.255.255.0 host 10.14.105.20
access-list INSIDEACL extended permit ip 10.14.101.0 255.255.255.0 host 10.14.105.2
access-list INSIDEACL extended permit ip 10.14.101.0 255.255.255.0 host 10.14.105.1
access-list INSIDEACL extended deny ip 10.14.101.0 255.255.255.0 10.14.105.0 255.255.255.0
access-list INSIDEACL extended permit ip 10.14.107.0 255.255.255.0 host 10.14.105.20
access-list INSIDEACL extended permit ip 10.14.107.0 255.255.255.0 host 10.14.105.1
access-list INSIDEACL extended permit ip 10.14.107.0 255.255.255.0 host 10.14.105.2
access-list INSIDEACL extended deny ip 10.14.107.0 255.255.255.0 10.14.105.0 255.255.255.0
access-list INSIDEACL extended permit ip 10.14.101.0 255.255.255.0 10.14.107.0 255.255.255.0
access-list INSIDEACL extended permit ip 10.14.107.0 255.255.255.0 10.14.101.0 255.255.255.0
access-list INSIDEACL extended permit ip any any
access-list DMZACL extended permit ip host 10.14.105.20 10.14.107.0 255.255.255.0
access-list DMZACL extended permit ip host 10.14.105.20 10.14.101.0 255.255.255.0
access-list DMZACL extended permit ip 10.14.106.0 255.255.255.0 10.14.101.0 255.255.255.0
access-list DMZACL extended permit ip 10.14.106.0 255.255.255.0 10.14.107.0 255.255.255.0
access-list DMZACL extended permit ip 10.14.105.0 255.255.255.0 10.14.107.0 255.255.255.0
access-list inside101_nat0 extended permit ip 10.14.101.0 255.255.255.0 10.14.107.0 255.255.255.0
access-list inside107_nat0 extended permit ip 10.14.107.0 255.255.255.0 10.14.101.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu DMZ 1500
mtu outside 1500
mtu inside101 1500
mtu inside107 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside101) 0 access-list inside101_nat0
nat (inside101) 1 10.14.101.0 255.255.255.0
nat (inside107) 0 access-list inside107_nat0
nat (inside107) 1 10.14.107.0 255.255.255.0
static (inside101,DMZ) 10.14.101.10 10.14.106.10 netmask 255.255.255.255
access-group DMZACL in interface DMZ
access-group INSIDEACL in interface inside101
access-group INSIDEACL in interface inside107
route DMZ 10.14.105.0 255.255.255.0 10.14.106.2 1
route outside 0.0.0.0 0.0.0.0 65.164.19.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
   inspect dns maximum-length 512
   inspect ftp
   inspect h323 h225
   inspect h323 ras
   inspect rsh
   inspect rtsp
   inspect esmtp
   inspect sqlnet
   inspect skinny
   inspect sunrpc
   inspect xdmcp
   inspect sip
   inspect netbios
   inspect tftp
!
service-policy global_policy global
Cryptochecksum:ccd82c459528e6275072ddf1e0bfffe6
: end

joelgooding · ‎11-15-2012

Hello,

It looks like you are trying to allow traffic to go in and out of the same interface. By default, ASA's do not allow this. Please place this line in the config and test again:

(config)# same-security-traffic permit intra-interface

Joel

_______________________________
Please rate helpful posts and answered questions!

Joel _______________________________ Please rate helpful posts and answered questions!