cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
151
Views
0
Helpful
1
Replies
Highlighted
Beginner

Test Environment

I have a test environement I am working on for some future needs.  Attached is the config on the ASA5520 that I am working with.  I need to be able to be plugged into the 10.14.101.0 network and communicate with the 10.14.105.0 and 10.14.107.0 networks.  I am unable to pass any traffic currently, was hoping somoene could take a look and see if anything jumps out at them.  Thanks!

: Saved
: Written by enable_15 at 13:46:57.127 UTC Wed Nov 7 2012
!
ASA Version 7.0(8)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
  description "TESTBOPS6500 Gi3/33"
  nameif DMZ
  security-level 35
  ip address 10.14.106.1 255.255.255.0
!
interface Ethernet0/1
  description "Internet - DSL"
  nameif outside
  security-level 0
  ip address xx.xx.xx.xx 255.255.255.224
!
interface Ethernet0/2
  description "Test Network CAT3500XL Fa0/1"
  no nameif
  no security-level
  no ip address
!
interface Ethernet0/2.101
  vlan 101
  nameif inside101
  security-level 100
  ip address 10.14.101.1 255.255.255.0
!
interface Ethernet0/2.107
  description "Test ESX Hosts"
  vlan 107
  nameif inside107
  security-level 100
  ip address 10.14.107.1 255.255.255.0
!
interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
!
ftp mode passive
object-group network Internal-Networks
  network-object 10.14.101.0 255.255.255.0
  network-object 10.14.107.0 255.255.255.0
access-list INSIDEACL extended permit ip 10.14.101.0 255.255.255.0 host 10.14.105.20
access-list INSIDEACL extended permit ip 10.14.101.0 255.255.255.0 host 10.14.105.2
access-list INSIDEACL extended permit ip 10.14.101.0 255.255.255.0 host 10.14.105.1
access-list INSIDEACL extended deny ip 10.14.101.0 255.255.255.0 10.14.105.0 255.255.255.0
access-list INSIDEACL extended permit ip 10.14.107.0 255.255.255.0 host 10.14.105.20
access-list INSIDEACL extended permit ip 10.14.107.0 255.255.255.0 host 10.14.105.1
access-list INSIDEACL extended permit ip 10.14.107.0 255.255.255.0 host 10.14.105.2
access-list INSIDEACL extended deny ip 10.14.107.0 255.255.255.0 10.14.105.0 255.255.255.0
access-list INSIDEACL extended permit ip 10.14.101.0 255.255.255.0 10.14.107.0 255.255.255.0
access-list INSIDEACL extended permit ip 10.14.107.0 255.255.255.0 10.14.101.0 255.255.255.0
access-list INSIDEACL extended permit ip any any
access-list DMZACL extended permit ip host 10.14.105.20 10.14.107.0 255.255.255.0
access-list DMZACL extended permit ip host 10.14.105.20 10.14.101.0 255.255.255.0
access-list DMZACL extended permit ip 10.14.106.0 255.255.255.0 10.14.101.0 255.255.255.0
access-list DMZACL extended permit ip 10.14.106.0 255.255.255.0 10.14.107.0 255.255.255.0
access-list DMZACL extended permit ip 10.14.105.0 255.255.255.0 10.14.107.0 255.255.255.0
access-list inside101_nat0 extended permit ip 10.14.101.0 255.255.255.0 10.14.107.0 255.255.255.0
access-list inside107_nat0 extended permit ip 10.14.107.0 255.255.255.0 10.14.101.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu DMZ 1500
mtu outside 1500
mtu inside101 1500
mtu inside107 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside101) 0 access-list inside101_nat0
nat (inside101) 1 10.14.101.0 255.255.255.0
nat (inside107) 0 access-list inside107_nat0
nat (inside107) 1 10.14.107.0 255.255.255.0
static (inside101,DMZ) 10.14.101.10 10.14.106.10 netmask 255.255.255.255
access-group DMZACL in interface DMZ
access-group INSIDEACL in interface inside101
access-group INSIDEACL in interface inside107
route DMZ 10.14.105.0 255.255.255.0 10.14.106.2 1
route outside 0.0.0.0 0.0.0.0 65.164.19.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
  match default-inspection-traffic
!
!
policy-map global_policy
  class inspection_default
   inspect dns maximum-length 512
   inspect ftp
   inspect h323 h225
   inspect h323 ras
   inspect rsh
   inspect rtsp
   inspect esmtp
   inspect sqlnet
   inspect skinny
   inspect sunrpc
   inspect xdmcp
   inspect sip
   inspect netbios
   inspect tftp
!
service-policy global_policy global
Cryptochecksum:ccd82c459528e6275072ddf1e0bfffe6
: end

1 REPLY 1
Highlighted
Beginner

Hello,

It looks like you are trying to allow traffic to go in and out of the same interface. By default, ASA's do not allow this. Please place this line in the config and test again:

(config)# same-security-traffic permit intra-interface

Joel

_______________________________
Please rate helpful posts and answered questions!

Joel _______________________________ Please rate helpful posts and answered questions!
Content for Community-Ad