Help Configuring allow traffic between interfaces Asa 5520
  • Help Configuring allow traffic between interfaces Asa 5520

    I have 3 interfaces configured on the ASA

    1 - WAN
    2 - Inside-MACC
    3 - Inside-META

    I cannot get the META and the MACC to communicate. I have enabled allowing traffic between interfaces with the same security level, to no avail. Here is my config file:
    hostname PV-ASA
    enable password yXf4lIH1Tu35utfz encrypted
    passwd yXf4lIH1Tu35utfz encrypted
    names
    !
    interface GigabitEthernet0/0
    nameif WAN
    security-level 0
    ip address 206.123.194.132 255.255.255.240
    !
    interface GigabitEthernet0/1
    nameif INSIDE-MACC
    security-level 20
    ip address 10.33.33.1 255.255.255.0
    !
    interface GigabitEthernet0/2
    nameif INSIDE-META
    security-level 20
    ip address 192.168.90.1 255.255.255.0
    !
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list MACC_access_in extended permit icmp any 192.168.90.0 255.255.255.0
    access-list MACC_access_in extended permit ip any any
    access-list META_access_in extended permit icmp any any
    access-list META_access_in extended permit ip any any
    access-list WAN_access_in extended permit icmp any any
    access-list WAN_access_in extended permit ip any any
    access-list MACC_access_in_1 extended permit ip interface INSIDE-MACC any
    access-list INSIDE-MACC_access_in extended permit ip 192.168.90.0 255.255.255.0 any
    access-list INSIDE-MACC_access_in extended permit ip any 192.168.90.0 255.255.255.0
    access-list INSIDE-MACC_access_in extended permit icmp any 192.168.90.0 255.255.255.0
    access-list INSIDE-MACC_access_in extended permit icmp any any
    access-list INSIDE-META_access_in extended permit ip 10.33.33.0 255.255.255.0 any
    access-list INSIDE-META_access_in extended permit tcp any any
    access-list INSIDE-META_access_in extended permit icmp any any
    pager lines 24
    logging asdm informational
    mtu management 1500
    mtu INSIDE-MACC 1500
    mtu INSIDE-META 1500
    mtu WAN 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (WAN) 101 interface
    nat (WAN) 101 0.0.0.0 0.0.0.0
    access-group INSIDE-MACC_access_in in interface INSIDE-MACC
    access-group INSIDE-META_access_in in interface INSIDE-META
    access-group WAN_access_in in interface WAN
    route WAN 0.0.0.0 0.0.0.0 206.123.194.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 management
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f1ff8a6c23101bd8ac9896a02dbf6af7
    : end
    no asdm history enable
    Last edited by atlast925; 23rd June 2013, 18:58.

  • #2
    Re: Help Configuring allow traffic between interfaces Asa 5520

    As a test, temporarily remove the access-lists on both those interfaces and see if that works. Another option is to use packet tracer from the command line to see if the traffic between those interfaces is being filtered.

    If you look at your ACLs, they are not configured correctly.

    Example:

    interface GigabitEthernet0/1
    nameif INSIDE-MACC
    security-level 20
    ip address 10.33.33.1 255.255.255.0

    access-list INSIDE-MACC_access_in extended permit ip 192.168.90.0 255.255.255.0 any
    access-list INSIDE-MACC_access_in extended permit ip any 192.168.90.0 255.255.255.0
    access-list INSIDE-MACC_access_in extended permit icmp any 192.168.90.0 255.255.255.0
    access-list INSIDE-MACC_access_in extended permit icmp any any

    access-group INSIDE-MACC_access_in in interface INSIDE-MACC

    This ACL says permit traffic sourced from 192.168.90.0/24 entering the gi0/1 interface going to anywhere. The problem is traffic will never be sourced from 192.168.90.0/24 as the network inside that interface is the 10.33.33.0/24 network. This ACL should be configured with the outbound direction on that interface and not the inbound.
    Last edited by auglan; 24th June 2013, 13:56.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
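An added illustration of the ACL point in reply #2 (not code from the thread or from Cisco): a small Python evaluator that applies ASA first-match semantics to the two inbound ACLs from the posted config and flags entries whose source network cannot appear on the interface they are bound to. It goes slightly beyond the reply by checking both inside interfaces, and assumes that only each interface's connected subnet sits behind it, which is what the posted route table suggests.

```python
import ipaddress

# ACL lines copied from the posted config (the two ACLs bound inbound to the inside
# interfaces), with the access-group bindings and connected subnets they apply to.
ACL_TEXT = """
access-list INSIDE-MACC_access_in extended permit ip 192.168.90.0 255.255.255.0 any
access-list INSIDE-MACC_access_in extended permit ip any 192.168.90.0 255.255.255.0
access-list INSIDE-MACC_access_in extended permit icmp any 192.168.90.0 255.255.255.0
access-list INSIDE-MACC_access_in extended permit icmp any any
access-list INSIDE-META_access_in extended permit ip 10.33.33.0 255.255.255.0 any
access-list INSIDE-META_access_in extended permit tcp any any
access-list INSIDE-META_access_in extended permit icmp any any
"""
INBOUND_ACL = {"INSIDE-MACC": "INSIDE-MACC_access_in", "INSIDE-META": "INSIDE-META_access_in"}
# Assumption: only the connected subnet sits behind each inside interface (the posted config has no route but the default).
CONNECTED = {"INSIDE-MACC": ipaddress.ip_network("10.33.33.0/24"),
             "INSIDE-META": ipaddress.ip_network("192.168.90.0/24")}


def _take_addr(tokens):
    """Consume 'any' or 'ADDR MASK' from the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acls(text):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()  # access-list NAME extended ACTION PROTO SRC... DST...
        name, action, proto = tok[1], tok[3], tok[4]
        src, rest = _take_addr(tok[5:])
        dst, _ = _take_addr(rest)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def evaluate(acls, ifc, proto, src, dst):
    """ASA first-match check for a packet entering ifc: (action, 1-based ACE index), or ("deny", None) for the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, p, s, d) in enumerate(acls[INBOUND_ACL[ifc]], start=1):
        if p in ("ip", proto) and src in s and dst in d:  # 'ip' matches every protocol
            return action, n
    return "deny", None


def unreachable_sources(acls):
    """Flag inbound ACEs whose source network holds no host behind that interface (the mismatch in reply #2)."""
    return [(acl, n, str(s)) for ifc, acl in INBOUND_ACL.items()
            for n, (_, _, s, _) in enumerate(acls[acl], start=1)
            if not s.overlaps(CONNECTED[ifc])]
```

Run against the posted ACLs it also shows that INSIDE-META_access_in permits only TCP and ICMP toward the MACC network, so UDP from 192.168.90.0/24 falls through to the implicit deny. The on-box equivalent of one evaluate() call is the packet-tracer command the reply mentions, e.g. packet-tracer input INSIDE-MACC icmp 10.33.33.5 8 0 192.168.90.5.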
