
Cisco ASA 5510 configured 3 inside interface


  • Cisco ASA 5510 configured 3 inside interface

    I have a problem with my Cisco ASA 5510. I configured 3 inside interfaces (dept01, dept02, dept03); two have the same security level of 100 and one, dept01, is 50.

    dept02 and dept03 can access dept01, and all the shared files on the server are accessible, but when I run the FoxPro program from dept02 that has a database server on dept01, it gives an error of "invalid seek offset".

    Can someone help me with this and check my configuration?

    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password *************************
    passwd *****************

    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/1
    nameif DEPT01
    security-level 50
    ip address
    interface Ethernet0/2
    nameif DEPT02
    security-level 90
    ip address
    interface Ethernet0/3
    nameif DEPT03
    security-level 100
    ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address
    regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt])HTTP/1.[01]"
    regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh])HTTP/1.[01]"
    regex urllist3 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz])HTTP/1.[01]"
    regex NBAblock ".*NBA.*"
    regex domainlist1 "\.yahoo\.com"
    regex domainlist2 "\.myspace\.com"
    regex domainlist3 "\.youtube\.com"
    regex domainlist4 ".*facebook.*"
    regex domainlist5 ".*twitter.*"
    regex domainlist6 ".*job.*"
    regex domainlist7 ".*workabroad.*"
    regex nba ".*nba.*"
    regex Urlist4 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt])HTTP/1.[01]"
    regex applicationheader "application/.*"
    regex contenttype "Content-Type"
    time-range facebook
    absolute start 12:00 02 September 2012 end 13:00 02 September 2012
    periodic Monday Wednesday Thursday Friday Saturday Sunday 12:00 to 13:59
    ftp mode passive
    clock timezone PHST 8
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group network FandA
    network-object host NANETTE

    object-group service DM_INLINE_SERVICE_1
    service-object tcp-udp eq www
    service-object tcp eq https
    access-list DEPT01_mpc extended permit object-group TCPUDP object-group FandA any eq www time-range facebook
    access-list DEPT03_mpc extended permit object-group DM_INLINE_SERVICE_1 object-group Construction any
    access-list DEPT01_mpc_1 extended permit object-group TCPUDP object-group FandA any eq www
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu DEPT01 1500
    mtu DEPT02 1500
    mtu DEPT03 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (DEPT01) 1 interface
    nat (DEPT01) 1
    nat (DEPT02) 1
    nat (DEPT03) 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http management
    http DEPT03
    http DEPT01
    http DEPT02
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd address management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username ARJIE password xiERNslRJCoH/IVk encrypted privilege 15
    username MAGD password MTRLD0NC.7FtrUHw encrypted privilege 15
    username borland password Gpg9PEIMdpW9o4HL encrypted privilege 15
    class-map DEPT03-class
    match access-list DEPT03_mpc
    class-map DEPT01-class
    match access-list DEPT01_mpc_1
    class-map type regex match-any Urllistblock
    match regex urllist2
    class-map type inspect http match-all BlockURLClass
    match request uri regex class Urllistblock
    class-map type regex match-any DomainBlocklist
    match regex domainlist3
    match regex NBAblock
    match regex nba
    class-map type inspect http match-all BlockDomainClass
    match request header host regex class DomainBlocklist
    class-map inspection_default
    match default-inspection-traffic
    class-map type inspect http match-all AppHeaderClass
    match request header regex contenttype regex applicationheader
    policy-map type inspect dns preset_dns_map
    message-length maximum client auto
    message-length maximum 512
    policy-map type inspect http HTTP_INSPCTION_POLICY
    protocol-violation action drop-connection
    match request method connect
    drop-connection log
    class AppHeaderClass
    drop-connection log
    class BlockDomainClass
    reset log
    class BlockURLClass
    reset log
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    policy-map DEPT01-policy
    class DEPT01-class
    inspect http HTTP_INSPCTION_POLICY
    policy-map DEPT03-policy
    class DEPT03-class
    inspect http HTTP_INSPCTION_POLICY
    service-policy global_policy global
    service-policy DEPT01-policy interface DEPT01
    service-policy DEPT03-policy interface DEPT03
    prompt hostname context
    no call-home reporting anonymous
    : end

  • #2
    Re: Cisco ASA 5510 configured 3 inside interface

    Remember on the ASA traffic from a higher security interface to a lower security interface is always allowed by default. Traffic from a lower to a higher is allowed only if permitted by an ACL. Looks like you have PAT configured on all 3 interfaces. You will need NAT exemption statements or policy-based NAT for traffic between those interfaces. An easy way to troubleshoot a traffic flow on the ASA is by using packet-tracer either from the CLI or ASDM.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
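The two fixes the reply describes, written out as an added ASA 8.2 configuration example (not the poster's config and not from the reply's author): NAT exemption between the three inside interfaces, an explicit inbound ACL on the lowest-security interface, and a packet-tracer check of the FoxPro client-to-server path. The interface addresses are blanked out in the thread, so the 10.1.0.0/24, 10.2.0.0/24 and 10.3.0.0/24 subnets, the server 10.1.0.10, the client 10.2.0.25 and the tcp/445 port are constructed placeholders; substitute the real values. Interface names and the existing `nat (DEPTxx) 1` / `global` statements are the ones from the posted config.

```cisco
! Added example for ASA 8.2 syntax; addresses below are constructed placeholders.
! Assumed addressing:
!   DEPT01 (security-level 50)  10.1.0.0/24, database/file server 10.1.0.10
!   DEPT02 (security-level 90)  10.2.0.0/24
!   DEPT03 (security-level 100) 10.3.0.0/24
!
! 1. NAT exemption between the inside interfaces.
!    The posted config has "nat (DEPTxx) 1" on all three interfaces and
!    "global (DEPT01) 1 interface", so DEPT02/DEPT03 hosts reach DEPT01
!    translated to the DEPT01 interface address. "nat 0 access-list"
!    (NAT exemption) is evaluated before the dynamic rules and keeps the
!    real source addresses for traffic between the departments; anything
!    not matched here still hits "global (outside) 1 interface" for Internet PAT.
access-list DEPT01_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list DEPT01_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list DEPT02_nat0_outbound extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list DEPT02_nat0_outbound extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list DEPT03_nat0_outbound extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list DEPT03_nat0_outbound extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (DEPT01) 0 access-list DEPT01_nat0_outbound
nat (DEPT02) 0 access-list DEPT02_nat0_outbound
nat (DEPT03) 0 access-list DEPT03_nat0_outbound
!
! 2. Lower-to-higher traffic needs an explicit permit.
!    Connections from DEPT02 (90) to the DEPT01 (50) server are higher-to-lower
!    and allowed by default; replies ride the existing connection. Only flows
!    that DEPT01 hosts *initiate* towards DEPT02/DEPT03 need a rule, and they
!    should be listed narrowly rather than "permit ip any any".
!    Caveat: once an ACL is bound inbound on DEPT01, the security-level default
!    no longer applies on that interface, so DEPT01's Internet access must be
!    permitted explicitly (last line), after the inter-department denies.
access-list DEPT01_access_in extended permit tcp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 445
access-list DEPT01_access_in extended deny ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 log
access-list DEPT01_access_in extended deny ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0 log
access-list DEPT01_access_in extended permit ip 10.1.0.0 255.255.255.0 any
access-group DEPT01_access_in in interface DEPT01
!
! 3. Verify the path from the CLI, as the reply suggests. packet-tracer
!    simulates a DEPT02 client opening tcp/445 to the DEPT01 server and prints
!    each phase (route lookup, ACL, NAT, inspection) with ALLOW or DROP, so a
!    PAT or ACL problem shows up in the phase that drops the packet.
packet-tracer input DEPT02 tcp 10.2.0.25 49152 10.1.0.10 445
```

After changing NAT on 8.2, existing translations are not rebuilt automatically; clear them with `clear xlate` (during a quiet period, since it drops current translated connections) and then re-run the packet-tracer and the FoxPro client to confirm the flow now passes untranslated.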