Hello ServerFault,
I need help with the configuration of my Cisco ASA 5510. I have set up 4 Cisco ASAs interconnected via a big LAN. Each Cisco ASA has 3 or 4 LANs attached to it. The IP routing part is taken care of by OSPF. My problem is on another level.
A computer connected to one of the LANs attached to an ASA has no problem communicating with the outside world, the outside world being anything "after" the ASA. My problem is that I am completely unable to have it communicate with another LAN connected to the same ASA. To rephrase this, I am unable to send traffic from one interface of a given ASA to another interface of the same ASA.
My configuration is the following:
!
hostname Fuji
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif cs4
 no shutdown
 security-level 100
 ip address 10.1.4.1 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 no shutdown
!
interface Ethernet0/2.15
 vlan 15
 nameif cs5
 security-level 100
 ip address 10.1.5.1 255.255.255.0
!
interface Ethernet0/2.16
 vlan 16
 nameif cs6
 security-level 100
 ip address 10.1.6.1 255.255.255.0
!
interface Management0/0
 speed 100
 duplex full
 nameif management
 security-level 100
 ip address 10.6.0.252 255.255.255.0
!
access-list nat_cs4 extended permit ip 10.1.4.0 255.255.255.0 any
access-list acl_cs4 extended permit ip 10.1.4.0 255.255.255.0 any
access-list nat_cs5 extended permit ip 10.1.5.0 255.255.255.0 any
access-list acl_cs5 extended permit ip 10.1.5.0 255.255.255.0 any
access-list nat_cs6 extended permit ip 10.1.6.0 255.255.255.0 any
access-list acl_cs6 extended permit ip 10.1.6.0 255.255.255.0 any
!
access-list nat_outside extended permit ip any any
access-list acl_outside extended permit ip any 10.1.4.0 255.255.255.0
access-list acl_outside extended permit ip any 10.1.5.0 255.255.255.0
access-list acl_outside extended permit ip any 10.1.6.0 255.255.255.0
!
nat (outside) 0 access-list nat_outside
nat (cs4) 0 access-list nat_cs4
nat (cs5) 0 access-list nat_cs5
nat (cs6) 0 access-list nat_cs6
!
static (outside,cs4) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (outside,cs5) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (outside,cs6) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
!
static (cs4,outside) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
static (cs4,cs5) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
static (cs4,cs6) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
!
static (cs5,outside) 10.1.5.0 10.1.5.0 netmask 255.255.255.0
static (cs5,cs4) 10.1.5.0 10.1.5.0 netmask 255.255.255.0
static (cs5,cs6) 10.1.5.0 10.1.5.0 netmask 255.255.255.0
!
static (cs6,outside) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
static (cs6,cs4) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
static (cs6,cs5) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
!
access-group acl_outside in interface outside
access-group acl_cs4 in interface cs4
access-group acl_cs5 in interface cs5
access-group acl_cs6 in interface cs6
!
router ospf 1
 network 10.0.0.0 255.255.255.0 area 1
 network 10.1.4.0 255.255.255.0 area 1
 network 10.1.5.0 255.255.255.0 area 1
 network 10.1.6.0 255.255.255.0 area 1
 log-adj-changes
!
There is nothing really complicated in this configuration. It just NATs from one interface to another and that's it. I have tried enabling same-security-traffic permit inter-interface but that doesn't help.
I therefore must be missing something a little bit more complicated. Does anyone know why I cannot forward traffic from one interface to another?
Thank you in advance for your help,
Antoine
Add
same-security-traffic permit inter-interface
in your configuration. Interfaces with the same security level can't communicate with each other without this command.
From radius

Antoine Benkemoun: As I specified in my post, I have tried that and it doesn't help.
radius: Oops, sorry, I missed that. Did you try removing the static between CSx? Did you try with different levels on the interfaces?
Antoine Benkemoun: Removing the statics doesn't help... I'm planning another lab session Tuesday, we'll see how it goes then.
I finally got this fixed! I was doing way too much NAT. I deactivated nat-control, allowed same-security-level communication and got rid of most of the NAT stuff.
Below is my working config.
!
hostname Fuji
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif cs4
 no shutdown
 security-level 100
 ip address 10.1.4.1 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 no shutdown
!
interface Ethernet0/2.15
 vlan 15
 nameif cs5
 security-level 100
 ip address 10.1.5.1 255.255.255.0
!
interface Ethernet0/2.16
 vlan 16
 nameif cs6
 security-level 100
 ip address 10.1.6.1 255.255.255.0
!
interface Management0/0
 speed 100
 duplex full
 nameif management
 security-level 100
 ip address 10.6.0.252 255.255.255.0
!
same-security-traffic permit inter-interface
no nat-control
!
access-list acl_cs4 extended permit ip 10.1.4.0 255.255.255.0 any
access-list acl_cs5 extended permit ip 10.1.5.0 255.255.255.0 any
access-list acl_cs6 extended permit ip 10.1.6.0 255.255.255.0 any
!
access-list acl_outside extended permit ip any 10.1.4.0 255.255.255.0
access-list acl_outside extended permit ip any 10.1.5.0 255.255.255.0
access-list acl_outside extended permit ip any 10.1.6.0 255.255.255.0
!
static (outside,cs4) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (outside,cs5) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (outside,cs6) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
!
access-group acl_outside in interface outside
access-group acl_cs4 in interface cs4
access-group acl_cs5 in interface cs5
access-group acl_cs6 in interface cs6
!
router ospf 1
 network 10.0.0.0 255.255.255.0 area 1
 network 10.1.4.0 255.255.255.0 area 1
 network 10.1.5.0 255.255.255.0 area 1
 network 10.1.6.0 255.255.255.0 area 1
 log-adj-changes
!
From Antoine Benkemoun
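A small config lint, added here as an illustration and not part of either poster's answer, that flags the three things this thread turned on: interfaces sharing a security-level while same-security-traffic permit inter-interface is absent, nat-control being on, and identity static NAT between same-security interfaces. The two sample configs are constructed excerpts modelled on the thread's, and the interface_levels and lint function names are my own.

```python
import re
# Constructed excerpt modelled on the thread's interfaces (not the poster's full running-config).
INTERFACES = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif cs4
 security-level 100
interface Ethernet0/2.15
 nameif cs5
 security-level 100
"""
BROKEN = INTERFACES + """\
nat-control
static (cs4,cs5) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
static (cs5,cs4) 10.1.5.0 10.1.5.0 netmask 255.255.255.0
"""
FIXED = INTERFACES + "same-security-traffic permit inter-interface\nno nat-control\n"

def interface_levels(cfg):
    """Map each nameif to its security-level by walking the interface stanzas."""
    levels, name, level = {}, None, None
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            name = level = None  # new stanza, forget the previous one
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level "):
            level = int(s.split()[1])
        if name and level is not None:
            levels[name] = level
    return levels

def lint(cfg):
    """Return findings that match the thread's symptom; an empty list means clean."""
    levels, findings, groups = interface_levels(cfg), [], {}
    for name, lv in levels.items():
        groups.setdefault(lv, []).append(name)
    permitted = re.search(r"^same-security-traffic permit inter-interface", cfg, re.M)
    for lv, names in groups.items():
        if len(names) > 1 and not permitted:
            findings.append(f"level {lv}: {', '.join(sorted(names))} cannot reach each other "
                            "without 'same-security-traffic permit inter-interface'")
    if re.search(r"^nat-control", cfg, re.M):
        findings.append("nat-control is on: every inter-interface flow needs a matching NAT rule")
    for m in re.finditer(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask", cfg, re.M):
        src, dst, real, mapped = m.groups()
        if real == mapped and levels.get(src) == levels.get(dst):
            findings.append(f"identity static ({src},{dst}) between same-security interfaces; "
                            "the working config in the thread drops these")
    return findings
```

Running lint over a pasted show running-config reports the same-level interfaces, the nat-control state and the identity statics in one pass, which is the checklist the thread ended up working through by hand.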