ASA 5510 communication between inside interfaces(same security level) 1


dgobe (Technical User, US), Aug 24, 2009
I'm new to the ASA and can't figure out how to communicate between two inside interfaces with the same security level.

I have two subnets directly connected to the ASA along with a connection to an ISP. So far I have been able to get both subnets connected to the Internet (with PAT), but I can't get them to communicate with each other. Can someone please take a look at the config and see what I'm missing? Thanks for any help!

Code:
: Saved
:
ASA Version 8.2(1) 
!
hostname router
domain-name router.local
enable password xxxxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 shutdown
!
interface Ethernet0/1
 nameif student1
 security-level 100
 ip address 192.168.222.1 255.255.255.0 
!
interface Ethernet0/2
 nameif isp
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/3
 nameif student2
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name router.local
same-security-traffic permit inter-interface
pager lines 22
logging asdm informational
mtu student1 1500
mtu isp 1500
mtu student2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (isp) 1 interface
nat (student1) 1 192.168.222.0 255.255.255.0
nat (student2) 1 192.168.2.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http 192.168.2.0 255.255.255.0 student2
http 10.0.0.0 255.255.255.0 management
http 192.168.222.0 255.255.255.0 student1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.222.0 255.255.255.0 student1
ssh 192.168.2.0 255.255.255.0 student2
ssh 10.0.0.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcp-client client-id interface isp
dhcpd address 192.168.222.100-192.168.222.200 student1
dhcpd auto_config isp interface student1
dhcpd enable student1
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:1e94eb61fbc8a9da6ce2d3f4759f14c4
: end
 
You need to bypass NAT. One of the following should work for you:
Code:
access-list student1_nonat extended permit ip 192.168.222.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list student2_nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.222.0 255.255.255.0

nat (student1) 0 access-list student1_nonat
nat (student2) 0 access-list student2_nonat
option #2:
Code:
static (student1,student2) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (student2,student1) 192.168.222.0 192.168.222.0 netmask 255.255.255.0

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks unclerico!

I had messed around with identity NAT before but I don't think I hit the right incantation. Both of your suggestions work and I'm using option 1 currently.

You had the IPs in option 2 transposed, which is understandable. It should be:

Code:
static (student1,student2) 192.168.222.0 192.168.222.0 netmask 255.255.255.0
static (student2,student1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Thanks again, much appreciated.

How much you wanna make a bet I can throw a football over them mountains?
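Both fixes in this exchange, the nat 0 exemption and the corrected identity statics, can be checked mechanically before they go onto the box. The Python below is an added example, not code from the thread or from Cisco. It assumes pre-8.3 NAT syntax as used by 8.2(1) and handles only the forms that appear here (interface blocks, access-list extended permit ip, nat with an id, nat 0 access-list, and static with a netmask); anything else in a config is ignored. BASE, OPTION1 and OPTION2 are constructed from the thread's fragments, trimmed to the lines that matter.

```python
"""ASA 8.2 (pre-8.3 NAT syntax) check for same-security inter-interface traffic.
Added example, not code from the thread or from Cisco: reports whether traffic
between equal-security interfaces bypasses NAT (nat 0 access-list or identity static)."""
import ipaddress

SAME_SEC = "same-security-traffic permit inter-interface"


def parse(config):
    """Collect interfaces and the access-list/nat/static lines from a config."""
    st = {"ifcs": [], "acls": {}, "nat0": {}, "statics": [], "dyn": set(),
          "problems": [], "same_sec": SAME_SEC in config}
    def net(addr, mask):
        try:
            return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:          # e.g. a mistyped octet such as 1923.x.x.x
            st["problems"].append(f"invalid address/mask: {addr} {mask}")
            return None
    cur = None
    for raw in filter(str.strip, config.splitlines()):   # skip blank lines
        t = raw.split()
        if t[0] == "interface":
            st["ifcs"].append(cur := {"name": None, "level": None, "net": None})
        elif raw.startswith(" ") and cur is not None:     # interface sub-command
            if t[0] == "nameif":
                cur["name"] = t[1]
            elif t[0] == "security-level":
                cur["level"] = int(t[1])
            elif t[:2] == ["ip", "address"] and t[2] != "dhcp":
                cur["net"] = net(t[2], t[3])
        else:
            cur = None
            if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
                st["acls"].setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
            elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
                st["nat0"][t[1].strip("()")] = t[4]               # NAT exemption
            elif t[0] == "nat" and t[2] != "0":                   # dynamic nat/PAT
                st["dyn"].add(t[1].strip("()"))
            elif t[0] == "static":  # static (real,mapped) MAPPED_IP REAL_IP netmask MASK
                real_ifc, mapped_ifc = t[1].strip("()").split(",")
                st["statics"].append((real_ifc, mapped_ifc, net(t[3], t[5]), net(t[2], t[5])))
    return st


def exempted(st, a, b):
    """True if a['net'] leaving interface a toward interface b bypasses NAT."""
    for src, dst in st["acls"].get(st["nat0"].get(a["name"]), []):
        if (src is not None and dst is not None
                and a["net"].subnet_of(src) and b["net"].subnet_of(dst)):
            return True
    for real_ifc, mapped_ifc, real_net, mapped_net in st["statics"]:
        if ((real_ifc, mapped_ifc) == (a["name"], b["name"]) and real_net is not None
                and real_net == mapped_net and a["net"].subnet_of(real_net)):
            return True
    return False


def check(config):
    """Return findings; an empty list means every same-security path bypasses NAT."""
    st = parse(config)
    findings = list(st["problems"])
    if not st["same_sec"]:
        findings.append(f"missing: {SAME_SEC}")
    ifcs = [i for i in st["ifcs"] if i["net"] is not None]
    for a in ifcs:
        for b in ifcs:
            # a dynamic-NAT source needs an exemption or identity static toward b
            if (a is not b and a["level"] == b["level"] and a["name"] in st["dyn"]
                    and not exempted(st, a, b)):
                findings.append(f"{a['name']} -> {b['name']}: {a['net']} NATed, not exempted")
    return findings


# Constructed sample, trimmed from the first config in the thread.
BASE = """\
interface Ethernet0/1
 nameif student1
 security-level 100
 ip address 192.168.222.1 255.255.255.0
interface Ethernet0/3
 nameif student2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
same-security-traffic permit inter-interface
nat (student1) 1 192.168.222.0 255.255.255.0
nat (student2) 1 192.168.2.0 255.255.255.0
"""
# Option 1: NAT exemption ACLs, each bound to its own source interface.
OPTION1 = BASE + """\
access-list student1_nonat extended permit ip 192.168.222.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list student2_nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.222.0 255.255.255.0
nat (student1) 0 access-list student1_nonat
nat (student2) 0 access-list student2_nonat
"""
# Option 2: identity statics; the real interface must own the subnet it names.
OPTION2 = BASE + """\
static (student1,student2) 192.168.222.0 192.168.222.0 netmask 255.255.255.0
static (student2,student1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
"""
```

check(BASE) reports both directions as NATed with nothing to bypass it; check(OPTION1) and check(OPTION2) return an empty list. If the two statics in OPTION2 are swapped so that each names the other interface's subnet, as in the first version of option 2 above, the real interface no longer owns the subnet it claims and both directions are reported again. An address with a bad octet is reported as a parse problem instead of being silently treated as a match, which is the failure mode a typo in an exemption ACL would otherwise produce.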
 
Good catch there dgobe... your throwing arm is admirable I'm sure, but I've got nunchuck skills and computer hacking skills and I'm pretty good with a bo staff ;-)

 
Aw snap! I changed one of the subnets and the ISP config on the above scenario and now it doesn't work.

I reduced the setup to just two computers with one connected to student and the other connected to student2. Both had a static IP and their gateways were pointed at the respective ASA interface. The isp interface was functioning properly and both computers were able to access the Internet. Much to my chagrin, I can't make the student and student2 subnets talk to each other.

Can anyone spot a problem? I tried both of the NAT exemption methods above... starting to think something is up with this particular unit.


Code:
: Saved
:
ASA Version 8.2(1) 
!
hostname router
domain-name router.local
names
dns-guard
!
interface Ethernet0/0
 nameif isp
 security-level 0
 ip address x.x.x.x 255.255.255.240 
!
interface Ethernet0/1
 nameif student
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 nameif student2
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name router.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 22
logging asdm informational
mtu isp 1500
mtu student 1500
mtu student2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any student
icmp permit any student2
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (isp) 1 interface
nat (student) 1 192.168.1.0 255.255.255.0
nat (student2) 1 192.168.2.0 255.255.255.0
static (student2,student) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 
static (student,student2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 
route isp 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http 192.168.2.0 255.255.255.0 student2
http 10.0.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 student2
ssh 10.0.0.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.43.244.18 source isp
ntp server 140.221.9.6 source isp prefer
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:2a8f340d9ca2c66e4fe7568769947bd3
: end
 
So you can get to the Internet from either interface, but any communication between the interfaces is not working?

 
Yep, in fact I had both subnets connected and all the computers could get on the net. I just reduced it to eliminate any routing issues. I've disabled the Windows firewall on both computers (it's the only one installed).

When I try a TFTP get between the subnets (in either direction), the TFTPD server does show the client request and brings up the window showing it's transferring the file (several times), but the client just times out. It's like packets are passing through but not able to get back. At one point I put in ACEs that explicitly allowed IP from any to any on both interfaces, both incoming and outgoing. Still no dice.

I've stared at the config for hours so I would kindly ask someone to take a look and see if I missed anything. If it looks good, it might be something with the ASA itself.

Thanks guys.
 
I have to ask a seemingly stupid question, but are you sure that the host that was connected to the student1 (192.168.222.0/24) interface has the correct IP configuration?

 
The 192.168.222.0 subnet was just used in a "test lab" setup. The second configuration I posted is the one that is in use now. The IP configurations on the workstations are valid, I can ping the directly connected ASA interface as well as surf the 'net. There are no static routes installed on the workstations either.

If the config looks good I'll assume something is going on with the unit. I might try loading the older version of the boot image to see what happens.
 