Interinterface traffic not allowed with same security levels

(OP)
We have 8 subinterfaces (VLANs) configured on an ASA 5550. We are essentially using the ASA to route between the VLANs. Our admin VLAN traffic is being blocked going to other interfaces by the implicit deny ACL. Other VLANs with the same security levels are able to talk between each other. We would like to change the security levels on each VLAN to an appropriate level based on VLAN function. However, I'd like the ASA to behave the way it's supposed to before I move forward with our final configuration. Our institution owns a Class B IP range so we are not doing any NAT. Config below...

ASA Version 8.0(3)19
!
hostname uwcxdcasa
domain-name uwex.uwc.edu
!
interface GigabitEthernet0/0
 description Outside
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 143.x.x.254 255.255.255.0
!
interface GigabitEthernet0/1
 description Inside
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.1428
 description admin_inside on vlan 1428
 vlan 1428
 nameif admin_inside
 security-level 100
 ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1429
 description backup_inside on vlan 1429
 vlan 1429
 nameif backup_inside
 security-level 100
 ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1430
 description dev_inside on vlan 1430
 vlan 1430
 nameif dev_inside
 security-level 75
 ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1431
 description test_inside on vlan 1431
 vlan 1431
 nameif test_inside
 security-level 100
 ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1432
 description prodweb_inside on vlan 1432
 vlan 1432
 nameif prodweb_inside
 security-level 100
 ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1433
 description proddb_inside on vlan 1433
 vlan 1433
 nameif proddb_inside
 security-level 100
 ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1434
 description proddata_inside on vlan 1434
 vlan 1434
 nameif proddata_inside
 security-level 100
 ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1435
 description dmzservices_inside on vlan 1435
 vlan 1435
 nameif dmzservices_inside
 security-level 50
 ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa803-19-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name uwex.uwc.edu
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network TechOps
 description Technical Operations Information Technology Group
 network-object host cchrisinger
 network-object host pgillett_1
 network-object host ddingman_1
 network-object host ddingman_2
 network-object host ddingman_4
 network-object host ddingman_3
 network-object host pwilliams_1
 network-object host pwilliams_2
 network-object host phart_1
 network-object host blabuda_3
 network-object host phart_2
 network-object host pgillett_2
 network-object host jmagill_1
 network-object host blabuda_2
 network-object host blabuda_1
 network-object host adm-hartp
object-group service default_inside_access_out
 description VLAN default inside to outside access for servers
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp-udp eq domain
 service-object tcp eq ssh
 service-object tcp eq ftp
 service-object tcp eq ftp-data
object-group network DM_INLINE_NETWORK_1
 network-object 143.x.x.0 255.255.255.0
 network-object 143.x.x.0 255.255.255.0
 network-object 143.x.x.0 255.255.255.0
 network-object 143.x.x.0 255.255.255.0
 network-object 143.x.x.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object UWMADCAMP2 255.255.0.0
 network-object UWMADCAMP1 255.255.0.0
object-group service BuckyBackup
 description ASDM Bucky Backup Ports
 service-object tcp-udp range 1499 1503
object-group network DM_INLINE_NETWORK_4
 network-object 143.x.x.0 255.255.255.0
 network-object 143.x.x.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq ssh
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ldap
 port-object eq ldaps
object-group network DM_INLINE_NETWORK_3
 network-object 10.0.0.0 255.240.0.0
 network-object UWMADCAMP2 255.255.0.0
 network-object 143.x.x.0 255.255.0.0
 network-object UWMADCAMP1 255.255.0.0
object-group network DM_INLINE_NETWORK_6
 network-object UWMADCAMP2 255.255.0.0
 network-object UWC_Central 255.255.240.0
 network-object UWMADCAMP1 255.255.0.0
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 group-object BuckyBackup
 group-object default_inside_access_out
object-group network bb.uwex.uwc.edu
 description big brother
 network-object host bb.uwex.edu
 network-object host bb.uwc.edu
object-group network DM_INLINE_NETWORK_5
 network-object 10.0.0.0 255.240.0.0
 network-object UWEX_Subnet 255.255.252.0
 network-object uwcx_lakeasa 255.255.255.128
object-group service DM_INLINE_TCP_6 tcp
 port-object eq www
 port-object eq https
object-group service google-admin tcp
 description google appliance administration ports
 port-object eq 8000
 port-object eq 8443
access-list admin_inside_access_in extended permit icmp any any
access-list admin_inside_access_in remark Allow IP out to other server rooms
access-list admin_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list admin_inside_access_in remark Allow IP out to manage google
access-list admin_inside_access_in extended permit tcp 143.x.x.0 255.255.255.0 host google.uwex.uwc.edu object-group google-admin
access-list admin_inside_access_in remark Allow IP out to other server rooms
access-list admin_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group DM_INLINE_NETWORK_5
access-list admin_inside_access_in remark Allow default Internet Access
access-list admin_inside_access_in extended permit object-group default_inside_access_out any any
access-list admin_inside_access_in remark Allow Bucky Backup Access outbound
access-list admin_inside_access_in extended permit object-group BuckyBackup any any
access-list outside_access_in remark Allow ICMP packets to all vlans
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_3 any
access-list outside_access_in remark Allow Big Brother monitoring
access-list outside_access_in extended permit ip object-group bb.uwex.uwc.edu any
access-list outside_access_in remark Enable Bucky Backup to DataCenter servers
access-list outside_access_in extended permit object-group BuckyBackup object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_4
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host dns1.uwex.uwc.edu eq domain
access-list outside_access_in remark Allow http, https, and ssh to citpweb01
access-list outside_access_in extended permit tcp any host citpweb01 object-group DM_INLINE_TCP_1
access-list outside_access_in remark Allow http and https to citpapps01-ezproxy
access-list outside_access_in extended permit tcp any host citpapps01-ezproxy object-group DM_INLINE_TCP_5
access-list outside_access_in remark Allow http and https to google-mini
access-list outside_access_in extended permit tcp any host google.uwex.uwc.edu object-group DM_INLINE_TCP_6
access-list outside_access_in remark Allow TechOps remote desktop access
access-list outside_access_in extended permit tcp UWC_Central 255.255.240.0 host citpapp02.uwc.edu eq 3389
access-list outside_access_in remark Allow http and https access to servicecenter
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host citpapp02.uwc.edu object-group DM_INLINE_TCP_3
access-list outside_access_in remark Allow Test access for ONL to test Website
access-list outside_access_in extended permit tcp ONL-Subnet 255.255.255.0 host citweb01-test eq www
access-list test_inside_access_in remark Allow IP out to other server rooms
access-list test_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list test_inside_access_in remark Allow default Internet Access
access-list test_inside_access_in extended permit object-group default_inside_access_out any any
access-list test_inside_access_in remark Allow Bucky Backup Access outbound
access-list test_inside_access_in extended permit object-group BuckyBackup any any
access-list test_inside_access_in extended permit icmp any any
access-list proddata_inside_access_in remark Allow IP out to other server rooms
access-list proddata_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list proddata_inside_access_in extended permit icmp any any
access-list dev_inside_access_in remark Allow IP out to other server rooms
access-list dev_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list dev_inside_access_in extended permit object-group DM_INLINE_SERVICE_1 143.235.4.0 255.255.255.0 any
access-list dev_inside_access_in extended permit icmp any any
access-list proddb_inisde_access_in remark Allow IP out to other server rooms
access-list proddb_inisde_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list proddb_inisde_access_in extended permit ip any any
access-list proddb_inisde_access_in extended permit icmp any any
access-list backup_inside_access_in remark Allow IP out to other server rooms
access-list backup_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list backup_inside_access_in extended permit icmp any any
access-list dmzservices_inside_access_in remark Allow IP out to other server rooms
access-list dmzservices_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list dmzservices_inside_access_in extended permit icmp any any
access-list prodweb_inside_access_in extended permit icmp any any
access-list prodweb_inside_access_in remark Allow IP out to other server rooms
access-list prodweb_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list prodweb_inside_access_in remark Allow default Internet Access
access-list prodweb_inside_access_in extended permit object-group default_inside_access_out any any
access-list prodweb_inside_access_in remark Allow Bucky Backup Access outbound
access-list prodweb_inside_access_in extended permit object-group BuckyBackup any any
access-list prodweb_inside_access_in remark connection to mysql.uwex.edu
access-list prodweb_inside_access_in extended permit tcp host citpweb01 host mysql.uwex.edu eq 3306
access-list prodweb_inside_access_in remark LDAPS and LDAP Connection to UWCDC1
access-list prodweb_inside_access_in extended permit tcp host citpweb01 host uwcdc1.uwc.edu object-group DM_INLINE_TCP_2
access-list admin_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list admin_inside_nat0_outbound remark Allow TechOps Access to Data Center Administration VLAN
access-list admin_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 object-group TechOps
access-list admin_inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 uwcx_lakeasa 255.255.255.128
access-list dev_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list dev_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list test_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list test_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list proddb_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list proddb_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list proddata_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list proddata_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list outside_1_cryptomap extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list outside_1_cryptomap extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list outside_1_cryptomap extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list outside_1_cryptomap extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list outside_1_cryptomap extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list outside_2_cryptomap extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list outside_2_cryptomap extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list outside_2_cryptomap extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list outside_2_cryptomap extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list outside_2_cryptomap extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list outside_4_cryptomap extended permit ip 143.x.x.0 255.255.255.0 uwcx_lakeasa 255.255.255.128
access-list outside_4_cryptomap extended permit ip 143.x.x.0 255.255.255.0 uwcx_lakeasa 255.255.255.128
access-list outside_4_cryptomap extended permit ip 143.x.x.0 255.255.255.0 uwcx_lakeasa 255.255.255.128
access-list outside_4_cryptomap extended permit ip 143.x.x.0 255.255.255.0 uwcx_lakeasa 255.255.255.128
access-list outside_4_cryptomap extended permit ip 143.x.x.0 255.255.255.0 uwcx_lakeasa 255.255.255.128
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host admin_inside 128.x.x.250
mtu outside 1500
mtu admin_inside 1500
mtu backup_inside 1500
mtu dev_inside 1500
mtu test_inside 1500
mtu prodweb_inside 1500
mtu proddb_inside 1500
mtu proddata_inside 1500
mtu dmzservices_inside 1500
ip local pool vpnpool 172.17.1.100-172.17.1.199 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface admin_inside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any admin_inside
icmp permit any backup_inside
asdm image disk0:/asdm-60360.bin
no asdm history enable
arp timeout 14400
nat (admin_inside) 0 access-list admin_inside_nat0_outbound
nat (dev_inside) 0 access-list dev_inside_nat0_outbound
nat (test_inside) 0 access-list test_inside_nat0_outbound
nat (proddb_inside) 0 access-list proddb_inside_nat0_outbound
nat (proddata_inside) 0 access-list proddata_inside_nat0_outbound
static (backup_inside,outside) 143.x.x.0 143.x.x.0 netmask 255.255.255.0
static (proddb_inside,outside) 143.x.x.0 143.x.x.0 netmask 255.255.255.0
static (dmzservices_inside,outside) 143.x.x.0 143.x.x.0 netmask 255.255.255.0
static (admin_inside,outside) eva.uwex.uwc.edu eva.uwex.uwc.edu netmask 255.255.255.255
static (admin_inside,outside) sim.uwex.uwc.edu sim.uwex.uwc.edu netmask 255.255.255.255
static (admin_inside,outside) citpdc01.uwc.edu citpdc01.uwc.edu netmask 255.255.255.255
static (admin_inside,outside) APC_ISX APC_ISX netmask 255.255.255.255
static (admin_inside,outside) Cory_Temp Cory_Temp netmask 255.255.255.255
static (prodweb_inside,outside) citpweb01 citpweb01 netmask 255.255.255.255
static (admin_inside,outside) Cisco_3020-b Cisco_3020-b netmask 255.255.255.255
static (prodweb_inside,outside) citpapp02.uwc.edu citpapp02.uwc.edu netmask 255.255.255.255
static (admin_inside,outside) dns.uwex.uwc.edu dns.uwex.uwc.edu netmask 255.255.255.255
static (proddata_inside,outside) citpapps01-ezproxy citpapps01-ezproxy netmask 255.255.255.255
static (proddata_inside,outside) citpsps01.uwc.edu citpsps01.uwc.edu netmask 255.255.255.255
static (test_inside,outside) citdf801.uwc.edu citdf801.uwc.edu netmask 255.255.255.255
static (test_inside,outside) citpsps02.uwc.edu citpsps02.uwc.edu netmask 255.255.255.255
static (dev_inside,outside) citdvems01.uwc.edu citdvems01.uwc.edu netmask 255.255.255.255
static (test_inside,outside) citweb01-test citweb01-test netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group admin_inside_access_in in interface admin_inside
access-group backup_inside_access_in in interface backup_inside
access-group dev_inside_access_in in interface dev_inside
access-group test_inside_access_in in interface test_inside
access-group prodweb_inside_access_in in interface prodweb_inside
access-group proddb_inisde_access_in in interface proddb_inside
access-group proddata_inside_access_in in interface proddata_inside
access-group dmzservices_inside_access_in in interface dmzservices_inside
route outside 0.0.0.0 0.0.0.0 143.x.x.1 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 143.x.x.51 255.255.255.255 outside
http 143.x.x.91 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 admin_inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 128.x.x.5
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 143.x.x.1
crypto map outside_map 2 set transform-set ESP-DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 128.x.x.6
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 4 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 143.x.x.91 255.255.255.255 outside
ssh 143.x.x.51 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access admin_inside
!
threat-detection basic-threat
threat-detection statistics
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
group-policy uwcxremotevpn internal
group-policy uwcxremotevpn attributes
 dns-server value 128.x.x.254
 vpn-tunnel-protocol IPSec
 default-domain value uwex.uwc.edu
username uwcx-monitor password Vg8fWBXiKbD408bU encrypted privilege 13
username uwcx-security password CGpcr.GLhmjrEHy5 encrypted privilege 15
tunnel-group 128.x.x.5 type ipsec-l2l
tunnel-group 128.x.x.5 ipsec-attributes
 pre-shared-key *
tunnel-group 128.x.x.6 type ipsec-l2l
tunnel-group 128.x.x.6 ipsec-attributes
 pre-shared-key *
tunnel-group 143.x.x.1 type ipsec-l2l
tunnel-group 143.x.x.1 ipsec-attributes
 pre-shared-key *
tunnel-group uwcxremotevpn type remote-access
tunnel-group uwcxremotevpn general-attributes
 address-pool vpnpool
 default-group-policy uwcxremotevpn
tunnel-group uwcxremotevpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4b00cd7bb367732a75e84938a931de7e
: end
asdm image disk0:/asdm-60360.bin

no asdm history enable
 

RE: Interinterface traffic not allowed with same security levels

The only permits I see are between the individual subnets and the object-group bb.uwex.uwc.edu. Are you not able to ping between the VLANs either? Sorry, there's a lot going on in that config.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

RE: Interinterface traffic not allowed with same security levels

Can you give a specific instance of a traffic flow that is being blocked? I need to see if it's blocked by an ACL anywhere that was not anticipated.

I see you are doing syslog to a server - define the flow and see where it balks from the log.

Later on you will want to change this
logging trap informational
to a lower level - You look like you have a lot of traffic and that's a serious performance hit.

Also - because of your Class B and masking the middle 2 octets (usually very sound advice) it makes it hard to see how you have subnetted. Masking the first 2 would have been easier to see what's going on. For next time, post with a letter substitute so you don't give away your network but people can conceptually get an idea of what goes where, e.g.

interface GigabitEthernet0/1.1428
 description admin_inside on vlan 1428
 vlan 1428
 nameif admin_inside
 security-level 100
 ip address 143.x.A.1 255.255.255.0
!
interface GigabitEthernet0/1.1429
 description backup_inside on vlan 1429
 vlan 1429
 nameif backup_inside
 security-level 100
 ip address 143.x.B.1 255.255.255.0
!
interface GigabitEthernet0/1.1430
 description dev_inside on vlan 1430
 vlan 1430
 nameif dev_inside
 security-level 75
 ip address 143.x.C.1 255.255.255.0
!
etc.


Last bit of unwanted advice (I promise): later you will want to move some VLANs to a different port. The single gig speed will become the bottleneck on your network doing all the inter-VLAN routing. Let some of the other unused interfaces do some work and you will have a much smoother network.
 

Brent
Systems Engineer / Consultant
CCNP, CCSP

RE: Interinterface traffic not allowed with same security levels

(OP)
I'll give a for-instance. If I am on a server on VLAN 1428, and try to RDP to another server on VLAN 1433, the traffic is blocked. If I am on a server on VLAN 1433 and try to RDP to a server on 1431, the connection works just fine. All three of these VLANs are security level 100 and I have the same-security-traffic permit inter-interface command turned on. The same is true if I'm on VLAN 1433 and I try to RDP to a server on VLAN 1428: the connection works. The issue is specific to outbound traffic from VLAN 1428. There is an ACL that allows some default outbound traffic from 1428, such as http, https, ssh, and a couple of others. The traffic defined by that ACL works fine; however, everything else is being denied by the implicit deny on that specific subinterface.

RE: Interinterface traffic not allowed with same security levels

If you allow all traffic from the admin VLAN (permit ip any any as the last statement in that interface ACL) does your RDP now work?

This ACL allows everything from VLAN 1433 -
access-list proddb_inisde_access_in remark Allow IP out to other server rooms
access-list proddb_inisde_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list proddb_inisde_access_in extended permit ip any any
access-list proddb_inisde_access_in extended permit icmp any any

Your VLAN 1428 ACL does not have that statement in it. What are the hit counts on your ACEs and where are they incrementing?
 

Brent
Systems Engineer / Consultant
CCNP, CCSP

RE: Interinterface traffic not allowed with same security levels

Perhaps I'm being too simple-minded here, but you just need to make changes to your admin_inside_access_in ACL. In the example you gave, add an ACE for permit tcp 3389.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

RE: Interinterface traffic not allowed with same security levels

(OP)
You are right. I guess I might not be understanding how the same-security-traffic permit inter-interface command works. My understanding is that as long as I have the same-security-traffic permit inter-interface command active, traffic should be allowed between interfaces at the same security levels. Traffic from VLAN 1428 does not comply with that rule, nor does it allow traffic to freely flow to an interface with a lower security level such as 1430. Hey, if all I need to do is write ACEs I'm happy to do that; I just want to make sure that traffic is moving the way it should be and the way that I expect it will. Thanks for all the suggestions, guys.

Are there many people running their ASAs this way? We have to do this because of how our LAN is handled. I understand that having a Layer 3 device handling this is probably a better way to go, but unfortunately that can't be done here.

RE: Interinterface traffic not allowed with same security levels

The same-security-traffic permit inter-interface will pass traffic for interfaces with the same security levels. However, ACLs will inhibit this communication.

Sure, there are people that run like this. A better and more scalable solution would be to use each physical interface on the ASA or incorporate an L3 switch into the mix. There's no real right or wrong way. You need to make adjustments according to your traffic patterns and link usage.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

RE: Interinterface traffic not allowed with same security levels

(OP)
Ok, so what takes precedence, the implicit deny on each interface or the same-security-traffic permit inter-interface command? The same-security-traffic permit inter-interface command is technically applied first in the config.

RE: Interinterface traffic not allowed with same security levels

ACLs are pretty much the first thing checked, so your deny would take precedence.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

RE: Interinterface traffic not allowed with same security levels

For same-security in the absence of interface ACLs all traffic is allowed. As soon as you apply an ACL you have to explicitly allow everything you want or it will get caught in the implicit "deny ip any any."

It's good form to put the "deny ip any any" at the end of your ACLs for clarity and so that you can watch the counters.
 

Brent
Systems Engineer / Consultant
CCNP, CCSP
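The two points the replies above make (an interface ACL is evaluated first-match and anything not explicitly permitted falls into the implicit deny, regardless of same-security-traffic; the fix for the OP's RDP flow is an ACE in admin_inside_access_in, and an explicit trailing deny makes the drops visible in the hit counters) can be checked on a workbench without an ASA. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for a subset of ASA `access-list ... extended` syntax (`any`, `host`, network/mask and `eq PORT`; remarks and object-group references are skipped). The `admin_inside_access_in`, `proddb_inside_access_in` and `admin_inside_fixed` lists and the 10.14.x.0/24 networks are constructed stand-ins for the masked 143.x.x.0 subnets in the original post.

```python
"""First-match ACL evaluation as the thread describes it: an interface ACL
is checked before same-security-traffic matters, and anything not
explicitly permitted hits the implicit deny. Added example, not from the
thread; the 10.14.x.0/24 networks are constructed stand-ins for the
masked 143.x.x.0 subnets in the original post."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port
    text: str                     # original line, reported on a hit


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_text):
    """Build {name: [Ace, ...]} from ASA-style 'access-list NAME extended ...' lines.
    Remark lines and object-group references are outside this subset and skipped."""
    acls = {}
    for line in config_text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        name, action, proto = t[1], t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport, line))
    return acls


def evaluate(acl, proto, src_ip, dst_ip, dport=None, hits=None):
    """Return (action, matching ACE text). First match wins; falling off the
    end is the implicit deny. 'hits' collects per-ACE counters, the same idea
    as the hitcnt column of 'show access-list'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if hits is not None:
            hits[ace.text] = hits.get(ace.text, 0) + 1
        return ace.action, ace.text
    return "deny", "implicit deny ip any any"


# Constructed sample: admin_inside as posted (no catch-all), proddb_inside
# with its 'permit ip any any', and a corrected admin_inside with an ACE for
# RDP plus an explicit trailing deny so the counters show what is dropped.
SAMPLE_CONFIG = """
access-list admin_inside_access_in extended permit icmp any any
access-list admin_inside_access_in extended permit tcp 10.14.28.0 255.255.255.0 any eq 80
access-list admin_inside_access_in extended permit tcp 10.14.28.0 255.255.255.0 any eq 443
access-list admin_inside_access_in extended permit tcp 10.14.28.0 255.255.255.0 any eq 22
access-list proddb_inside_access_in extended permit ip any any
access-list admin_inside_fixed extended permit icmp any any
access-list admin_inside_fixed extended permit tcp 10.14.28.0 255.255.255.0 10.14.33.0 255.255.255.0 eq 3389
access-list admin_inside_fixed extended permit tcp 10.14.28.0 255.255.255.0 any eq 443
access-list admin_inside_fixed extended deny ip any any
"""
ACLS = parse_acls(SAMPLE_CONFIG)


def rdp_admin_to_proddb():
    """VLAN 1428 -> VLAN 1433 RDP with the posted admin ACL: implicit deny."""
    return evaluate(ACLS["admin_inside_access_in"], "tcp", "10.14.28.10", "10.14.33.10", 3389)


def rdp_proddb_to_test():
    """VLAN 1433 -> VLAN 1431 RDP: 'permit ip any any' matches first."""
    return evaluate(ACLS["proddb_inside_access_in"], "tcp", "10.14.33.10", "10.14.31.10", 3389)


def rdp_admin_to_proddb_fixed():
    """Same flow against the corrected admin ACL: the added 3389 ACE permits it."""
    return evaluate(ACLS["admin_inside_fixed"], "tcp", "10.14.28.10", "10.14.33.10", 3389)


if __name__ == "__main__":
    for f in (rdp_admin_to_proddb, rdp_proddb_to_test, rdp_admin_to_proddb_fixed):
        action, ace = f()
        print(f"{f.__name__}: {action} via '{ace}'")
```

Running it shows the asymmetry the OP saw: the same RDP flow is dropped by the admin list's implicit deny and permitted by the proddb list's `permit ip any any`, and the corrected admin list permits it on the 3389 ACE while everything else lands on the explicit `deny ip any any`, where a counter can be watched.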

RE: Interinterface traffic not allowed with same security levels

(OP)
Wanted to thank everyone for their help. We were able to get things straightened out on our ASA 5550. I have another 5550 we are going to be using as the passive failover. I plan to redistribute the VLANs across more interfaces in the near future; thanks for the tip.
