Passing traffic through an ASA

We have an ASA 5510 that's directly connected to three networks...

10.12.14.0/24, 10.15.30.0/24, and an external network. On the 10.12.14.0/24 subnet, there's also a 2811 router with a T1. Hosts in the 10.12.14.0/24 subnet have a default gateway of 10.12.14.254, which is the 2811. The 2811 has a static route to direct traffic destined for 10.15.30.0/24 to 10.12.14.253, the ASA. But hosts on 10.12.14.0/24 cannot access hosts on 10.15.30.0/24. Is there some specific ACL or something that needs to be set to allow this?

ntasa01# sh conf
: Saved
:
Written by enable_15 at 06:34:16.732 PDT Thu Aug 2 2007
!
ASA Version 7.0(6)
!
hostname ntasa01
enable password ****************** encrypted
names
name 192.168.70.0 ld_lan
name 192.168.2.0 sd_lan
name 10.12.1.0 ld_dmz
name 10.12.2.0 ld_ras_lan
name 10.3.4.0 sd_ras_lan
name 10.15.20.0 nl_dmz
name *************** ntmgw01-I
name 10.12.14.0 nt_mgmt
name 10.3.3.0 sd_dmz
name 10.15.30.0 nt_dmz
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address **************** 255.255.255.0 standby **************
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.15.30.1 255.255.255.0 standby 10.15.30.2
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.12.14.253 255.255.255.0
 management-only
!
passwd **************** encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 1:59 1 Sun Nov 3:00
access-list 200 extended permit tcp any host ntmgw01-I eq smtp
access-list DMZ extended permit ip any any log
access-list MGMT extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 *************** netmask 255.255.255.255
nat (inside) 1 nt_dmz 255.255.255.0
static (inside,outside) 10.15.30.193 *************** netmask 255.255.255.255
static (inside,outside) 10.15.30.194 *************** netmask 255.255.255.255
static (inside,outside) 10.15.30.228 ntmgw01-I netmask 255.255.255.255
access-group 200 in interface outside
access-group DMZ in interface inside
access-group MGMT in interface management
route outside 0.0.0.0 0.0.0.0 ************** 1
route management sd_lan 255.255.255.0 10.12.14.254 1
route management sd_dmz 255.255.255.0 10.12.14.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password **************** encrypted privilege 15
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.12.14.2 255.255.255.255 management
http 192.168.2.192 255.255.255.255 management
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-MD5
telnet 192.168.2.192 255.255.255.255 management
telnet 10.12.14.2 255.255.255.255 management
telnet 192.168.2.116 255.255.255.255 management
telnet timeout 15
ssh 192.168.2.116 255.255.255.255 management
ssh 192.168.2.192 255.255.255.255 management
ssh timeout 60
ssh version 2
console timeout 0
ntp server 192.168.2.2
ntp server 10.12.14.2 source management prefer
Cryptochecksum:*********************************
Reply to
John Oliver

Could this be related to the management interface?

You began by saying you have an ASA 5510 that's directly connected to three networks, 10.12.14.0/24, 10.15.30.0/24, and an external network. Can we say you need this in routed firewall mode, and if we do, will this need to be on the 10.12.14.0 network on its own interface, not on a management interface? Are there limitations on it as management? Can you ping the interfaces of your own subnet, then the one you're targeting?

LC Skype: luchito.castro

Reply to
LCastro

Very likely.

IPs on the external network are NATed to addresses on the 10.15.30.0/24 subnet, the DMZ. So I do not believe that the ASA is specifically routing anything. But I assumed that anything that was in the routing table would be handled.

Reply to
John Oliver

snip

Hi.

Don't suppose it is to do with passing traffic between same-security interfaces, is it? Have a look at this:

Allowing Communication Between Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces provides the following benefits:

To enable interfaces on the same security level so that they can communicate with each other, enter the following command:

hostname(config)# same-security-traffic permit inter-interface

Regards

Darren

Reply to
darren green

The answer is the command mentioned above: ASA(config)# same-security-traffic permit inter-interface

But to clear up the topics brought up which were not the solution:

- If routing is being conducted anywhere through the ASA then this would not be due to routing not being enabled on the ASA.
- The management interface has done everything I have ever made a normal interface do, which includes being the stateful failover port.
- If different security-levels were specified, static commands would have to permit the higher security to be accessible to the lower security. The method shown in this posting is the better example where both are at the same security level.

Reply to
Scott Perry
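An added check, not from any poster in this thread: a short Python script that parses the interface stanzas of an ASA configuration and lists the pairs of named interfaces that share a security level and so will not pass traffic between them until `same-security-traffic permit inter-interface` is present. The embedded config is a constructed excerpt modelled on the one posted above (inside and management both at security-level 100, outside at 0), with the masked public addresses replaced by the 192.0.2.0/24 documentation range; the function names are my own.

```python
"""Find ASA interfaces that share a security level and would need
`same-security-traffic permit inter-interface` before traffic can pass
between them (added example, not code from the thread)."""
import re
from itertools import combinations

# Constructed excerpt modelled on the interface stanzas posted in the
# thread; public addresses replaced with a documentation range.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.15.30.1 255.255.255.0 standby 10.15.30.2
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.12.14.253 255.255.255.0
 management-only
!
access-group DMZ in interface inside
access-group MGMT in interface management
"""

PERMIT_CMD = "same-security-traffic permit inter-interface"


def parse_interfaces(config):
    """Return {nameif: security-level} for every interface stanza that has
    both a nameif and a numeric security-level; shut interfaces with
    'no nameif' / 'no security-level' are skipped."""
    interfaces = {}
    nameif = level = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            # A new stanza starts: record the previous one if it was complete.
            if nameif is not None and level is not None:
                interfaces[nameif] = level
            nameif = level = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif re.fullmatch(r"security-level \d+", line):
            level = int(line.split()[1])
    if nameif is not None and level is not None:
        interfaces[nameif] = level
    return interfaces


def permits_inter_interface(config):
    """True if the global permit command is present in the configuration."""
    return any(raw.strip() == PERMIT_CMD for raw in config.splitlines())


def blocked_same_level_pairs(config):
    """Sorted pairs of named interfaces at an equal security level that
    cannot exchange traffic because the permit command is absent."""
    if permits_inter_interface(config):
        return []
    levels = parse_interfaces(config)
    return [
        (a, b)
        for a, b in combinations(sorted(levels), 2)
        if levels[a] == levels[b]
    ]


def report(config):
    """Human-readable summary, one line per blocked pair."""
    pairs = blocked_same_level_pairs(config)
    if not pairs:
        return "no same-security-level interface pairs are blocked"
    lines = [f"{a} <-> {b}: same security-level, traffic blocked" for a, b in pairs]
    lines.append(f"fix: add '{PERMIT_CMD}' to the configuration")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))          # inside <-> management flagged
    print("---")
    print(report(SAMPLE_CONFIG + PERMIT_CMD + "\n"))   # nothing flagged
```

Run against the constructed excerpt it flags the inside/management pair; append the permit command and the same check comes back clean. The script only covers the same-security-level case discussed in this thread: the interface ACLs (here DMZ and MGMT, both `permit ip any any`) and any NAT or static entries still apply to that traffic, and the `management-only` keyword carried over from the posted config is not evaluated here, so it should be reviewed separately.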
