Hello,
I have been trying to figure out an issue with a Cisco ASA 5515 on our isolated system. The topology is fairly simple in this network. We create a standalone network that does not connect to anything but similar systems through the Interop1, Interop2 and Handoff ports. In the topology, we have a FW at the boundary, which has the sole purpose of facilitating communication when we connect one system (FW, switch, and hosts) to another (because they all have the same internal private IP scheme, and we need the FW to NAT those IPs so that they can transfer information). That FW is connected to a switch, and then the L3 switch takes care of the rest of the L2 and L3 traffic (along with a vSwitch in a virtual portion of the topology that is unaffected). The issue that I am having is that if I were to connect a laptop to my outside interface and configure it with an IP in that network, for some reason I can only ping into the 192.168.7.x network (the x.x.7.x being the NATed version of those IPs). But when I try to ping any of the other VLANs (10.0.7.x for example), I am unable to get a response. I am going to sanitize (at least as much as it matters; this is a private IP space used on a totally isolated system) and post our config file to give everyone a much better idea of what is going on than I currently have configured. I have tested a few different things that have not worked, like same-security-traffic permit inter- (and intra-) interface.
I have found some limited success when pinging each individual VLAN when changing the default route in the switch from "0.0.0.0 0.0.0.0 192.168.109.3" to any variation of "0.0.0.0 0.0.0.0 10.X.0.3", but I can only ping the identified network from my "outside" laptop on Interop1, Interop2 or Handoff. If I try to create specific static routes for each network, they all stop working.
Any advice, education, or direction is welcome and appreciated.
hostname asa5515r
enable password $
fips enable
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
no mac-address auto
!
interface GigabitEthernet0/0
no shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.100
description subinterface for vlan 100
vlan 100
nameif inside100
security-level 100
ip address 10.0.0.3 255.255.255.128
multicast boundary TN1XXXX
!
interface GigabitEthernet0/0.110
description subinterface for vlan 110
vlan 110
nameif inside110
security-level 100
ip address 10.50.0.3 255.255.255.128
multicast boundary TN1XXXX
!
interface GigabitEthernet0/0.200
description subinterface for vlan 200
vlan 200
nameif inside200
security-level 100
ip address 10.10.0.3 255.255.255.128
multicast boundary TN1XXXX
!
interface GigabitEthernet0/0.210
description subinterface for vlan 210
vlan 210
nameif inside210
security-level 100
ip address 10.60.0.3 255.255.255.128
multicast boundary TN1XXXX
!
interface GigabitEthernet0/0.700
description subinterface for vlan 700
vlan 700
nameif inside700
security-level 100
ip address 10.80.0.3 255.255.255.224
!
interface GigabitEthernet0/0.960
description subinterface for vlan 960
vlan 960
nameif inside960
security-level 100
ip address 192.168.109.3 255.255.255.0
!
interface GigabitEthernet0/0.963
description subinterface for vlan 963
vlan 963
nameif inside963
security-level 100
ip address 192.168.108.3 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/3
no shutdown
description outside interface for interop1
nameif Interop1
security-level 0
ip address 192.168.100.7 255.255.255.0
!
interface GigabitEthernet0/4
no shutdown
description outside interface for interop2
nameif Interop2
security-level 0
ip address 192.168.150.7 255.255.255.0
!
interface GigabitEthernet0/5
no shutdown
description outside interface for inner communication for system
nameif Handoff
security-level 0
ip address 192.168.250.7 255.255.255.0
!
interface Management0/0
management-only
shutdown
no nameif
security-level 0
no ip address
!
banner login words words words
boot system disk0:/asa9-12-3-12-smp-k8.bin
no ftp mode passive
!------------------------------------------------------------------------------
! Description - NATing for Interop1
!
object network inside100-mapped-Interop1
subnet 10.0.7.0 255.255.255.128
object network inside100-real-Interop1
subnet 10.0.0.0 255.255.255.128
nat (inside100,Interop1) static inside100-mapped-Interop1
object network inside110-mapped-Interop1
subnet 10.50.7.0 255.255.255.128
object network inside110-real-Interop1
subnet 10.50.0.0 255.255.255.128
nat (inside110,Interop1) static inside110-mapped-Interop1
object network inside200-mapped-Interop1
subnet 10.10.7.0 255.255.255.128
object network inside200-real-Interop1
subnet 10.10.0.0 255.255.255.128
nat (inside200,Interop1) static inside200-mapped-Interop1
object network inside210-mapped-Interop1
subnet 10.60.7.0 255.255.255.128
object network inside210-real-Interop1
subnet 10.60.0.0 255.255.255.128
nat (inside210,Interop1) static inside210-mapped-Interop1
object network inside700-mapped-Interop1
subnet 10.80.7.0 255.255.255.192
object network inside700-real-Interop1
subnet 10.80.0.0 255.255.255.192
nat (inside700,Interop1) static inside700-mapped-Interop1
object network inside960-mapped-Interop1
subnet 192.168.7.0 255.255.255.0
object network inside960-real-Interop1
subnet 192.168.109.0 255.255.255.0
nat (inside960,Interop1) static inside960-mapped-Interop1
!------------------------------------------------------------------------------
! Description - NATing for Interop2
!
object network inside100-mapped-Interop2
subnet 10.0.7.0 255.255.255.128
object network inside100-real-Interop2
subnet 10.0.0.0 255.255.255.128
nat (inside100,Interop2) static inside100-mapped-Interop2
object network inside110-mapped-Interop2
subnet 10.50.7.0 255.255.255.128
object network inside110-real-Interop2
subnet 10.50.0.0 255.255.255.128
nat (inside110,Interop2) static inside110-mapped-Interop2
object network inside200-mapped-Interop2
subnet 10.10.7.0 255.255.255.128
object network inside200-real-Interop2
subnet 10.10.0.0 255.255.255.128
nat (inside200,Interop2) static inside200-mapped-Interop2
object network inside210-mapped-Interop2
subnet 10.60.7.0 255.255.255.128
object network inside210-real-Interop2
subnet 10.60.0.0 255.255.255.128
nat (inside210,Interop2) static inside210-mapped-Interop2
object network inside700-mapped-Interop2
subnet 10.80.7.0 255.255.255.192
object network inside700-real-Interop2
subnet 10.80.0.0 255.255.255.192
nat (inside700,Interop2) static inside700-mapped-Interop2
object network inside960-mapped-Interop2
subnet 192.168.7.0 255.255.255.0
object network inside960-real-Interop2
subnet 192.168.109.0 255.255.255.0
nat (inside960,Interop2) static inside960-mapped-Interop2
!------------------------------------------------------------------------------
! Description - NATing for Handoff
!
object network inside100-mapped-Handoff
subnet 10.0.7.0 255.255.255.128
object network inside100-real-Handoff
subnet 10.0.0.0 255.255.255.128
nat (inside100,Handoff) static inside100-mapped-Handoff
object network inside110-mapped-Handoff
subnet 10.50.7.0 255.255.255.128
object network inside110-real-Handoff
subnet 10.50.0.0 255.255.255.128
nat (inside110,Handoff) static inside110-mapped-Handoff
object network inside200-mapped-Handoff
subnet 10.10.7.0 255.255.255.128
object network inside200-real-Handoff
subnet 10.10.0.0 255.255.255.128
nat (inside200,Handoff) static inside200-mapped-Handoff
object network inside210-mapped-Handoff
subnet 10.60.7.0 255.255.255.128
object network inside210-real-Handoff
subnet 10.60.0.0 255.255.255.128
nat (inside210,Handoff) static inside210-mapped-Handoff
object network inside700-mapped-Handoff
subnet 10.80.7.0 255.255.255.192
object network inside700-real-Handoff
subnet 10.80.0.0 255.255.255.192
nat (inside700,Handoff) static inside700-mapped-Handoff
object network inside960-mapped-Handoff
subnet 192.168.7.0 255.255.255.0
object network inside960-real-Handoff
subnet 192.168.109.0 255.255.255.0
nat (inside960,Handoff) static inside960-mapped-Handoff
!
access-list TN1XXXX standard permit host 234.0.117.1
access-list TN1XXXX standard permit host 234.0.117.3
access-list TN1XXXX standard permit host 234.0.118.1
access-list TN1XXXX standard permit host 234.0.118.3
access-list TN1XXXX standard permit host 234.0.119.1
access-list TN1XXXX standard permit host 234.0.119.3
access-list TN1XXXX standard deny any4
access-list Interop1-In extended permit ip any any
access-list Interop2-In extended permit ip any any
access-list Handoff2inside extended permit ip any any
pager lines 46
logging enable
logging timestamp
logging buffer-size 16384
logging buffered warnings
logging trap notifications
logging host inside960 192.168.109.24 6/20514
mtu inside100 1500
mtu inside110 1500
mtu inside200 1500
mtu inside210 1500
mtu inside700 1500
mtu inside960 1500
mtu inside963 1500
mtu Interop1 1500
mtu Interop2 1500
mtu Handoff 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7131-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
access-group Interop1-In in interface Interop1
access-group Interop2-In in interface Interop2
access-group Handoff2inside in interface Handoff
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh cipher encryption fips
ssh key-exchange group dh-group14-sha1
console timeout 10
vpn load-balancing
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.109.24
username SYSTEM911 password $sha512###
username SYSTEMadmin password $sha512###
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rtsp
inspect rsh
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect sip
inspect xdmcp
inspect icmp
!
prompt hostname context
no call-home reporting anonymous
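The symptom in the post (only the 192.168.7.x mapping answers, and each 10.x VLAN answers only when the switch's default route points at that VLAN's ASA address) is what an asymmetric return path through a multi-subinterface ASA looks like. The script below is an added model, not the poster's config or anything from Cisco: it assumes the inside hosts use the L3 switch as their default gateway, that the switch sends every reply for an outside address via its single default route, and that the ASA drops a reply arriving on a subinterface other than the one its connection was built on. It reads the connected subnets and the Interop1 static NAT rules from the posted config and reports, for a given ping target and switch default gateway, which subinterface the ASA egresses on and which one the reply comes back on.

```python
import ipaddress

# Constructed from the posted config: the ASA's connected subnet on each nameif.
CONNECTED = {
    "inside100": "10.0.0.0/25", "inside110": "10.50.0.0/25",
    "inside200": "10.10.0.0/25", "inside210": "10.60.0.0/25",
    "inside700": "10.80.0.0/27", "inside960": "192.168.109.0/24",
    "Interop1": "192.168.100.0/24", "Interop2": "192.168.150.0/24",
    "Handoff": "192.168.250.0/24",
}
# Static object NAT rules on the Interop1 side: (real nameif, real net, mapped net).
STATIC_NAT_INTEROP1 = [
    ("inside100", "10.0.0.0/25", "10.0.7.0/25"),
    ("inside110", "10.50.0.0/25", "10.50.7.0/25"),
    ("inside200", "10.10.0.0/25", "10.10.7.0/25"),
    ("inside210", "10.60.0.0/25", "10.60.7.0/25"),
    ("inside700", "10.80.0.0/26", "10.80.7.0/26"),
    ("inside960", "192.168.109.0/24", "192.168.7.0/24"),
]

def connected_iface(addr):
    """Return the nameif whose connected subnet contains addr (None if no such subnet)."""
    ip = ipaddress.ip_address(addr)
    for name, net in CONNECTED.items():
        if ip in ipaddress.ip_network(net):
            return name
    return None

def untranslate(mapped_dst):
    """Inbound static NAT: mapped -> real, keeping the host offset inside the subnet."""
    ip = ipaddress.ip_address(mapped_dst)
    for iface, real, mapped in STATIC_NAT_INTEROP1:
        mapped_net = ipaddress.ip_network(mapped)
        if ip in mapped_net:
            offset = int(ip) - int(mapped_net.network_address)
            return iface, str(ipaddress.ip_network(real).network_address + offset)
    return None, None

def trace_ping(mapped_dst, switch_default_gw):
    """Laptop on Interop1 pings mapped_dst; the target host's gateway is the L3 switch
    (assumption), which forwards the reply to the outside address via its default route."""
    egress, real_dst = untranslate(mapped_dst)
    if egress is None:
        return {"real_dst": None, "egress": None, "reply_ingress": None,
                "result": f"no static NAT matches {mapped_dst}"}
    reply_ingress = connected_iface(switch_default_gw)  # ASA subinterface that gets the reply
    ok = reply_ingress == egress  # a stateful ASA accepts the reply only on the conn's interface
    return {"real_dst": real_dst, "egress": egress, "reply_ingress": reply_ingress,
            "result": "reply matches connection" if ok else "asymmetric: reply dropped"}
```

On the real box, `show asp drop` and a `packet-tracer` of the echo reply entering inside960 would confirm or refute this before any routing is changed.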