Good morning. I'm not new to Cisco, but am new to working with ASA devices. The 5505 we purchased is not responding to my configurations the way I expect. I've read that I may not be able to do what I would like to do, but according to Cisco's documents, I should.
I have two networks, inside and wireless, on separate VLANs, both at security-level 100 (which, per Cisco's documentation, permits traffic between same-security interfaces once `same-security-traffic permit inter-interface` is set — and it is set in the config below). When I try to pass traffic between the two networks it fails, and the log says the ASA could not find a NAT/translation rule for the traffic, which suggests NAT rather than the security levels is what is blocking it. What am I missing? Can I put different parts of my network on separate VLANs on different ASA 5505 ports and have them talk to each other this way? My config is below. Thanks.
----------------
Result of the command: "show run"
: Saved
:
ASA Version 8.0(2)
!
hostname ASA5505
domain-name vpn.domainname.com
enable password ******************* encrypted
names
name 192.168.238.136 datapoint
name 192.168.238.137 Comms_Brian
name 192.168.238.88 brians_laptop
name 192.168.238.222 Andy
name 192.168.238.221 Centralwing
name 192.168.238.55 Dan_test
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.238.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 208.101.186.226 255.255.255.252
!
interface Vlan5
nameif dmz
security-level 50
ip address 10.1.1.1 255.255.255.0
!
interface Vlan15
nameif wireless
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 15
interface Ethernet0/7
switchport access vlan 5
!
passwd ************** encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name vpn.domainname.com
dns server-group InternalDNS
name-server 192.168.238.244
domain-name adomain.local
! Same-security inter-interface traffic (inside <-> wireless, both level 100) is already allowed
! at the security-level check by this line; the inside -> wireless failure is a NAT problem
! (see the global/nat section), not this setting.
same-security-traffic permit inter-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object icmp echo-reply
service-object tcp-udp eq www
object-group network VPN-Address-Range
description This is a list of the VPN address which run from 192.168.50.1 to 192.168.50.25
network-object 192.168.50.0 255.255.255.224
object-group service Routed_To_Datapoint
service-object tcp-udp eq www
object-group service Brian_Test tcp-udp
port-object eq 7000
object-group service Centralwing10000 tcp-udp
port-object eq 10000
object-group service Dan_Test1000 tcp-udp
port-object eq 11000
object-group service Andy10001 tcp-udp
port-object eq 10001
object-group service Andy10002 tcp-udp
port-object eq 10002
! inside_access_out / outside_access_out are bound in the OUT direction below and permit everything;
! they restrict nothing.
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any inactive
! NOTE(review): this entry admits packets arriving on the OUTSIDE interface whose source is already
! an inside address (192.168.238.0/24). Decrypted VPN traffic does not need it -- "sysopt connection
! permit-vpn" is the default and "no sysopt connection permit-vpn" does not appear in this output --
! so in practice the entry mainly serves spoofed packets. Remove it, and consider
! "ip verify reverse-path interface outside" (not present here), unless something not shown depends on it.
access-list outside_access_in extended permit ip 192.168.238.0 255.255.255.0 192.168.238.0 255.255.255.0
access-list outside_access_in extended permit object-group TCPUDP any any eq 7000 inactive
! Published services: TCPUDP (tcp+udp) to the port groups, from ANY source. The matching static
! translations below are TCP-only, so the UDP half of each entry matches nothing.
access-list outside_access_in extended permit object-group TCPUDP any any object-group Centralwing10000
access-list outside_access_in extended permit icmp any 208.101.186.224 255.255.255.252 echo-reply
access-list outside_access_in extended permit object-group TCPUDP any any object-group Dan_Test1000
access-list outside_access_in extended permit object-group TCPUDP any any object-group Andy10001
access-list outside_access_in extended permit object-group TCPUDP any any object-group Andy10002
! NAT exemption covers inside -> inside only. There is no entry for inside -> wireless
! (192.168.100.0/24, interface Vlan15), so inside -> wireless traffic falls through to the catch-all
! "nat (inside) 101" rule, which has no global on the wireless interface. Add:
!   access-list inside_nat0_outbound extended permit ip 192.168.238.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.238.0 255.255.255.0 192.168.238.0 255.255.255.0
! Split-tunnel list: only 192.168.238.0/24 is sent through the VPN; the wireless subnet is not included.
access-list Internal standard permit 192.168.238.0 255.255.255.0
pager lines 24
! NOTE(review): "logging trap informational" selects the syslog severity, but no "logging host"
! (and no "logging buffered") appears in this output, so messages are only visible live in ASDM.
! Add a syslog collector so drops like the NAT failure being investigated are retained.
logging enable
logging trap informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_Address_Pool 192.168.50.1-192.168.50.25 mask 255.255.255.0
! NOTE(review): the "internal" pool is carved out of the inside subnet (192.168.238.0/24 on Vlan1)
! with a /27 mask that does not match the interface's /24. Clients in it reach inside hosts only via
! proxy ARP, and the inside -> inside NAT exemption is presumably there to make that work. Prefer a
! dedicated subnet, as VPN_Address_Pool already does.
ip local pool internal 192.168.238.20-192.168.238.30 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
! --- NAT ---
! The only PAT pool is on outside. "nat (inside) 101 0.0.0.0 0.0.0.0" matches inside traffic
! toward EVERY other interface (outside, dmz, wireless), but only outside has a matching global,
! so inside -> wireless connections are dropped for lack of a translation -- the NAT error seen
! in the logs. The security-level check is already satisfied by "same-security-traffic permit
! inter-interface"; NAT is what blocks it. Fix by exempting inside <-> wireless from translation:
!   access-list inside_nat0_outbound extended permit ip 192.168.238.0 255.255.255.0 192.168.100.0 255.255.255.0
!   access-list wireless_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.238.0 255.255.255.0
!   nat (wireless) 0 access-list wireless_nat0_outbound
! Note also that there is no nat (wireless) or nat (dmz) statement at all, so those networks are
! never PATed toward outside; add "nat (wireless) 101 0.0.0.0 0.0.0.0" (and the dmz equivalent)
! if they need Internet access through the outside global.
global (outside) 101 interface
! NAT exemption for inside -> inside only (covers the "internal" VPN pool that lives in the inside subnet).
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
! Static PAT publishes four inside hosts on the outside interface IP (TCP only); the outside_access_in
! entries above open them from any source. NOTE(review): the ports named Andy10001/Andy10002 forward
! to 192.168.238.132 and 192.168.238.3, not to the host named Andy (192.168.238.222) -- confirm intended.
static (inside,outside) tcp interface 10000 Centralwing 10000 netmask 255.255.255.255
static (inside,outside) tcp interface 11000 Dan_test 11000 netmask 255.255.255.255
static (inside,outside) tcp interface 10001 192.168.238.132 10001 netmask 255.255.255.255
static (inside,outside) tcp interface 10002 192.168.238.3 10002 netmask 255.255.255.255
! inside_access_out / outside_access_out are "permit ip any any"; only outside_access_in filters anything.
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
! NOTE(review): the next hop 208.101.186.226 is this ASA's own outside address (interface Vlan2).
! The upstream gateway is normally the other usable address in the /30 (208.101.186.225) -- confirm.
route outside 0.0.0.0 0.0.0.0 208.101.186.226 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! NOTE(review): the tunnel-groups below reference authentication-server-group "server2", but the only
! host entry is filed under "domain2" -- as listed, server2 has no servers. Groups configured
! "server2 LOCAL" (DefaultWEBVPNGroup, SSL_VPN) will therefore end up authenticating against the local
! user database, and groups configured with "server2" alone (DefaultRAGroup, Temp_machine) have no
! working authentication source. Confirm which group name was intended and put the host under it.
aaa-server server2 protocol nt
aaa-server domain2 host 192.168.238.244
timeout 5
nt-auth-domain-controller domain
http server enable
http 192.168.238.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Self-signed certificate presented by the outside WebVPN/AnyConnect portal
! ("ssl trust-point ASDM_TrustPoint0 outside" below).
! NOTE(review): ip-address 12.151.22.226 is not the outside interface address (208.101.186.226), so the
! certificate's IP field will not match what clients connect to. The DER blob that follows appears to be
! a 1024-bit RSA key with an MD5-based signature (OID 1.2.840.113549.1.1.4); re-enroll with a 2048-bit
! key and a SHA-family signature when practical. Also: the blob embeds the subject name and IP as issued,
! so if the hostname was redacted for posting, the certificate chain still carries the original --
! redact or omit it.
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn vpn.domainname.com
email email@domainname.com
subject-name CN=vpn.domainname.com
ip-address 12.151.22.226
keypair vpn.domainname.com
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
30820224 3082018d a0030201 02020131 300d0609 2a864886 f70d0101 04050030
58311930 17060355 04031310 646d7a2e 61766169 6c746563 2e636f6d 313b301a
06092a86 4886f70d 01090813 0d31322e 3135312e 32322e32 3236301d 06092a86
4886f70d 01090216 10646d7a 2e617661 696c7465 632e636f 6d301e17 0d303730
39313831 33343930 325a170d 31373039 31353133 34393032 5a305831 19301706
03550403 1310646d 7a2e6176 61696c74 65632e63 6f6d313b 301a0609 2a864886
f70d0109 08130d31 322e3135 312e3232 2e323236 301d0609 2a864886 f70d0109
02161064 6d7a2e61 7661696c 7465632e 636f6d30 819f300d 06092a86 4886f70d
01010105 0003818d 00308189 02818100 bffaf03f 678d52d1 cfffff1a f7bbf12e
a33d848c 5fb3fbd0 10c55f17 7e4c19b8 17466466 e36494e9 6297bef5 3b8afc09
e02b2593 99bde0e9 0f349cfd 8c69a601 2ba4d72a 8cfced1e 1d936a18 59926710
f7a4b5d2 53637339 d1d2cc58 c569dd60 7bf85bd8 5d6726b3 5c0eda60 f71c7c1f
3998d093 a3613f25 aac47e42 0de8d923 02030100 01300d06 092a8648 86f70d01
01040500 03818100 9201e374 bf4f3de7 710b392a c349d710 ca254795 115d80f8
7456bb43 26c17e58 67e858e4 d0dad4d3 8ee8e8e7 192d83d9 942085fd 99e1c798
f0b91df8 d993842f ae4db94e 6bbf6f42 46c4f58e e01127b7 b739c217 c9b23a7e
4c2caa30 92f4a28d f6ba23b3 6e6e6e06 24176474 8fdaf1a9 c51e8c76 103f7a8c
0407e9e9 623d7e9b
quit
! NOTE(review): IPsec/L2TP are listed in the group-policy vpn-tunnel-protocol lines, but no isakmp
! policy, crypto map or "crypto isakmp enable outside" appears in this output, so only the
! SSL/AnyConnect side is actually reachable. If IPsec is enabled later, leaving NAT-T disabled here
! will break clients that sit behind NAT.
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
ntp server 192.43.244.18 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
character-encoding windows-1252
file-encoding 192.168.238.244 big5
svc image disk0:/anyconnect-win-2.2.0136-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.2.0136-k9.pkg 4
svc image disk0:/anyconnect-macosx-powerpc-2.2.0136-k9.pkg 5
svc enable
tunnel-group-list enable
group-policy Temp_usage internal
group-policy Temp_usage attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc keep-installer none
group-policy DfltGrpPolicy attributes
wins-server value 192.168.238.244
dns-server value 192.168.238.244
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Internal
webvpn
svc ask none default webvpn
username mnaylor password ********* encrypted privilege 15
username ValleyTech password ************* encrypted
username ValleyTech attributes
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool internal
authentication-server-group server2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool internal
authentication-server-group server2 LOCAL
authentication-server-group (inside) server2 LOCAL
authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 192.168.238.244 master timeout 2 retry 2
group-alias Domain disable
group-alias Employee enable
group-alias Default disable
group-alias Employee disable
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
address-pool VPN_Address_Pool
authentication-server-group server2 LOCAL
tunnel-group SSL_VPN webvpn-attributes
nbns-server 192.168.238.244 master timeout 2 retry 2
tunnel-group Temp_machine type remote-access
tunnel-group Temp_machine general-attributes
address-pool internal
authentication-server-group server2
default-group-policy Temp_usage
tunnel-group Temp_machine webvpn-attributes
group-alias Temp_usage disable
group-alias Temporary_User enable
! NOTE(review): no authentication-server-group is set for this group, so it falls back to the default
! (the LOCAL user database), and the "Temporary_Contractor" alias is enabled in the portal drop-down
! ("tunnel-group-list enable" with WebVPN enabled on outside). It also hands out addresses from the
! "internal" pool inside the LAN subnet. Confirm this is the intended authentication source for contractors.
tunnel-group "Contractor Access" type remote-access
tunnel-group "Contractor Access" general-attributes
address-pool internal
tunnel-group "Contractor Access" webvpn-attributes
group-alias Contractor disable
group-alias Temp_Contractor disable
group-alias Temporary_Contractor enable
prompt hostname context
Cryptochecksum:07464156f8f1325618f5ea6ddc0e7d34
: end
I have two networks... inside and wireless... They are on separate VLANs and the security level is set to 100 on both (which, according to Cisco, should allow traffic between same-security levels). When I attempt to pass traffic between both networks, it fails. The logs read that it could not find a NAT rule to pass the traffic. What am I missing here? Can I have VLANs for different parts of my network, plugged into different ASA 5505 interfaces and have them communicate in such a way? Attached is my config file. Thanks.
----------------
Result of the command: "show run"
: Saved
:
ASA Version 8.0(2)
!
hostname ASA5505
domain-name vpn.domainname.com
enable password ******************* encrypted
names
name 192.168.238.136 datapoint
name 192.168.238.137 Comms_Brian
name 192.168.238.88 brians_laptop
name 192.168.238.222 Andy
name 192.168.238.221 Centralwing
name 192.168.238.55 Dan_test
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.238.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 208.101.186.226 255.255.255.252
!
interface Vlan5
nameif dmz
security-level 50
ip address 10.1.1.1 255.255.255.0
!
interface Vlan15
nameif wireless
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 15
interface Ethernet0/7
switchport access vlan 5
!
passwd ************** encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name vpn.domainname.com
dns server-group InternalDNS
name-server 192.168.238.244
domain-name adomain.local
same-security-traffic permit inter-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object icmp echo-reply
service-object tcp-udp eq www
object-group network VPN-Address-Range
description This is a list of the VPN address which run from 192.168.50.1 to 192.168.50.25
network-object 192.168.50.0 255.255.255.224
object-group service Routed_To_Datapoint
service-object tcp-udp eq www
object-group service Brian_Test tcp-udp
port-object eq 7000
object-group service Centralwing10000 tcp-udp
port-object eq 10000
object-group service Dan_Test1000 tcp-udp
port-object eq 11000
object-group service Andy10001 tcp-udp
port-object eq 10001
object-group service Andy10002 tcp-udp
port-object eq 10002
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any inactive
access-list outside_access_in extended permit ip 192.168.238.0 255.255.255.0 192.168.238.0 255.255.255.0
access-list outside_access_in extended permit object-group TCPUDP any any eq 7000 inactive
access-list outside_access_in extended permit object-group TCPUDP any any object-group Centralwing10000
access-list outside_access_in extended permit icmp any 208.101.186.224 255.255.255.252 echo-reply
access-list outside_access_in extended permit object-group TCPUDP any any object-group Dan_Test1000
access-list outside_access_in extended permit object-group TCPUDP any any object-group Andy10001
access-list outside_access_in extended permit object-group TCPUDP any any object-group Andy10002
access-list inside_nat0_outbound extended permit ip 192.168.238.0 255.255.255.0 192.168.238.0 255.255.255.0
access-list Internal standard permit 192.168.238.0 255.255.255.0
pager lines 24
logging enable
logging trap informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_Address_Pool 192.168.50.1-192.168.50.25 mask 255.255.255.0
ip local pool internal 192.168.238.20-192.168.238.30 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 10000 Centralwing 10000 netmask 255.255.255.255
static (inside,outside) tcp interface 11000 Dan_test 11000 netmask 255.255.255.255
static (inside,outside) tcp interface 10001 192.168.238.132 10001 netmask 255.255.255.255
static (inside,outside) tcp interface 10002 192.168.238.3 10002 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 208.101.186.226 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server server2 protocol nt
aaa-server domain2 host 192.168.238.244
timeout 5
nt-auth-domain-controller domain
http server enable
http 192.168.238.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn vpn.domainname.com
email email@domainname.com
subject-name CN=vpn.domainname.com
ip-address 12.151.22.226
keypair vpn.domainname.com
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
30820224 3082018d a0030201 02020131 300d0609 2a864886 f70d0101 04050030
58311930 17060355 04031310 646d7a2e 61766169 6c746563 2e636f6d 313b301a
06092a86 4886f70d 01090813 0d31322e 3135312e 32322e32 3236301d 06092a86
4886f70d 01090216 10646d7a 2e617661 696c7465 632e636f 6d301e17 0d303730
39313831 33343930 325a170d 31373039 31353133 34393032 5a305831 19301706
03550403 1310646d 7a2e6176 61696c74 65632e63 6f6d313b 301a0609 2a864886
f70d0109 08130d31 322e3135 312e3232 2e323236 301d0609 2a864886 f70d0109
02161064 6d7a2e61 7661696c 7465632e 636f6d30 819f300d 06092a86 4886f70d
01010105 0003818d 00308189 02818100 bffaf03f 678d52d1 cfffff1a f7bbf12e
a33d848c 5fb3fbd0 10c55f17 7e4c19b8 17466466 e36494e9 6297bef5 3b8afc09
e02b2593 99bde0e9 0f349cfd 8c69a601 2ba4d72a 8cfced1e 1d936a18 59926710
f7a4b5d2 53637339 d1d2cc58 c569dd60 7bf85bd8 5d6726b3 5c0eda60 f71c7c1f
3998d093 a3613f25 aac47e42 0de8d923 02030100 01300d06 092a8648 86f70d01
01040500 03818100 9201e374 bf4f3de7 710b392a c349d710 ca254795 115d80f8
7456bb43 26c17e58 67e858e4 d0dad4d3 8ee8e8e7 192d83d9 942085fd 99e1c798
f0b91df8 d993842f ae4db94e 6bbf6f42 46c4f58e e01127b7 b739c217 c9b23a7e
4c2caa30 92f4a28d f6ba23b3 6e6e6e06 24176474 8fdaf1a9 c51e8c76 103f7a8c
0407e9e9 623d7e9b
quit
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
ntp server 192.43.244.18 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
character-encoding windows-1252
file-encoding 192.168.238.244 big5
svc image disk0:/anyconnect-win-2.2.0136-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.2.0136-k9.pkg 4
svc image disk0:/anyconnect-macosx-powerpc-2.2.0136-k9.pkg 5
svc enable
tunnel-group-list enable
group-policy Temp_usage internal
group-policy Temp_usage attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc keep-installer none
group-policy DfltGrpPolicy attributes
wins-server value 192.168.238.244
dns-server value 192.168.238.244
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Internal
webvpn
svc ask none default webvpn
username mnaylor password ********* encrypted privilege 15
username ValleyTech password ************* encrypted
username ValleyTech attributes
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool internal
authentication-server-group server2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool internal
authentication-server-group server2 LOCAL
authentication-server-group (inside) server2 LOCAL
authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 192.168.238.244 master timeout 2 retry 2
group-alias Domain disable
group-alias Employee enable
group-alias Default disable
group-alias Employee disable
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
address-pool VPN_Address_Pool
authentication-server-group server2 LOCAL
tunnel-group SSL_VPN webvpn-attributes
nbns-server 192.168.238.244 master timeout 2 retry 2
tunnel-group Temp_machine type remote-access
tunnel-group Temp_machine general-attributes
address-pool internal
authentication-server-group server2
default-group-policy Temp_usage
tunnel-group Temp_machine webvpn-attributes
group-alias Temp_usage disable
group-alias Temporary_User enable
tunnel-group "Contractor Access" type remote-access
tunnel-group "Contractor Access" general-attributes
address-pool internal
tunnel-group "Contractor Access" webvpn-attributes
group-alias Contractor disable
group-alias Temp_Contractor disable
group-alias Temporary_Contractor enable
prompt hostname context
Cryptochecksum:07464156f8f1325618f5ea6ddc0e7d34
: end