
Cisco ASA 5505 SecPlus as internet gateway for multiple VLANs

Status
Not open for further replies.

evob
Apr 16, 2008
Hi,

I'm trying to use my Cisco ASA 5505 as internet gateway for my internal VLAN1 192.168.200.x and VLAN3 192.168.0.x.

I'm trying to route the VLANs to the internet with the following static route:
route outside 0.0.0.0 0.0.0.0 195.190.249.17 1

It only works for my 192.168.200.x network; the other 192.168.0.x network does not reach the internet.
VLAN1 (192.168.200.x) and VLAN3 (192.168.0.x) can reach each other, which is good.

--
Overview:

ADSL router
|
VLAN2 194.109.123.132 (outside)
Cisco ASA 5505, ASA Version 7.2(3), SecPlus bundle
|
VLAN1 192.168.200.x (inside)
VLAN3 192.168.0.x (inside2)


On the ASA I have the following VLANs:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.254 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address 194.109.123.132 255.255.255.0

interface Vlan3
 nameif inside2
 security-level 100
 ip address 192.168.0.254 255.255.255.0


How can I get 192.168.0.x on the internet, anyone?

Thanks,

evo
 
Hi Matt,

thanks for the reply!
I think you're right about NAT.

I hope you can help me out with setting up NAT correctly.

thanks,

evo

--
Here's the config (with fake IPs):

Code:
ASA Version 7.2(3)
!
hostname cASA
domain-name my.domain
enable password ViyVUYVOvf67FI encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 194.109.123.132 255.255.255.0
!
interface Vlan3
 nameif inside2
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd VUsDgIfi78KYUukm encrypted
no ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name my.domain
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq https
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.140.150.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.200.200.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 10.140.150.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inside2 1500
ip local pool clientpool1 10.200.200.1-10.200.200.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.200.4 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 195.190.238.14 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 194.12.34.56
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.200.101-192.168.200.199 inside
dhcpd dns 192.168.200.21 interface inside
dhcpd domain my.domain interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy asa_global_fw_policy global
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.200.21
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
 default-domain value my.domain
username usert password FGdHGHkjhfh encrypted privilege 0
username usert attributes
 vpn-group-policy vpn
username manage password gfHEhffsf encrypted privilege 15
tunnel-group 194.12.34.56 type ipsec-l2l
tunnel-group 194.12.34.56 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
 address-pool clientpool1
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *
prompt hostname context
 
NAT statements are interface-specific, and it appears that you only have a nat statement configured for your "inside" network. You don't have one for your "inside2" network.

You have:
Code:
nat (inside) 1 0.0.0.0 0.0.0.0

Keep that and try adding:
Code:
nat (inside2) 1 0.0.0.0 0.0.0.0

Also, just a security note: allowing all 0's in your nat statement works, but unless you have a specific reason to do it, a best practice is to specify the networks that you need. For example:

Code:
nat (inside) 1 192.168.200.0 255.255.255.0
nat (inside2) 1 192.168.0.0 255.255.255.0

Matt
 
Matt,

That's the missing piece! Just what I need.
I can't paste this into the config right now because I'm at home.

I will try this tomorrow, but this seems to be the solution.
Thank you very much for helping me out :)

evo
 
Hi,

Adding the NAT statement works!

The other VLAN can reach the internet now.

But the very strange thing is, there is no communication possible anymore between the VLANs (192.168.200.x and 192.168.200.x).

Changes I made in the config:

- added the NAT statement
- disabled DHCP

Removing the NAT statement solves nothing, and I don't see that enabling DHCP solves this.

evo
 
I mean ...between the VLANs (192.168.200.x and 192.168.0.x)
 
Hmm. And you're sure that traffic flowed between the interfaces before? ;-)

Here are some ideas:

1. Turn on logging and look for clues in your log. Look for translation errors or deny messages.

2. Try removing the line:

Code:
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0

You don't have nat-control turned on, so you should not need to perform NAT on connections between interfaces.

3. Double check that nat-control is actually off.

Code:
ASA# show run nat-c
no nat-control

-----

Both "inside" and "inside2" have the same security level. You have "same-security-traffic permit inter-interface" configured, so traffic should be flowing between them, but there could be some sort of unexpected behavior going on.

You could change "inside2" to a security level of 99 and then add an access list to permit traffic from "inside2" to "inside". This is a larger change, but it will take the whole same-security bit out of the equation.

-----

If all else fails, post your config again. Perhaps something else has changed?



Matt
 
Hi,

Yes, the traffic has flowed between the two networks.
But maybe I did change more than I said in my previous post; I was busy trying to solve it until after midnight.
Maybe my mind isn't that clear/bright anymore ;)


1. I turned on logging and did get an error:

portmap translation creation failed for icmp src inside:192.168.200.1 dst inside2:192.168.0.150 (type 8, code 0)

Explanation of IPs:
192.168.200.1 is a client on inside
192.168.0.150 is a client on inside2

I googled this but I don't see/understand how to apply the solution to my problem.



2. I removed the access-list, no result.


3. NAT control was not turned on.


About "same-security-traffic permit inter-interface":
after I turned this on 2 days ago the traffic started flowing between the networks.


I will take my "ASA test setup LAN" back home right now and try the other security level with the permit access list.


Thanks once again!


evo

--


My recent config:

Code:
ASA Version 7.2(3)
!
hostname cASA
domain-name my.domain
enable password ZagD7sdafeRQ/vXmm encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 194.109.123.132 255.255.255.0
!
interface Vlan3
 nameif inside2
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ZOjdjjddjdjtvXmm encrypted
no ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name my.domain
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq https
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.140.150.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.200.200.0 255.255.255.224
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 10.140.150.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inside2 1500
ip local pool clientpool1 10.200.200.1-10.200.200.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.200.4 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 195.190.238.14 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 194.12.34.56
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy asa_global_fw_policy global
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.200.21
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
 default-domain value my.domain
username usert password aIX/fgfnfcgRxA encrypted privilege 0
username usert attributes
 vpn-group-policy vpn
username admin password uSNOfv0vdkzraXIQ encrypted privilege 15
tunnel-group 194.12.34.56 type ipsec-l2l
tunnel-group 194.12.34.56 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
 address-pool clientpool1
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *
prompt hostname context
 
I think I have it figured out. Messing with security levels and an ACL will not help. Sorry for that lousy suggestion.

I just labbed your configuration up and it appears that NAT is applied on a per-interface basis on the ASA, not a per-flow basis. This means that if you apply any NAT configuration to an interface, NAT is required for all traffic, even if you have "no nat-control" configured.

This explains why you are seeing a translation error. There is no translation for traffic from "inside" to "inside2" or vice versa.

It worked before I told you to add the second nat statement because of your nat0 acl. That ACL was translating traffic from "inside" to "inside2" and doing the reverse, since there was no nat configuration on "inside2". Once you added a nat configuration to "inside2" that nat0 ACL wasn't doing it for you any more.

My suggested solution is to do this:

1. Don't replace the nat0 ACL.

2. Don't change your security levels or anything.

3. Add in the second NAT statement I recommended earlier.

4. Use statics to get traffic between the interfaces with identity nat:

Code:
static (inside,inside2) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
static (inside2,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Bottom line: Even with nat-control disabled, once you added the nat statements for PAT to the inside interfaces you required NAT for all traffic on those interfaces. Statics are the right solution to perform identity NAT across the security appliance.

Kudos to my partner in crime, Joe, for the tip.

Matt
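The rule Matt lays out above (any nat statement on an interface makes a translation mandatory for all its traffic, and only a nat 0 ACL match or a static can supply one) can be checked mechanically. The following Python lint is an added example, not code from the thread or from Cisco; it assumes the ASA 7.x nat/global/static syntax shown in the posts, takes the interface subnets as an argument instead of parsing them, only considers "permit ip" entries of a nat 0 ACL, and runs on a constructed excerpt modelled on evo's config.

```python
import re
from ipaddress import ip_network
# ASA 7.x NAT syntax as used in the thread (nat/global/static), not the 8.3+ object NAT syntax
NAT = re.compile(r"^nat \((\S+)\) (\d+) (\S+)(?: (\S+))?")
STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACL = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

def parse(config):
    """Interfaces with any nat statement, nat 0 ACL name per interface, statics, ACL destinations."""
    nat_ifcs, nat0, statics, acls = set(), {}, set(), {}
    for line in config.splitlines():
        if m := NAT.match(line):
            nat_ifcs.add(m[1])                       # any nat on an interface: xlate now required
            if m[2] == "0" and m[3] == "access-list":
                nat0[m[1]] = m[4]                    # nat 0 ACL exempts the flows it matches
        elif m := STATIC.match(line):
            statics.add((m[1], m[2]))                # static (real_ifc,mapped_ifc)
        elif m := ACL.match(line):
            acls.setdefault(m[1], []).append(ip_network(f"{m[4]}/{m[5]}", strict=False))
    return nat_ifcs, nat0, statics, acls

def uncovered_pairs(config, networks):
    """networks maps interface name -> its subnet; returns (src, dst) pairs lacking a translation."""
    nat_ifcs, nat0, statics, acls = parse(config)
    missing = []
    for a in networks:
        for b in networks:
            if a == b or a not in nat_ifcs:
                continue                             # no nat on 'a': nothing required (pre-fix inside2)
            dst = ip_network(networks[b])
            exempt = any(dst.overlaps(n) for n in acls.get(nat0.get(a), []))
            if not exempt and (a, b) not in statics:
                missing.append((a, b))
    return missing

# Constructed excerpt modelled on the thread's config right after "nat (inside2) 1" was added
NETS = {"inside": "192.168.200.0/24", "inside2": "192.168.0.0/24"}
BASE = """access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.200.0 255.255.255.0
nat (inside2) 1 192.168.0.0 255.255.255.0
"""
FIX = """static (inside,inside2) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
static (inside2,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
"""

if __name__ == "__main__":
    print(uncovered_pairs(BASE, NETS))        # [('inside2', 'inside')]
    print(uncovered_pairs(BASE + FIX, NETS))  # []
```

With the nat0 entry still present only the inside2-to-inside direction is flagged, which is the reverse flow Matt describes; with the entry removed, as evo did, both directions are flagged, and the two identity statics clear the report.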
 
Wow Matt (and Joe)!

You're right again :)

I want to thank you for taking the time, solving my problem and explaining what I'm doing wrong.

It's all working.
Tomorrow I will get rid of my old DrayTek and replace it with the ASA.


I hope this topic is also helpful for other ASA owners.


By the way, I like your site (bookmarked).

THANKS!

evo
 