Interinterface traffic not allowed with same security levels

[cchrisinger]

We have 8 subinterfaces (VLANS) configured on a ASA 5550. We are essentially using the ASA to route between the VLANS. Our admin vlan traffic is being blocked going to other interfaces by the implicit Deny ACL. Other vlans with the same security levels are able to talk between each other. We would like to change the security levels on each vlan to an appropriate level based on vlan function. However, I'd like the ASA to behave the way it's supposed to before I move forward with our finale configuration. Our institution owns a Class B IP range so we are not doing any NAT. Config below...

ASA Version 8.0(3)19
!
hostname uwcxdcasa
domain-name uwex.uwc.edu
!
interface GigabitEthernet0/0
description Outside
speed 1000
duplex full
nameif outside
security-level 0
ip address 143.x.x.254 255.255.255.0
!
interface GigabitEthernet0/1
description Inside
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.1428
description admin_inside on vlan 1428
vlan 1428
nameif admin_inside
security-level 100
ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1429
description backup_inside on vlan 1429
vlan 1429
nameif backup_inside
security-level 100
ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1430
description dev_inside on vlan 1430
vlan 1430
nameif dev_inside
security-level 75
ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1431
description test_inside on vlan 1431
vlan 1431
nameif test_inside
security-level 100
ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1432
description prodweb_inside on vlan 1432
vlan 1432
nameif prodweb_inside
security-level 100
ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1433
description proddb_inside on vlan 1433
vlan 1433
nameif proddb_inside
security-level 100
ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1434
description proddata_inside on vlan 1434
vlan 1434
nameif proddata_inside
security-level 100
ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/1.1435
description dmzservices_inside on vlan 1435
vlan 1435
nameif dmzservices_inside
security-level 50
ip address 143.x.x.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa803-19-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name uwex.uwc.edu
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network TechOps
description Technical Operations Information Technology Group
network-object host cchrisinger
network-object host pgillett_1
network-object host ddingman_1
network-object host ddingman_2
network-object host ddingman_4
network-object host ddingman_3
network-object host pwilliams_1
network-object host pwilliams_2
network-object host phart_1
network-object host blabuda_3
network-object host phart_2
network-object host pgillett_2
network-object host jmagill_1
network-object host blabuda_2
network-object host blabuda_1
network-object host adm-hartp
object-group service default_inside_access_out
description VLAN default inside to outside access for servers
service-object tcp eq www
service-object tcp eq https
service-object tcp-udp eq domain
service-object tcp eq ssh
service-object tcp eq ftp
service-object tcp eq ftp-data
object-group network DM_INLINE_NETWORK_1
network-object 143.x.x.0 255.255.255.0
network-object 143.x.x.0 255.255.255.0
network-object 143.x.x.0 255.255.255.0
network-object 143.x.x.0 255.255.255.0
network-object 143.x.x.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object UWMADCAMP2 255.255.0.0
network-object UWMADCAMP1 255.255.0.0
object-group service BuckyBackup
description ASDM Bucky Backup Ports
service-object tcp-udp range 1499 1503
object-group network DM_INLINE_NETWORK_4
network-object 143.x.x.0 255.255.255.0
network-object 143.x.x.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_2 tcp
port-object eq ldap
port-object eq ldaps
object-group network DM_INLINE_NETWORK_3
network-object 10.0.0.0 255.240.0.0
network-object UWMADCAMP2 255.255.0.0
network-object 143.x.x.0 255.255.0.0
network-object UWMADCAMP1 255.255.0.0
object-group network DM_INLINE_NETWORK_6
network-object UWMADCAMP2 255.255.0.0
network-object UWC_Central 255.255.240.0
network-object UWMADCAMP1 255.255.0.0
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
group-object BuckyBackup
group-object default_inside_access_out
object-group network bb.uwex.uwc.edu
description big brother
network-object host bb.uwex.edu
network-object host bb.uwc.edu
object-group network DM_INLINE_NETWORK_5
network-object 10.0.0.0 255.240.0.0
network-object UWEX_Subnet 255.255.252.0
network-object uwcx_lakeasa 255.255.255.128
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
object-group service google-admin tcp
description google appliance administration ports
port-object eq 8000
port-object eq 8443
access-list admin_inside_access_in extended permit icmp any any
access-list admin_inside_access_in remark Allow IP out to other server rooms
access-list admin_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list admin_inside_access_in remark Allow IP out to manage google
access-list admin_inside_access_in extended permit tcp 143.x.x.0 255.255.255.0 host google.uwex.uwc.edu object-group google-admin
access-list admin_inside_access_in remark Allow IP out to other server rooms
access-list admin_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group DM_INLINE_NETWORK_5
access-list admin_inside_access_in remark Allow default Internet Access
access-list admin_inside_access_in extended permit object-group default_inside_access_out any any
access-list admin_inside_access_in remark Allow Bucky Backup Access outbound
access-list admin_inside_access_in extended permit object-group BuckyBackup any any
access-list outside_access_in remark Allow ICMP packets to all vlans
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_3 any
access-list outside_access_in remark Allow Big Brother monitoring
access-list outside_access_in extended permit ip object-group bb.uwex.uwc.edu any
access-list outside_access_in remark Enable Bucky Backup to DataCenter servers
access-list outside_access_in extended permit object-group BuckyBackup object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_4
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host dns1.uwex.uwc.edu eq domain
access-list outside_access_in remark Allow http, https, and ssh to citpweb01
access-list outside_access_in extended permit tcp any host citpweb01 object-group DM_INLINE_TCP_1
access-list outside_access_in remark Allow http and https to citpapps01-ezproxy
access-list outside_access_in extended permit tcp any host citpapps01-ezproxy object-group DM_INLINE_TCP_5
access-list outside_access_in remark Allow http and https to google-mini
access-list outside_access_in extended permit tcp any host google.uwex.uwc.edu object-group DM_INLINE_TCP_6
access-list outside_access_in remark Allow TechOps remote desktop access
access-list outside_access_in extended permit tcp UWC_Central 255.255.240.0 host citpapp02.uwc.edu eq 3389
access-list outside_access_in remark Allow http and https access to servicecenter
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host citpapp02.uwc.edu object-group DM_INLINE_TCP_3
access-list outside_access_in remark Allow Test access for ONL to test Website
access-list outside_access_in extended permit tcp ONL-Subnet 255.255.255.0 host citweb01-test eq www
access-list test_inside_access_in remark Allow IP out to other server rooms
access-list test_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list test_inside_access_in remark Allow default Internet Access
access-list test_inside_access_in extended permit object-group default_inside_access_out any any
access-list test_inside_access_in remark Allow Bucky Backup Access outbound
access-list test_inside_access_in extended permit object-group BuckyBackup any any
access-list test_inside_access_in extended permit icmp any any
access-list proddata_inside_access_in remark Allow IP out to other server rooms
access-list proddata_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list proddata_inside_access_in extended permit icmp any any
access-list dev_inside_access_in remark Allow IP out to other server rooms
access-list dev_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list dev_inside_access_in extended permit object-group DM_INLINE_SERVICE_1 143.235.4.0 255.255.255.0 any
access-list dev_inside_access_in extended permit icmp any any
access-list proddb_inisde_access_in remark Allow IP out to other server rooms
access-list proddb_inisde_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list proddb_inisde_access_in extended permit ip any any
access-list proddb_inisde_access_in extended permit icmp any any
access-list backup_inside_access_in remark Allow IP out to other server rooms
access-list backup_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list backup_inside_access_in extended permit icmp any any
access-list dmzservices_inside_access_in remark Allow IP out to other server rooms
access-list dmzservices_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list dmzservices_inside_access_in extended permit icmp any any
access-list prodweb_inside_access_in extended permit icmp any any
access-list prodweb_inside_access_in remark Allow IP out to other server rooms
access-list prodweb_inside_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list prodweb_inside_access_in remark Allow default Internet Access
access-list prodweb_inside_access_in extended permit object-group default_inside_access_out any any
access-list prodweb_inside_access_in remark Allow Bucky Backup Access outbound
access-list prodweb_inside_access_in extended permit object-group BuckyBackup any any
access-list prodweb_inside_access_in remark connection to mysql.uwex.edu
access-list prodweb_inside_access_in extended permit tcp host citpweb01 host mysql.uwex.edu eq 3306
access-list prodweb_inside_access_in remark LDAPS and LDAP Connection to UWCDC1
access-list prodweb_inside_access_in extended permit tcp host citpweb01 host uwcdc1.uwc.edu object-group DM_INLINE_TCP_2
access-list admin_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list admin_inside_nat0_outbound remark Allow TechOps Access to Data Center Administration VLAN
access-list admin_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 object-group TechOps
access-list admin_inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 uwcx_lakeasa 255.255.255.128
access-list dev_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list dev_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list test_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list test_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list proddb_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list proddb_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list proddata_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list proddata_inside_nat0_outbound extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list outside_1_cryptomap extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list outside_1_cryptomap extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list outside_1_cryptomap extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list outside_1_cryptomap extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list outside_1_cryptomap extended permit ip 143.x.x.0 255.255.255.0 UWEX_LakePix 255.255.255.224
access-list outside_2_cryptomap extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list outside_2_cryptomap extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list outside_2_cryptomap extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list outside_2_cryptomap extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list outside_2_cryptomap extended permit ip 143.x.x.0 255.255.255.0 10.0.0.0 255.240.0.0
access-list outside_4_cryptomap extended permit ip 143.x.x.0 255.255.255.0 uwcx_lakeasa 255.255.255.128
access-list outside_4_cryptomap extended permit ip 143.x.x.0 255.255.255.0 uwcx_lakeasa 255.255.255.128
access-list outside_4_cryptomap extended permit ip 143.x.x.0 255.255.255.0 uwcx_lakeasa 255.255.255.128
access-list outside_4_cryptomap extended permit ip 143.x.x.0 255.255.255.0 uwcx_lakeasa 255.255.255.128
access-list outside_4_cryptomap extended permit ip 143.x.x.0 255.255.255.0 uwcx_lakeasa 255.255.255.128
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host admin_inside 128.x.x.250
mtu outside 1500
mtu admin_inside 1500
mtu backup_inside 1500
mtu dev_inside 1500
mtu test_inside 1500
mtu prodweb_inside 1500
mtu proddb_inside 1500
mtu proddata_inside 1500
mtu dmzservices_inside 1500
ip local pool vpnpool 172.17.1.100-172.17.1.199 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface admin_inside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any admin_inside
icmp permit any backup_inside
asdm image disk0:/asdm-60360.bin
no asdm history enable
arp timeout 14400
nat (admin_inside) 0 access-list admin_inside_nat0_outbound
nat (dev_inside) 0 access-list dev_inside_nat0_outbound
nat (test_inside) 0 access-list test_inside_nat0_outbound
nat (proddb_inside) 0 access-list proddb_inside_nat0_outbound
nat (proddata_inside) 0 access-list proddata_inside_nat0_outbound
static (backup_inside,outside) 143.x.x.0 143.x.x.0 netmask 255.255.255.0
static (proddb_inside,outside) 143.x.x.0 143.x.x.0 netmask 255.255.255.0
static (dmzservices_inside,outside) 143.x.x.0 143.x.x.0 netmask 255.255.255.0
static (admin_inside,outside) eva.uwex.uwc.edu eva.uwex.uwc.edu netmask 255.255.255.255
static (admin_inside,outside) sim.uwex.uwc.edu sim.uwex.uwc.edu netmask 255.255.255.255
static (admin_inside,outside) citpdc01.uwc.edu citpdc01.uwc.edu netmask 255.255.255.255
static (admin_inside,outside) APC_ISX APC_ISX netmask 255.255.255.255
static (admin_inside,outside) Cory_Temp Cory_Temp netmask 255.255.255.255
static (prodweb_inside,outside) citpweb01 citpweb01 netmask 255.255.255.255
static (admin_inside,outside) Cisco_3020-b Cisco_3020-b netmask 255.255.255.255
static (prodweb_inside,outside) citpapp02.uwc.edu citpapp02.uwc.edu netmask 255.255.255.255
static (admin_inside,outside) dns.uwex.uwc.edu dns.uwex.uwc.edu netmask 255.255.255.255
static (proddata_inside,outside) citpapps01-ezproxy citpapps01-ezproxy netmask 255.255.255.255
static (proddata_inside,outside) citpsps01.uwc.edu citpsps01.uwc.edu netmask 255.255.255.255
static (test_inside,outside) citdf801.uwc.edu citdf801.uwc.edu netmask 255.255.255.255
static (test_inside,outside) citpsps02.uwc.edu citpsps02.uwc.edu netmask 255.255.255.255
static (dev_inside,outside) citdvems01.uwc.edu citdvems01.uwc.edu netmask 255.255.255.255
static (test_inside,outside) citweb01-test citweb01-test netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group admin_inside_access_in in interface admin_inside
access-group backup_inside_access_in in interface backup_inside
access-group dev_inside_access_in in interface dev_inside
access-group test_inside_access_in in interface test_inside
access-group prodweb_inside_access_in in interface prodweb_inside
access-group proddb_inisde_access_in in interface proddb_inside
access-group proddata_inside_access_in in interface proddata_inside
access-group dmzservices_inside_access_in in interface dmzservices_inside
route outside 0.0.0.0 0.0.0.0 143.x.x.1 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 143.x.x.51 255.255.255.255 outside
http 143.x.x.91 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 admin_inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 128.x.x.5
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 143.x.x.1
crypto map outside_map 2 set transform-set ESP-DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 128.x.x.6
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 4 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 143.x.x.91 255.255.255.255 outside
ssh 143.x.x.51 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access admin_inside
!
threat-detection basic-threat
threat-detection statistics
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
group-policy uwcxremotevpn internal
group-policy uwcxremotevpn attributes
dns-server value 128.x.x.254
vpn-tunnel-protocol IPSec
default-domain value uwex.uwc.edu
username uwcx-monitor password Vg8fWBXiKbD408bU encrypted privilege 13
username uwcx-security password CGpcr.GLhmjrEHy5 encrypted privilege 15
tunnel-group 128.x.x.5 type ipsec-l2l
tunnel-group 128.x.x.5 ipsec-attributes
pre-shared-key *
tunnel-group 128.x.x.6 type ipsec-l2l
tunnel-group 128.x.x.6 ipsec-attributes
pre-shared-key *
tunnel-group 143.x.x.1 type ipsec-l2l
tunnel-group 143.x.x.1 ipsec-attributes
pre-shared-key *
tunnel-group uwcxremotevpn type remote-access
tunnel-group uwcxremotevpn general-attributes
address-pool vpnpool
default-group-policy uwcxremotevpn
tunnel-group uwcxremotevpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4b00cd7bb367732a75e84938a931de7e
: end
asdm image disk0:/asdm-60360.bin

no asdm history enable

 

[unclerico]

The only permits I see are between the individual subnets and the object-group bb.uwex.uwc.edu. Are you not able to ping between the VLAN's either?? Sorry, there's a lot going on in that config

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Supergrrover]

Can you give a specific instance of a traffic flow that is being blocked? Need to see if it's blocked by an ACL anywhere that was not anticipated.

I see you are doing syslog to a server - define the flow and see where it balks from the log.

Later on you will want to change this
logging trap informational
to a lower level - You look like you have a lot of traffic and that's a serious performance hit.

Also - because of your class B and masking the middle 2 octets (usually very sound advice) it makes it hard to see how you have subnetted. Masking the first 2 would have been easier to see what's going on. For next time post with a letter substitute so you don't give away your network but people can conceptually get an idea of what goes where- eg

interface GigabitEthernet0/1.1428
description admin_inside on vlan 1428
vlan 1428
nameif admin_inside
security-level 100
ip address 143.x.A.1 255.255.255.0
!
interface GigabitEthernet0/1.1429
description backup_inside on vlan 1429
vlan 1429
nameif backup_inside
security-level 100
ip address 143.x.B.1 255.255.255.0
!
interface GigabitEthernet0/1.1430
description dev_inside on vlan 1430
vlan 1430
nameif dev_inside
security-level 75
ip address 143.x.C.1 255.255.255.0
!
etc.

Last bit of unwanted advice (i promise) later you will want to move some vlans to a different port. The single gig speed will become the bottleneck on your network doing all the intervlan routing. Let some of the other unused interfaces do some work and you will have a much smoother network.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[cchrisinger]

I'll give a for instance. If I am on a server on VLAN 1428, and try to RDP to another server on VLAN 1433 the traffic is blocked. If I am on a server on VLAN 1433 and try to RDP to a server on 1431, the connection works just fine. All three of these VLANS are Security Level 100 and I have the same-security-traffic permit inter-interface command turned on. The same is true if I'm on VLAN 1433 and I try and RDP to a server on VLAN 1428, the connection works. The issue is specific to outbound traffic from VLAN 1428. There is an ACL that allows some default outbound traffic from 1428, such as http, https, ssh, and couple others. The traffic define by that ACL works fine, however everything else is being denied by the Implicit Deny on that specific subinterface.

 

[Supergrrover]

If you allow all traffic from the admin vlan (permit ip any any as the last statement in that interface acl) does your rdp now work?

This ACL allows everything from vlan 1433 -
access-list proddb_inisde_access_in remark Allow IP out to other server rooms
access-list proddb_inisde_access_in extended permit ip 143.x.x.0 255.255.255.0 object-group bb.uwex.uwc.edu
access-list proddb_inisde_access_in extended permit ip any any
access-list proddb_inisde_access_in extended permit icmp any any

Your vlan 1428 acl does not have that statement in it. What are the hit counts your ace's and where are they incrementing?


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[unclerico]

Perhaps I'm being too simple minded here, but you just need to make changes to your admin_inside_access_in ACL. In your example you gave, add an ACE for permit tcp 3389

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[cchrisinger]

Your are right. I guess I might not be understanding how the same-security-traffic permit inter-interface command works. My understanding is that as long as I have the same-security-traffic permit inter-interface command active traffic should be allowed between interfaces at the same security levels. Traffic from VLAN 1428 does not comply with that rule, nor does it allow traffic to freely flow to an interface with a lower sec level such as 1430. Hey if all I need to do is write Ace's I'm happy to do that, I just want to make sure that traffic is moving the way it should be and the way that I expect it will. Thanks for all the suggestions guys.

Are there many people running their ASA's this way? We have to do this because of our LAN is handled. I understand that having a Layer 3 device handling this is probably a better way to go, but unfortunately that can't be done here.

 

[unclerico]

The same-security-traffic permit inter-interface will pass traffic for interfaces with the same security levels. However, ACL's will inhibit this communication.

Sure, there are people taht run like this. A better and more scalable solution would be to use each physical interface on the ASA or incorporate a L3 switch into the mix. There's no real right or wrong way. You need to make adjustments according to your traffic patters and link usage.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[cchrisinger]

Ok, so what takes presidence the implicit Deny on each interface or the same-security-traffic permit inter-interface command. The same-security-traffic permit inter-interface command is technically applied first in the config.

 

[unclerico]

ACL's are pretty much the first thing checked so your deny would take precedence

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Supergrrover]

For same-security in the absence of interface ACLs all traffic is allowed. As soon as you apply an ACL you have to explicitly allow everything you want or it will get caught in the implicit "deny ip any any."

It's good form to put the "deny ip any any" at the end of your ACLs for clarity and so that you can watch the counters.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[cchrisinger]

Wanted to thank everyone for their help. We were able to get things straightened out on our ASA 5550. I have another 5550 we are going to be using as the passive failover. I plan to redistribute the VLAN's across more interfaces in the near future, thanks for the tip.