[Config] Crossing internal networks

uudruid74

OK, I thought I had this set, but the "Wizard" seems to have lied to me. I want data to be able to span from port-to-port on an ASA 5520. I have 4 ports, Internet=0, Wired/Internal=1, Wireless=2, and Servers=3. The only data going port to port is NAT to the Internet. How do I route traffic between the different ports - they each have a separate class C internal subnet (except 0, which gets a real IP from an upstream DHCP server).

To complicate matters, some of the data I want to share is SMB/Windows file shares, and if I remember, this data doesn't like to span networks without a host sitting on both to manage the browse lists. So, I expect that getting this working will be tougher than getting SSH or something between ports to work, but I'm pretty confident that it's been done before considering the popularity of Windows!

Any help/advice/assistance is welcome, and I'm using the ASDM interface for now, but if I need to delve into the command line and start learning it to make this work, then so be it. So far it's just been faster to learn what's available through the GUI, but I usually prefer CLIs anyway being from a Unix/Linux background.

-- Evan

uudruid74

FYI, it's telling me it's unable to NAT, but this doesn't make sense because I have the "Allow traffic without NAT" checkbox on. This performs "no nat-control" on the command line. I can't add static routes. It should just be a simple gateway (except for the SMB shares). I'm really confused. It won't let me add additional rules to NAT from one interface to the other (which is just silly anyway).

Why won't it act as a gateway?

HELLFIRE to uudruid74

Your full config, minus passwords and other sensitive information, please.

So if I got this right
- ETH0 / dhcp from upstream
- ETH1 / a.a.2.a
- ETH2 / a.a.3.a
- ETH3 / a.a.4.a

Do you have security levels configured on the interfaces of the ASA? One "gotcha" in ASA-land is the security levels,
and the best way to remember how they work is "higher to lower, okay. Lower to higher, no way!"

My 00000010bits

Regards

uudruid74

Close, I used 11, 12, and 13 instead of 2, 3, and 4. And I put the security levels the same for wired and wireless because ASDM had a checkbox that said it would route packets between interfaces with the same security level and I wanted to get it working first before worrying about security.

Here's the config (with long lists of blocked Internet sites removed).
: Saved
:
ASA Version 8.0(4)
!
hostname mcp
domain-name langlois.local
enable password ********** encrypted
passwd *********** encrypted
names
name 192.168.12.4 Evan description full access
name 192.168.12.3 Kyle description Kyle's Laptop
name 192.168.12.5 printer description hp printer
name 192.168.11.2 Dad description Dad can access anything
name 192.168.12.6 Droid description Evan's Phone
name 64.210.140.16 porn.com
! full list of these has been edited for brevity
name 23.13.147.235 steam
name 74.125.224.192 youtube.com
dns-guard
!
interface GigabitEthernet0/0
nameif mcp-internet
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
description Dad's PC
nameif mcp-wired
security-level 80
ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/2
description Monoprice router
nameif mcp-wireless
security-level 80
ip address 192.168.12.1 255.255.255.0
!
interface GigabitEthernet0/3
description Future Use
nameif mcp-files
security-level 60
ip address 192.168.13.1 255.255.255.0
!
interface Management0/0
description Private Management Port Only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup mcp-wired
dns domain-lookup mcp-wireless
dns domain-lookup mcp-internet
dns server-group DefaultDNS
name-server 192.168.0.1
name-server 66.82.4.8
name-server 66.82.4.12
domain-name langlois.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
service-object tcp eq www
service-object tcp eq https
service-object tcp eq irc
service-object tcp eq ssh
service-object udp eq domain
service-object udp eq ntp
object-group network DM_INLINE_NETWORK_1
network-object 192.168.11.0 255.255.255.0
network-object 192.168.12.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.11.0 255.255.255.0
network-object 192.168.12.0 255.255.255.0
object-group network Guests
description Minimal Access Group, all wireless
network-object 192.168.12.0 255.255.255.0
network-object host Evan
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service chat tcp-udp
description Google and Yahoo Chat
port-object eq 5050
port-object eq 5222
port-object eq 5228
object-group service hplip tcp
description HP Print Services
port-object eq 9100
object-group service smb udp
description Windows Networking Shares
port-object eq netbios-dgm
port-object eq netbios-ns
object-group network evangroup
description all of evan's toys
network-object host Evan
network-object host Droid
object-group network block-ekl
description Social Network SItes denied to Evan
network-object host facebook
network-object host pinterest
network-object host dhgate
network-object host tumblr
network-object host imgfave
! full list edited for brevity
object-group network porn
description porn
network-object host porn.com
! full list edited for brevity
object-group network hogs
description worst of the bandwidth hogs
network-object host steam
network-object youtube.com 255.255.255.240
object-group service mail tcp
description all the mail servers, including imaps/993
port-object eq 993
port-object eq imap4
port-object eq pop3
port-object eq smtp
object-group network local-machines
description All known local machines
network-object host Dad
network-object host Kyle
network-object host Evan
network-object host Droid
object-group network printers
description all local printers
network-object host printer
access-list mcp-wireless_access_in extended permit ip any any
access-list mcp-wired_access_in extended permit ip any any
access-list mcp-internet_access_in remark Will this work to block it for everyone?
access-list mcp-internet_access_in extended deny ip object-group porn any
access-list mcp-internet_access_in extended permit ip any any
access-list mcp-wireless_access_in_1 remark Block social sites to Kyle too until he gets a job
access-list mcp-wireless_access_in_1 extended deny ip host Kyle object-group block-ekl
access-list mcp-wireless_access_in_1 remark This should block bad sites
access-list mcp-wireless_access_in_1 extended deny ip object-group evangroup object-group block-ekl
access-list mcp-wireless_access_in_1 remark Default Services
access-list mcp-wireless_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 object-group Guests any
access-list mcp-wireless_access_in_1 remark Guests can use mail
access-list mcp-wireless_access_in_1 extended permit tcp object-group Guests any object-group mail
access-list mcp-wireless_access_in_1 remark Let guests chat on Google
access-list mcp-wireless_access_in_1 extended permit object-group TCPUDP object-group Guests any object-group chat
access-list mcp-wireless_access_in_1 remark Evan is GOD
access-list mcp-wireless_access_in_1 extended permit ip object-group evangroup any
access-list mcp-wireless_access_in_1 remark Need permission to go to the bandwidth hogs
access-list mcp-wireless_access_in_1 extended deny ip object-group Guests object-group hogs
access-list mcp-wireless_access_in_1 remark Kyle can access God's SMB
access-list mcp-wireless_access_in_1 extended permit udp host Kyle host Evan object-group smb
access-list mcp-wireless_access_in_1 remark Kyle can print
access-list mcp-wireless_access_in_1 extended permit tcp host Kyle object-group printers object-group hplip
access-list mcp-wireless_access_in_1 remark Let guests chat on Google
access-list mcp-files_access_in extended permit ip object-group DM_INLINE_NETWORK_1 192.168.13.0 255.255.255.0
access-list mcp-files_access_in extended permit ip 192.168.13.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging asdm warnings
logging host mcp-wireless Evan
logging debug-trace
logging permit-hostdown
no logging message 313005
mtu management 1500
mtu mcp-wired 1500
mtu mcp-wireless 1500
mtu mcp-files 1500
mtu mcp-internet 1500
ip verify reverse-path interface mcp-wired
ip verify reverse-path interface mcp-wireless
ip verify reverse-path interface mcp-files
ip verify reverse-path interface mcp-internet
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.11.0 255.255.255.0 echo mcp-wired
icmp permit any echo mcp-wireless
icmp permit any echo-reply mcp-internet
asdm image disk0:/asdm-611.bin
no asdm history enable
arp mcp-wireless Droid 40fc.898e.3be6
arp mcp-wired Dad d8d3.857f.15f2
arp mcp-wireless Kyle dc85.de3b.8dbd
arp mcp-wireless Evan 5435.307f.c011
arp mcp-wireless printer b499.ba10.f0b4
arp timeout 14400
global (mcp-wired) 1 interface
global (mcp-wireless) 1 interface
global (mcp-internet) 101 interface
nat (management) 101 0.0.0.0 0.0.0.0 dns
nat (mcp-wired) 101 192.168.11.0 255.255.255.0 dns
nat (mcp-wireless) 101 192.168.12.0 255.255.255.0 dns
access-group mcp-wired_access_in in interface mcp-wired
access-group mcp-wireless_access_in in interface mcp-wireless control-plane
access-group mcp-wireless_access_in_1 in interface mcp-wireless
access-group mcp-files_access_in in interface mcp-files
access-group mcp-internet_access_in in interface mcp-internet
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Evan 255.255.255.255 mcp-wireless
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh Evan 255.255.255.255 mcp-wireless
ssh timeout 5
ssh version 2
console timeout 10
management-access mcp-wireless
dhcp-client update dns server none
dhcpd address 192.168.1.2-192.168.1.19 management
dhcpd enable management
!
dhcpd address Dad-192.168.11.100 mcp-wired
dhcpd dns 192.168.0.1 66.82.4.8 interface mcp-wired
dhcpd lease 1048575 interface mcp-wired
dhcpd domain langlois.local interface mcp-wired
dhcpd auto_config mcp-internet interface mcp-wired
dhcpd update dns both override interface mcp-wired
dhcpd enable mcp-wired
!
dhcpd address 192.168.12.2-192.168.12.100 mcp-wireless
dhcpd dns 192.168.0.1 66.82.4.12 interface mcp-wireless
dhcpd lease 86400 interface mcp-wireless
dhcpd domain langlois.local interface mcp-wireless
dhcpd auto_config mcp-internet interface mcp-wireless
dhcpd update dns both override interface mcp-wireless
dhcpd enable mcp-wireless
!
vpn load-balancing
interface lbpublic management
interface lbprivate management
priority-queue mcp-wired
queue-limit 512
priority-queue mcp-wireless
queue-limit 1024
tx-ring-limit 128
priority-queue mcp-internet
queue-limit 1024
tx-ring-limit 128
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address Dad 255.255.255.255
threat-detection scanning-threat shun except ip-address Evan 255.255.255.255
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 204.9.54.119 source mcp-internet
ntp server 50.116.38.157 source mcp-internet prefer
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:****************************
: end

HELLFIRE to uudruid74

said by uudruid74 :

interface GigabitEthernet0/0
nameif mcp-internet
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
description Dad's PC
nameif mcp-wired
security-level 80
ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/2
description Monoprice router
nameif mcp-wireless
security-level 80
ip address 192.168.12.1 255.255.255.0
!
interface GigabitEthernet0/3
description Future Use
nameif mcp-files
security-level 60
ip address 192.168.13.1 255.255.255.0

said by uudruid74 :

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Okay, wanted to check that first, and yes, that's the config you need if you have two or more interfaces at the same security
level and want to move traffic between them... don't know why the ASA does that.

Next thing I'd look at is your ACLs
said by uudruid74 :


access-group mcp-wired_access_in in interface mcp-wired

access-list mcp-wired_access_in extended permit ip any any

said by uudruid74 :


access-group mcp-wireless_access_in in interface mcp-wireless control-plane

access-list mcp-wireless_access_in extended permit ip any any

said by uudruid74 :


access-group mcp-wireless_access_in_1 in interface mcp-wireless

access-list mcp-wireless_access_in_1 remark Block social sites to Kyle too until he gets a job
access-list mcp-wireless_access_in_1 extended deny ip host Kyle object-group block-ekl
access-list mcp-wireless_access_in_1 remark This should block bad sites
access-list mcp-wireless_access_in_1 extended deny ip object-group evangroup object-group block-ekl
access-list mcp-wireless_access_in_1 remark Default Services
access-list mcp-wireless_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 object-group Guests any
access-list mcp-wireless_access_in_1 remark Guests can use mail
access-list mcp-wireless_access_in_1 extended permit tcp object-group Guests any object-group mail
access-list mcp-wireless_access_in_1 remark Let guests chat on Google
access-list mcp-wireless_access_in_1 extended permit object-group TCPUDP object-group Guests any object-group chat
access-list mcp-wireless_access_in_1 remark Evan is GOD
access-list mcp-wireless_access_in_1 extended permit ip object-group evangroup any
access-list mcp-wireless_access_in_1 remark Need permission to go to the bandwidth hogs
access-list mcp-wireless_access_in_1 extended deny ip object-group Guests object-group hogs
access-list mcp-wireless_access_in_1 remark Kyle can access God's SMB
access-list mcp-wireless_access_in_1 extended permit udp host Kyle host Evan object-group smb
access-list mcp-wireless_access_in_1 remark Kyle can print
access-list mcp-wireless_access_in_1 extended permit tcp host Kyle object-group printers object-group hplip
access-list mcp-wireless_access_in_1 remark Let guests chat on Google

said by uudruid74 :


access-group mcp-files_access_in in interface mcp-files

access-list mcp-files_access_in extended permit ip object-group DM_INLINE_NETWORK_1 192.168.13.0 255.255.255.0
access-list mcp-files_access_in extended permit ip 192.168.13.0 255.255.255.0 object-group DM_INLINE_NETWORK_2

....one question I have is where 'interface mcp-wireless control-plane' came from... never saw that config before.

Question, can a host from 192.168.11.x ping 192.168.12.1, and vice versa?

You may also want to try packet-tracer, syntax : packet-tracer input

Offhand, I don't see anything weird and whacky... maybe someone else will chime in.

Regards

uudruid74

I have no idea what "control-plane" is, the ASDM added it.

As for a ping, I get nothing if I ping another interface's IP (such as pinging 11.1 from 12.x) and if I ping another host:
mcp %ASA-3-305006: portmap translation creation failed for icmp src mcp-wireless:Evan dst mcp-wired:Dad (type 8, code 0)

An SSH gives me the same info:
mcp %ASA-3-305006: portmap translation creation failed for tcp src mcp-wireless:Evan/57518 dst mcp-wired:Dad/22

So, it's trying to NAT from one port to another instead of being a gateway, and it's not set up to NAT those ports because it only has a pool of 1 IP to NAT with (the internet IP). So, it needs to be told not to NAT those ports when going port-to-port. I had thought that "same-security-traffic permit inter-interface" was the trick for that.

I'm glad I'm testing this at home. I'd look like an idiot if half the company couldn't talk through the firewall

markysharkey

ASA's NAT *everything*, so when you say it's not set up to NAT, it actually is by default.
To get traffic from one LAN to another you have to specifically deny NAT between those subnets. Just been through some similar pain myself with an ASA!
Here's an example of preventing NAT happening between vlan 20 and vlan 40...
static (vlan40,vlan20) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (vlan20,vlan40) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
 
Looks wrong but it's right. A lot of the ASA stuff is ass backwards...

HELLFIRE to uudruid74

here's that old thread where we learned it

Yeah... that was a definitely a Dubya Tee Eff moment...

Regards

uudruid74 to markysharkey

Yes, giving it a static NAT rule to go from one network to the next using the IP of itself tells it not to translate. In command line syntax for my setup :

static (mcp-wired,mcp-wireless) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
static (mcp-wireless,mcp-wired) 192.168.12.0 192.168.12.0 netmask 255.255.255.0

I think the samba issues will be fixed by configuring myself as a WINS server which means taking myself out of DHCP - it won't let me configure a specific MAC to always get the same IP and won't let me use a WINS server that's in a dynamically assigned address pool. Good thing a static IP is easy and all my firewall rules used a name and not the IP - only 1 place to change the name to IP mapping instead of changing the whole firewall setup! At least I have 2 or 3 brain cells left!

Took me a while to figure out where to do it in the GUI since it rejects my SSH for not having an RSA key. I don't see where I can give it an RSA key!

aryoba to markysharkey

said by markysharkey:

ASA's NAT *everything*, so when you say it's not set up to NAT, it actually is by default.

Starting with OS version 8.3, this statement no longer applies, since from then on there is no NAT by default.

aryoba to markysharkey

said by markysharkey:

Here's an example of preventing NAT happening between vlan 20 and vlan 40...

static (vlan40,vlan20) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (vlan20,vlan40) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
 

I myself prefer the following NAT exemption

access-list nonat_vlan20-vlan40 permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (vlan20) 0 access-list nonat_vlan20-vlan40

assuming the vlan20 interface has a higher security level than the vlan40 interface.

In older OS versions (prior to 8.3), there is an Order of NAT explaining the differences between nat 0 (NAT exemption) and the static command.
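
The failure uudruid74 logged, markysharkey's pair of identity statics and aryoba's nat 0 exemption can all be checked against the pre-8.3 order of operations without an ASA at hand. What follows is an added example, not code from the thread or from Cisco: a small Python model of how an ASA running 8.2 or earlier picks a source translation for a new flow (NAT exemption first, then static, then dynamic nat/global matched by id, and untranslated routing when nothing matches and nat-control is off). It is fed the nat/global lines from the config posted above, then the two identity statics, then a nat 0 exemption in aryoba's style. The interface names and subnets are the thread's; 203.0.113.10 is a constructed Internet address for the demo. The model decides only the source-side translation and ignores policy NAT, destination untranslation and xlate timeouts.

```python
"""Model of how an ASA running 8.2 or earlier picks a source translation for a new flow.

Added example, not code from the thread or from Cisco.  Order of operations modelled:
  1. NAT exemption    nat (ifc) 0 access-list <acl>       no translation, both directions
  2. Static NAT       static (real_ifc,mapped_ifc) <mapped> <real> netmask <mask>
  3. Dynamic NAT/PAT  nat (ifc) <id> <net> <mask>  with  global (egress_ifc) <id> interface
A flow that matches a dynamic rule but finds no global with that id on the egress
interface gets no translation and is dropped (the 305006 lines in the thread).
With 'no nat-control' a flow that matches nothing at all is routed untranslated.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

@dataclass
class Exemption:        # nat (ifc) 0 access-list <acl>; acl entries are (src_net, dst_net)
    ifc: str
    acl: list

@dataclass
class Static:           # static (real_ifc,mapped_ifc) <mapped> <real> netmask <mask>
    real_ifc: str
    mapped_ifc: str
    mapped: IPv4Network
    real: IPv4Network

@dataclass
class Dynamic:          # nat (ifc) <id> <net> <mask>
    ifc: str
    nat_id: int
    net: IPv4Network

@dataclass
class Global:           # global (ifc) <id> interface
    ifc: str
    nat_id: int

@dataclass
class NatConfig:
    exemptions: list = field(default_factory=list)
    statics: list = field(default_factory=list)
    dynamics: list = field(default_factory=list)
    globals_: list = field(default_factory=list)

def nat_decision(cfg: NatConfig, ingress: str, egress: str, src: str, dst: str) -> str:
    """What the ASA does to the source address of a new flow ingress -> egress."""
    s, d = ip_address(src), ip_address(dst)

    # 1. NAT exemption: one ACL exempts both directions of the address pair.
    for ex in cfg.exemptions:
        for src_net, dst_net in ex.acl:
            forward = ex.ifc == ingress and s in src_net and d in dst_net
            reverse = ex.ifc == egress and d in src_net and s in dst_net
            if forward or reverse:
                return "exempt"

    # 2. Static NAT: covers the source only for real_ifc -> mapped_ifc, which is why
    #    the thread needs one static statement per direction.
    for st in cfg.statics:
        if st.real_ifc == ingress and st.mapped_ifc == egress and s in st.real:
            offset = int(s) - int(st.real.network_address)
            return f"static:{IPv4Address(int(st.mapped.network_address) + offset)}"

    # 3. Dynamic NAT/PAT: the matching nat id needs a global on the egress interface.
    for dn in cfg.dynamics:
        if dn.ifc == ingress and s in dn.net:
            if any(g.ifc == egress and g.nat_id == dn.nat_id for g in cfg.globals_):
                return f"pat:{egress}"      # PAT behind the egress interface address
            return f"drop:no global {dn.nat_id} on {egress}"

    return "untranslated"                   # nothing matched and nat-control is off

NET_WIRED = ip_network("192.168.11.0/24")
NET_WIRELESS = ip_network("192.168.12.0/24")

def thread_config() -> NatConfig:
    """The nat/global lines from the config posted in the thread."""
    return NatConfig(
        dynamics=[Dynamic("mcp-wired", 101, NET_WIRED), Dynamic("mcp-wireless", 101, NET_WIRELESS)],
        globals_=[Global("mcp-wired", 1), Global("mcp-wireless", 1), Global("mcp-internet", 101)],
    )

def with_static_identity(cfg: NatConfig) -> NatConfig:
    """The fix uudruid74 applied: an identity static in each direction."""
    cfg.statics += [Static("mcp-wired", "mcp-wireless", NET_WIRED, NET_WIRED),
                    Static("mcp-wireless", "mcp-wired", NET_WIRELESS, NET_WIRELESS)]
    return cfg

def with_nat0_exemption(cfg: NatConfig) -> NatConfig:
    """aryoba's alternative: nat (mcp-wired) 0 access-list <nonat>, one ACE wired -> wireless."""
    cfg.exemptions.append(Exemption("mcp-wired", [(NET_WIRED, NET_WIRELESS)]))
    return cfg

if __name__ == "__main__":
    cases = [("as posted", thread_config()), ("static identity", with_static_identity(thread_config())),
             ("nat 0 exemption", with_nat0_exemption(thread_config()))]
    for label, cfg in cases:       # 203.0.113.10 is a constructed Internet address
        print(label, nat_decision(cfg, "mcp-wireless", "mcp-wired", "192.168.12.4", "192.168.11.2"),
              nat_decision(cfg, "mcp-wired", "mcp-wireless", "192.168.11.2", "192.168.12.4"),
              nat_decision(cfg, "mcp-wireless", "mcp-internet", "192.168.12.4", "203.0.113.10"))
```

Run as-is to print the three cases. With the posted config a wireless host going to mcp-wired matches nat (mcp-wireless) 101 but finds no global 101 on mcp-wired (the two globals with id 1 are never referenced by any nat statement), so no translation can be built, while the same host going to mcp-internet gets PAT; a host on mcp-files, which has no nat statement at all, is routed untranslated under no nat-control. Both fixes make the wired/wireless pair work in either direction; the exemption does it with a single ACL. The real change is still the ASA commands quoted above, and packet-tracer on the box is the authoritative check.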

tubbynet

said by aryoba:

access-list nonat_vlan20-vlan40

+1.
while i don't speak asa very often -- i've always preferred using nat0 rather than static nat'ing in the same subnets.

if i see a nat0 statement -- i know that i don't have to worry about any crap that comes with the nat.

q.

aryoba to uudruid74

said by uudruid74 :

Took me awhile to figure out where to do it in the GUI since it rejects my SSH for not having a an RSA key. I don't see where I can give it an RSA key!

I recall that back in the days of PIX firewalls, the missing-RSA-key issue could be resolved by simply opening the GUI over HTTPS instead of regular HTTP in order to issue the certificate key.

What I usually do, however, is do it through the CLI.

HELLFIRE to uudruid74

said by uudruid74 :

I don't see where I can give it an RSA key!

Should be able to generate from the CLI. Try this to start yourself off.

Regards

uudruid74

Thanks Hellfire, but I actually figured it out. I was thinking it was wanting MY key, like you would use for a password-less login. I was thinking maybe it wanted to verify my key and password both. It never occurred to me that the key it didn't have was its OWN. I've never run into that situation before as most systems will generate a key when you install ssh. I really can't figure out why it wouldn't just auto-generate one when it comes on.

Anyway, I got it, and thanks for all your help. I got the SMB shares working as well. Just needed to specify a WINS server to hold the browse list. Easy enough to tell my Linux samba server to be a wins server and then give everyone that IP via dhcp.

HELLFIRE to uudruid74

Glad to help, enjoy your new ASA!

Question, what licence level do you have on the box? Able to share a "show ver | i lic" with us?

Regards

uudruid74

I'm not at all sure. It was gift from a friend who no longer needed it. But the command output is:

This platform has an ASA 5520 VPN Plus license.

HELLFIRE to uudruid74

...ahh, thanks for sharing!

Regards

uudruid74

Why's it matter and what's the difference?? I'm confused.

HELLFIRE to uudruid74

No reason, it's just like when you get a (new) car or computer and someone asks "what [insert feature] does it have?"

Regards

uudruid74

I just figured most people ask about hardware, software or whatever. License? Maybe I've been using Linux too long

aryoba

License determines whether certain features are supported or behave as they are supposed to.