I am setting up a Cisco ASA 5505 with the base license. I can communicate from inside->outside, outside->inside, inside->home, which is my desired traffic security. I can get http, ssh, and other access from inside->home, but I can't ping from inside->home (192.168.110.0 host to 192.168.7.1 or 192.168.7.0 host).
Can someone explain? My config is listed below:
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.110.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group birdie
 ip address removedIP 255.255.255.255 pppoe
!
interface Vlan3
 no forward interface Vlan1
 nameif home
 security-level 50
 ip address 192.168.7.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list Outside-In extended permit icmp any any
access-list Outside-In extended permit tcp any any eq www
access-list Outside-In extended permit tcp any any eq https
access-list Outside-In extended permit tcp any any eq 5969
access-list inside_nat0_outbound extended permit ip any 192.168.111.0 255.255.255.224
access-list standardUser_splitTunnelAcl1 extended permit ip 192.168.111.0 255.255.255.0 any
access-list standardUser_splitTunnelAcl1 extended permit ip 192.168.110.0 255.255.255.0 any
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list home_in extended permit icmp any any
access-list home_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1492
mtu outside 1492
mtu home 1500
ip local pool vpnuser 192.168.111.5-192.168.111.20
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (home) 1 192.168.7.0 255.255.255.0
static (inside,outside) tcp interface https 192.168.110.6 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.110.6 www netmask 255.255.255.255
static (inside,outside) tcp interface 5969 192.168.110.12 5969 netmask 255.255.255.255
static (inside,home) 192.168.110.0 192.168.110.0 netmask 255.255.255.0
access-group inside_in in interface inside
access-group Outside-In in interface outside
access-group home_in in interface home
route outside 0.0.0.0 0.0.0.0 RemovedIP 1
-
The only thing that looks odd to me in your config is the static (inside,home) statement. It seems to be a no-op since the mapped and real addresses are the same. In my config, I have a dmz type network, too, and no static (inside,dmz) statement. (I do have static (dmz,outside) ... for externally-exposed services.) Anyway, try removing that static and see what effect that has.
From Heath -
I tried to remove the static (inside,home) config, but that stopped access from my inside network to home network.
From Wayne Davis
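As an added example, not part of the original post or either reply, here is a small Python audit script for the classic (pre-8.3) ASA NAT and ACL syntax used above. It parses the statements that decide whether a ping can cross from one interface to another and reports the three things that have to line up: the inbound ACL on the source interface, a NAT rule covering the flow (mandatory here because `nat-control` is set, and a static with identical real and mapped addresses is exactly such a rule, not a no-op), and a path for the echo reply, which without `inspect icmp` in the policy-map must itself be permitted by the ACL on the far interface. The embedded config is a constructed excerpt of the posted one, trimmed to the lines the checks need; the function names are the example's own, and address matching inside ACL entries and `nat 0 access-list` exemptions is deliberately not evaluated.

```python
"""Audit ICMP reachability between two interfaces of a classic (pre-8.3 NAT)
Cisco ASA config. Added example; the excerpt is constructed from the posted
config, trimmed to the statements the checks need."""
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif home
 security-level 50
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list home_in extended permit icmp any any
access-list home_in extended permit ip any any
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (home) 1 192.168.7.0 255.255.255.0
static (inside,home) 192.168.110.0 192.168.110.0 netmask 255.255.255.0
access-group inside_in in interface inside
access-group home_in in interface home
"""

def parse_asa(text):
    cfg = {"seclevel": {}, "acl": {}, "bound": {}, "nat": [], "global": {},
           "static": [], "nat_control": False, "inspect_icmp": False}
    iface = None
    for raw in text.splitlines():
        line, parts = raw.strip(), raw.split()
        if line.startswith("interface "):
            iface = None                       # name is known once nameif appears
        elif line.startswith("nameif "):
            iface = parts[1]
        elif line.startswith("security-level ") and iface:
            cfg["seclevel"][iface] = int(parts[1])
        elif line.startswith("access-list ") and len(parts) > 4 and parts[2] == "extended":
            cfg["acl"].setdefault(parts[1], []).append((parts[3], parts[4]))  # (action, proto)
        elif line.startswith("access-group "):
            cfg["bound"][parts[4]] = parts[1]  # access-group NAME in interface IFACE
        elif line == "nat-control":
            cfg["nat_control"] = True
        elif line.startswith("global "):
            m = re.match(r"global \((\S+)\) (\d+)", line)
            cfg["global"].setdefault(int(m.group(2)), set()).add(m.group(1))
        elif line.startswith("nat "):
            m = re.match(r"nat \((\S+)\) (\d+)(?: access-list (\S+))?", line)
            cfg["nat"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif line.startswith("static "):
            m = re.match(r"static \(([^,]+),([^)]+)\)", line)
            cfg["static"].append((m.group(1), m.group(2)))
        elif line.startswith("inspect icmp"):   # lives under a policy-map class
            cfg["inspect_icmp"] = True
    return cfg

def allowed_inbound(cfg, src, dst, proto):
    """Is `proto` entering on `src` toward `dst` permitted? With no ACL bound, the ASA
    default only lets higher-security interfaces reach lower-security ones."""
    acl = cfg["bound"].get(src)
    if acl is None:
        return cfg["seclevel"][src] > cfg["seclevel"][dst]
    return any(act == "permit" and p in (proto, "ip") for act, p in cfg["acl"].get(acl, []))

def nat_covered(cfg, src, dst):
    """Under nat-control a flow needs a translation: a static in either direction
    (statics are bidirectional) or a nat (src) ID paired with a global (dst) ID."""
    if not cfg["nat_control"]:
        return True
    if any({a, b} == {src, dst} for a, b in cfg["static"]):
        return True
    for iface, nat_id, exempt_acl in cfg["nat"]:
        # nat 0 without an ACL is identity NAT for everything; an ACL-scoped
        # exemption only covers matching flows, which this example does not evaluate.
        if iface == src and ((nat_id == 0 and exempt_acl is None)
                             or dst in cfg["global"].get(nat_id, ())):
            return True
    return False

def echo_reply_passes(cfg, src, dst):
    """Without `inspect icmp` the ASA keeps no ICMP state, so the echo reply
    entering on `dst` must itself be permitted by that interface's inbound ACL."""
    return cfg["inspect_icmp"] or allowed_inbound(cfg, dst, src, "icmp")

def audit_icmp(cfg, src, dst):
    return {"forward_acl": allowed_inbound(cfg, src, dst, "icmp"),
            "nat_control_ok": nat_covered(cfg, src, dst),
            "reply_acl": echo_reply_passes(cfg, src, dst)}

if __name__ == "__main__":
    print("with static:   ", audit_icmp(parse_asa(SAMPLE_CONFIG), "inside", "home"))
    trimmed = "\n".join(l for l in SAMPLE_CONFIG.splitlines() if not l.startswith("static"))
    print("without static:", audit_icmp(parse_asa(trimmed), "inside", "home"))
```

Run against the excerpt, all three checks pass for inside->home, so the posted ACL and NAT lines alone do not explain the failed ping; what the script does show is that dropping the `static (inside,home)` line turns `nat_control_ok` to False, because the only remaining rule for inside, `nat (inside) 1`, has no matching `global (home) 1`, which is consistent with Heath's report that removing the static stopped inside->home access entirely. Since the posted config contains no `policy-map` section, the `reply_acl` check falls back on the `home_in` ACL; if the running config also lacks `inspect icmp`, that ACL is the only thing letting echo replies back in.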