lpse2000
New Member
Posts:
26
Joined:
Tue Nov 27, 2007 4:20 pm

FWSM with interfaces of the same security level

Fri Apr 18, 2008 5:03 pm

Hey guys. I've got an FWSM with right now 2 interfaces, both the same security level. I've put in the same-security-traffic permit inter-interface in and setup my translations and access-lists/groups, but it just doesn't seem to want to work. Anyone know of how to go about this? I don't even see hits on the access-list. I've verified all other connectivity and routing works.

Code:
interface Vlan10
 nameif blue
 security-level 80
 ip address 10.0.10.254 255.255.255.0
!
interface Vlan20
 nameif green
 security-level 80
 ip address 20.0.20.254 255.255.255.0
!
interface Vlan99
 nameif dfroute
 security-level 0
 ip address 9.9.9.9 255.255.255.0
!
same-security-traffic permit inter-interface
!
access-list BLUEIN extended permit icmp any any
access-list GREENIN extended permit icmp any any
!
icmp permit any echo blue
icmp permit any echo-reply blue
icmp permit any echo green
icmp permit any echo-reply green
!
nat-control
global (blue) 2 interface
global (green) 1 interface
!
nat (blue) 1 10.0.10.0 255.255.255.0
nat (green) 2 0.0.0.0 0.0.0.0
!
access-group BLUEIN in interface blue
access-group GREENIN in interface green
!
route dfroute 0.0.0.0 0.0.0.0 9.9.9.10 1
route dfroute 1.1.1.0 255.255.255.0 9.9.9.10 1
!
router ospf 99
 network 0.0.0.0 0.0.0.0 area 0
 router-id 20.0.20.254
 log-adj-changes
 redistribute static subnets tag 99
 default-information originate always metric-type 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context


Thanks in advance.

lpse2000
New Member
Posts:
26
Joined:
Tue Nov 27, 2007 4:20 pm

Fri Apr 18, 2008 5:06 pm

Let me further clarify, we need to NAT through same-security interfaces. It works if I turn off NAT.

ibarrere
Cisco Inferno
Posts:
10283
Joined:
Mon Jul 10, 2006 12:58 am

Sat Apr 19, 2008 1:13 pm

How are you testing connectivity?

Obviously your access-list only permits ICMP, yet you're NATting all traffic to the opposing interface IP address, surely you can ping the interface? With the type of NAT you're doing (PAT with overload), there is inherently no way to communicate further than the NAT boundary (in this case the interface that is being NATted to) without doing some sort of port-forwarding.

lpse2000
New Member
Posts:
26
Joined:
Tue Nov 27, 2007 4:20 pm

Sun Apr 20, 2008 3:55 pm

I'm testing connectivity with ping. Currently this is only a proof-of-concept lab, so I only care about ICMP; we'll edit the access-lists to permit and deny whatever later.

Ping to the interface works because of the

Code:
icmp permit any echo blue
icmp permit any echo-reply blue
icmp permit any echo green
icmp permit any echo-reply green


What I want to get to work is that all traffic coming in on blue destined to green gets NATed to the green interface, or even to a pool of IPs on the green VLAN. The interfaces have the same security level configured, so as far as I understand, by default they aren't allowed to talk to each other unless you use the same-security-traffic permit inter-interface command. And according to Cisco http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/intfce_f.html#wp1039276, NAT is optional when going between interfaces of the same security level. We need to NAT for our purpose.

If I remove the NAT commands from the FWSM, I can ping through it and can see hits on the ACL.
Code:
FWSM(config)# sh run global
FWSM(config)#

vrf-lab#sh ip route vrf blue 20.0.20.1
Routing entry for 20.0.20.0/24
  Known via "ospf 10", distance 110, metric 11, type intra area
  Redistributing via bgp 65001
  Advertised by bgp 65001 match internal external 2
  Last update from 10.0.10.254 on Vlan10, 01:23:41 ago
  Routing Descriptor Blocks:
  * 10.0.10.254, from 20.0.20.254, 01:23:41 ago, via Vlan10
      Route metric is 11, traffic share count is 1

vrf-lab#ping vrf blue 20.0.20.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

FWSM(config)# sh access-list BLUEIN
access-list BLUEIN; 1 elements
access-list BLUEIN line 1 extended permit icmp any any (hitcnt=5) 0x9dab3f18


If I make one security-level higher than the other, NATing works.

Code:
FWSM(config)# sh nameif       
Interface                Name                     Security
Vlan10                   blue                      90
Vlan20                   green                     80
Vlan99                   dfroute                    0

FWSM(config)# sh run nat
nat (blue) 1 0.0.0.0 0.0.0.0
nat (green) 2 0.0.0.0 0.0.0.0

FWSM(config)# sh run global
global (green) 1 interface

FWSM(config)# clear access-list BLUEIN counters
FWSM(config)# clear access-list GREENIN counters

vrf-lab#ping vrf blue 20.0.20.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
vrf-lab#
[Resuming connection 1 to 127.0.0.41 ... ]

FWSM(config)# sh xlate
1 in use, 2 most used
PAT Global 20.0.20.254(1026) Local 10.0.10.1 ICMP id 79
FWSM(config)#

FWSM(config)# sh access-list BLUEIN
access-list BLUEIN; 1 elements
access-list BLUEIN line 1 extended permit icmp any any (hitcnt=5) 0x9dab3f18
FWSM(config)# sh access-list GREENIN
access-list GREENIN; 1 elements
access-list GREENIN line 1 extended permit icmp any any (hitcnt=5) 0xe6781713


Now if I try to ping through when it's configured so that blue traffic gets translated to the green interface and green traffic gets translated to the blue interface and they both are the same security level, NAT doesn't work.

Code:
FWSM(config)# sh access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list BLUEIN; 1 elements
access-list BLUEIN line 1 extended permit icmp any any (hitcnt=5) 0x9dab3f18
access-list GREENIN; 1 elements
access-list GREENIN line 1 extended permit icmp any any (hitcnt=5) 0xe6781713
FWSM(config)# clear xlate

FWSM(config)# clear access-list BLUEIN counters
FWSM(config)# clear access-list GREENIN counters

FWSM(config)# sh nameif
Interface                Name                     Security
Vlan10                   blue                      80
Vlan20                   green                     80
Vlan99                   dfroute                    0

FWSM(config)# sh run global
global (blue) 2 interface
global (green) 1 interface

vrf-lab#ping vrf blue 20.0.20.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.20.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
vrf-lab#ping vrf green 10.0.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
vrf-lab#
[Resuming connection 1 to 127.0.0.41 ... ]

FWSM(config)# sh xlate
0 in use, 2 most used
FWSM(config)# sh access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list BLUEIN; 1 elements
access-list BLUEIN line 1 extended permit icmp any any (hitcnt=0) 0x9dab3f18
access-list GREENIN; 1 elements
access-list GREENIN line 1 extended permit icmp any any (hitcnt=0) 0xe6781713


In fact, it's not even getting to the ACL check. From what I understand about how the FWSMs work, inbound traffic gets sanity checked, then security checked to see if the source and destination meet the configured security levels and translation configurations, and then it runs through the ACL checks. It's almost like I haven't turned on the right switch, but the only one I know of is same-security-traffic permit inter-interface, and it doesn't seem to be working correctly.

Anyone have experience doing translation through same security level interfaces?

Sorry for the long post, and again, thanks in advance.

harleyd
New Member
Posts:
1
Joined:
Wed Jun 27, 2012 11:09 am
Certs:
CCNP

Re: FWSM with interfaces of the same security level

Wed Jun 27, 2012 11:19 am

You may want to try turning icmp inspection on to correct this issue.

Here is a sample:

Code:
global (outside) 5 50.50.50.50
access-list TEST1 extended permit ip host 10.10.180.181 any
access-list TEST1 extended permit ip host 10.10.180.182 any
nat (inside) 5 access-list TEST1

Doing a TCP session from either of the two PATed hosts works, but ICMP replies do not get correctly mapped.

Turning on the following corrects the issue with ICMP:

Code:
policy-map global_policy
 class inspection_default
  inspect icmp

Hope this helps; it's the only way I was able to get ICMP replies to work through a global.
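The first post and the reply above together describe three things a reader would want to check mechanically in a PIX/ASA 7.x-style (FWSM 3.x) config: that `nat` and `global` statements pair by ID across the interfaces traffic actually crosses, that interfaces at equal security levels have `same-security-traffic permit inter-interface`, and that ICMP is only tracked as a connection when `inspect icmp` is on. The linter below is an added example for this thread, not Cisco code and not either poster's; the rules it enforces are assumptions taken from the posts, and the config excerpt it runs on is constructed from the first post.

```python
"""Lint nat/global pairing, the same-security permit and ICMP inspection in a
PIX/ASA 7.x-style (FWSM 3.x) config excerpt.
Added example for this thread, not Cisco code. The rules checked are assumptions
taken from the thread: nat/global pair by ID, equal security levels need
'same-security-traffic permit inter-interface', and ICMP is only stateful with
'inspect icmp'."""
import re

# Constructed excerpt of the first post's config (blue and green both at level 80).
OP_CONFIG = """\
interface Vlan10
 nameif blue
 security-level 80
!
interface Vlan20
 nameif green
 security-level 80
!
interface Vlan99
 nameif dfroute
 security-level 0
!
same-security-traffic permit inter-interface
access-list BLUEIN extended permit icmp any any
access-list GREENIN extended permit icmp any any
nat-control
global (blue) 2 interface
global (green) 1 interface
nat (blue) 1 10.0.10.0 255.255.255.0
nat (green) 2 0.0.0.0 0.0.0.0
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
"""

def parse_config(text):
    """Extract only the statements the linter reasons about."""
    cfg = {"sec": {}, "nat": {}, "global": {}, "same_sec_inter": False,
           "nat_control": False, "inspect_icmp": False, "acl_icmp": False}
    iface = None  # the 'interface' block being read, if any
    for line in text.splitlines():
        s = line.strip()
        if not s or s == "!" or not line.startswith(" "):
            iface = None
        if re.fullmatch(r"interface (\S+)", s):
            iface = {"nameif": None, "sec": None}
        elif iface is not None:
            if m := re.fullmatch(r"nameif (\S+)", s):
                iface["nameif"] = m.group(1)
            elif m := re.fullmatch(r"security-level (\d+)", s):
                iface["sec"] = int(m.group(1))
            if iface["nameif"] is not None and iface["sec"] is not None:
                cfg["sec"][iface["nameif"]] = iface["sec"]
        elif s == "same-security-traffic permit inter-interface":
            cfg["same_sec_inter"] = True
        elif s == "nat-control":
            cfg["nat_control"] = True
        elif s == "inspect icmp":
            cfg["inspect_icmp"] = True
        elif re.match(r"access-list \S+ extended permit (icmp|ip) ", s):
            cfg["acl_icmp"] = True
        elif m := re.fullmatch(r"nat \((\S+)\) (\d+)\b.*", s):
            cfg["nat"].setdefault(m.group(2), set()).add(m.group(1))
        elif m := re.fullmatch(r"global \((\S+)\) (\d+)\b.*", s):
            cfg["global"].setdefault(m.group(2), set()).add(m.group(1))
    return cfg

def lint(cfg):
    """Return findings: ERROR = traffic cannot pass, INFO/WARN = likely surprises."""
    out = []
    names = sorted(cfg["sec"])
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if cfg["sec"][a] == cfg["sec"][b] and not cfg["same_sec_inter"]:
                out.append(f"ERROR: {a} and {b} are both security-level {cfg['sec'][a]} "
                           "but 'same-security-traffic permit inter-interface' is missing")
    for nid, srcs in sorted(cfg["nat"].items()):
        if nid == "0":
            continue  # nat 0 is identity NAT / NAT exemption and takes no global
        globs = cfg["global"].get(nid, set())
        if not globs:
            out.append(f"ERROR: nat id {nid} on {sorted(srcs)} has no global with that id")
            continue
        if cfg["nat_control"]:  # higher-to-lower traffic must match a nat/global pair
            for src in sorted(srcs):
                lower = {n for n, lvl in cfg["sec"].items() if lvl < cfg["sec"].get(src, 0)}
                if missing := sorted(lower - globs):
                    out.append(f"INFO: nat-control is on and nat id {nid} on {src} has no "
                               f"global toward {missing}; that traffic needs another rule")
    for gid, dsts in sorted(cfg["global"].items()):
        if gid not in cfg["nat"]:
            out.append(f"WARN: global id {gid} on {sorted(dsts)} has no nat statement")
    if cfg["acl_icmp"] and not cfg["inspect_icmp"]:
        out.append("WARN: ICMP is permitted but 'inspect icmp' is off; ICMP is then not "
                   "tracked as a connection and replies need their own permit on the "
                   "return interface")
    return out

def lint_text(text):
    return lint(parse_config(text))

if __name__ == "__main__":
    for finding in lint_text(OP_CONFIG):
        print(finding)
```

Run against the first post's config the linter finds the nat/global pairing intact (nat 1 on blue pairs with global 1 on green and vice versa), which matches the poster's observation that the pairing itself is not the problem; what it does flag is that neither pair reaches dfroute while nat-control is on, and that ICMP is permitted without `inspect icmp`, the point the reply above makes.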

Vito_Corleone
Moderator
Posts:
9850
Joined:
Mon Apr 07, 2008 10:38 am
Certs:
CCNP RS, CCNP DC, CCDP, CCIP

Re: FWSM with interfaces of the same security level

Wed Jun 27, 2012 4:07 pm

Thread is four years old man.
http://blog.alwaysthenetwork.com

