https://community.cisco.com/t5/network-security/cisco-asa-inside-to-inside-routing-problem/m-p/2886861#M157112 <P>Hi</P> <P>sorry for my short answer I'm on the bus right now.</P> <P>why are you using nat?</P> <P>did you activate same-security interface feature?</P> <P>thanks</P> Mon, 04 Jul 2016 23:26:22 GMT Francesco Molino 2016-07-04T23:26:22Z https://community.cisco.com/t5/network-security/cisco-asa-inside-to-inside-routing-problem/m-p/2886860#M157109 <P>Hello. I have two interfaces configured on ASA - 'inside' 10.100.60.1/24 and 'balancers' 10.100.40.1/24</P> <P>Also I have router R1 and subnet 10.100.7.0/24 &nbsp;behind. &nbsp;R1 has 2 interfaces - 10.100.70.1/24 and 10.100.60.150/24</P> <P><SPAN style="text-decoration: underline;">Problem is that i <SPAN style="color: #000000; text-decoration: underline;">can't reach subnet 10.100.70.0/24 from host&nbsp;10.100.60.34 (</SPAN><SPAN style="color: #000000; text-decoration: underline;">Default gateway&nbsp;is ASA 10.100.60.1)</SPAN></SPAN></P> <P>I can&nbsp;successfully reach&nbsp;<SPAN>subnet 10.100.70.0/24 from ASA itself or from other subnets like 10.100.40.0/24</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>I have access rules for both directions:</SPAN></P> <P><SPAN>access-list access-inside-in extended permit ip object-group net_10.100.70 object-group net_10.100.60</SPAN><SPAN><BR />access-list access-inside-in extended permit ip object-group net_10.100.60 object-group net_10.100.70</SPAN></P> <P><SPAN>Also i have NAT rules with 'route-lookup':</SPAN></P> <P>nat (any,inside) source static internal_nets internal_nets destination static net_10.100.60 net_10.100.60 no-proxy-arp route-lookup</P> <P><SPAN>nat (any,inside) source static internal_nets internal_nets destination static net_10.100.70 net_10.100.70 no-proxy-arp route-lookup</SPAN></P> <P>nat (any,balancers) source static internal_nets internal_nets destination static net_10.100.40 net_10.100.40 no-proxy-arp route-lookup</P> <P></P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/net70_1.png" class="migrated-markup-image" /></P> <P></P> <P>interface GigabitEthernet0/2.60<BR /> vlan 60<BR /> nameif inside<BR /> security-level 100<BR /> ip address 10.100.60.1 255.255.255.0 standby 10.100.60.2</P> <P></P> <P>interface GigabitEthernet0/1.40<BR /> vlan 40<BR /> nameif balancers<BR /> security-level 60<BR /> ip address 10.100.40.1 255.255.255.0 standby 10.100.40.2</P> <P></P> <P># show route</P> <P></P> <P>S 10.100.70.0 255.255.255.0 [1/0] via 10.100.60.150, inside<BR />C 10.100.40.0 255.255.255.0 is directly connected, balancers<BR />C 10.100.60.0 255.255.255.0 is directly connected, inside</P> <P>C ............</P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>packet-tracer input inside icmp 10.100.60.34 8 0 10.100.70.103</SPAN></P> <P><SPAN></SPAN>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P> <P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 10.100.70.0 255.255.255.0 inside</P> <P>Phase: 3<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (any,inside) source static internal_nets internal_nets destination static net_10.100.60 net_10.100.60 no-proxy-arp route-lookup&nbsp;<BR />Additional Information:<BR />NAT divert to egress interface inside<BR />Untranslate 10.100.70.103/0 to 10.100.70.103/0</P> <P>Phase: 4<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P> <P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> <P></P> Tue, 12 Mar 2019 07:59:08 GMT https://community.cisco.com/t5/network-security/cisco-asa-inside-to-inside-routing-problem/m-p/2886860#M157109 rStelmakh.loyalty-partners 2019-03-12T07:59:08Z https://community.cisco.com/t5/network-security/cisco-asa-inside-to-inside-routing-problem/m-p/2886861#M157112 <P>Hi</P> <P>sorry for my short answer I'm on the bus right now.</P> <P>why are you using nat?</P> <P>did you activate same-security interface feature?</P> <P>thanks</P> Mon, 04 Jul 2016 23:26:22 GMT https://community.cisco.com/t5/network-security/cisco-asa-inside-to-inside-routing-problem/m-p/2886861#M157112 Francesco Molino 2016-07-04T23:26:22Z https://community.cisco.com/t5/network-security/cisco-asa-inside-to-inside-routing-problem/m-p/2886862#M157116 <P>This rules wasn't configured by me but i guess it stands for security.</P> <P>Are you asking about '<STRONG>noproxyarp</STRONG>' option? It is disabled for all interfaces</P> <P>asa01# show run all sysopt<BR />no sysopt connection timewait<BR />sysopt connection tcpmss 1380<BR />sysopt connection tcpmss minimum 0<BR />sysopt connection permit-vpn<BR />sysopt connection reclassify-vpn<BR />no sysopt connection preserve-vpn-flows<BR />no sysopt radius ignore-secret<BR />no sysopt noproxyarp out<BR />no sysopt noproxyarp public<BR />no sysopt noproxyarp outside<BR />no sysopt noproxyarp dmz<BR /><STRONG>no sysopt noproxyarp balancers</STRONG><BR />no sysopt noproxyarp in<BR /><STRONG>no sysopt noproxyarp inside</STRONG><BR />no sysopt noproxyarp management</P> <P>.....</P> Tue, 05 Jul 2016 07:16:34 GMT https://community.cisco.com/t5/network-security/cisco-asa-inside-to-inside-routing-problem/m-p/2886862#M157116 rStelmakh.loyalty-partners 2016-07-05T07:16:34Z https://community.cisco.com/t5/network-security/cisco-asa-inside-to-inside-routing-problem/m-p/2886863#M157118 <P>Hi</P> <P>I don't see why you have nat exemption as the traffic remains on inside interface.</P> <P>Also verify that Same-security-traffic permit intra-interface is configured on your asa.&nbsp;</P> <P>Thanks&nbsp;</P> <P>PS: Please don't forget to rate and mark as correct answer if this solved your issue&nbsp;</P> Tue, 05 Jul 2016 11:15:13 GMT https://community.cisco.com/t5/network-security/cisco-asa-inside-to-inside-routing-problem/m-p/2886863#M157118 Francesco Molino 2016-07-05T11:15:13Z https://community.cisco.com/t5/network-security/cisco-asa-inside-to-inside-routing-problem/m-p/2886864#M157120 <P>I did '<STRONG>same-security-traffic permit intra-interface</STRONG>' and&nbsp;the problem is solved</P> <P>Thanks very much!</P> Tue, 05 Jul 2016 12:16:02 GMT https://community.cisco.com/t5/network-security/cisco-asa-inside-to-inside-routing-problem/m-p/2886864#M157120 rStelmakh.loyalty-partners 2016-07-05T12:16:02Z https://community.cisco.com/t5/network-security/cisco-asa-inside-to-inside-routing-problem/m-p/2886865#M157122 <P>You're very welcome&nbsp;</P> Tue, 05 Jul 2016 12:59:59 GMT https://community.cisco.com/t5/network-security/cisco-asa-inside-to-inside-routing-problem/m-p/2886865#M157122 Francesco Molino 2016-07-05T12:59:59Z