topic Here is the output. in Network Security

Passing traffic across interfaces with same security levels.

ddevecka — Tue, 12 Mar 2019 06:44:05 GMT

I am trying to pass traffic across 2 interfaces with the same security levels and I can't seem to get it to work past the Firewall its self. I can ping across the firewall to the other network, but I can't get this to function from a network PC. I am running and ASA 5505, and I have enter the same-security commands as well.

Any help would be appreciated.

You can try exempting the

Marvin Rhoads — Mon, 12 Oct 2015 12:58:17 GMT

You can try exempting the traffic from inside to inside1 from NAT.

As is, the configuration will cause that traffic to hit the global NAT rule.

I am newer to ASA, so how

ddevecka — Mon, 12 Oct 2015 13:50:23 GMT

I am newer to ASA, so how would I do this?

Add an entry in your access

Marvin Rhoads — Mon, 12 Oct 2015 14:34:24 GMT

Add an entry in your access list as follows:

access-list inside_nat0_outbound extended permit ip 192.168.153.0 255.255.255.0 192.168.169.0 255.255.0.0

That will make sure the ASA does not NAT the traffic between those two interfaces.

Just tried that and I still

ddevecka — Mon, 12 Oct 2015 18:39:22 GMT

Just tried that and I still can't ping from the network. All is working from the ASA but not the network.

Please run the following

Marvin Rhoads — Mon, 12 Oct 2015 18:43:41 GMT

Please run the following command and share the output:

packet-tracer input inside icmp 192.168.153.10 0 0 192.168.169.10

(The specific source and destination IP addresses aren't critical as long as they are valid within their respective subnets - this just tests the logic of the ASA configuration for passing pings from one subnet to the other.)

Here is the output.

ddevecka — Mon, 12 Oct 2015 19:29:00 GMT

Here is the output.

The output shows you are

Marvin Rhoads — Mon, 12 Oct 2015 20:07:56 GMT

The output shows you are still hitting "nat 1" and not "nat 0" (exemption).See phase 6 where it tells us:

nat (inside) 1 0.0.0.0 0.0.0.0

and following it highlights the problem:

translate_hits = 140, untranslate_hits = 0

I realize I made a typo in the access-list entry I suggested: the destination netmask should be /24 (although the more general netmask should still cover it):

access-list inside_nat0_outbound extended permit ip 192.168.153.0 255.255.255.0 192.168.169.0 255.255.255.0

Can you try that and also provide the output of:

show run access-list inside_nat0_outbound

...and rerun the packet-tracer.

I caught the subnet and fixed

ddevecka — Mon, 12 Oct 2015 20:35:12 GMT

I caught the subnet and fixed it before entering.

Did you have any further

ddevecka — Wed, 14 Oct 2015 19:07:55 GMT

Did you have any further ideas on this?

Hi,

Vibhor Amrodia — Wed, 14 Oct 2015 19:17:39 GMT

Hi,

If i understand it correctly , you are trying to ping from a PC in Subnet:-

192.168.169.x(Network) from the 192.168.153.x subnet(inside)

With the same configuration , first try enabling this command:-

fixup protocol icmp

If this doesn't work , try this:-

Remove the NAT exempt and configure this NAT statement:-

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (network) 1 interface

Let me know if this works ?

Thanks and Regards,

Vibhor Amrodia

I am trying to ping the

ddevecka — Wed, 14 Oct 2015 19:23:27 GMT

I am trying to ping the interfaces on far end interface from the 192.168.152.X side.

So I am on a machine on the 192.168.153.X side and I am just trying to ping the 192.168.169.2 interface.

I will have to wait till

ddevecka — Wed, 14 Oct 2015 19:25:44 GMT

I will have to wait till after business hours tomorrow to do the other as this is a production firewall.

Hi,This will never work on

Vibhor Amrodia — Wed, 14 Oct 2015 19:26:21 GMT

Hi,

This will never work on the ASA device and is expected.

Thanks and Regards,

Vibhor Amrodia

Fixup did not work.

ddevecka — Wed, 14 Oct 2015 19:26:28 GMT

Fixup did not work.

I thought with the same

ddevecka — Wed, 14 Oct 2015 19:33:54 GMT

I thought with the same-security-traffic command you could communicate across interfaces with same security levels.

Hi,As i pointed out earlier ,

Vibhor Amrodia — Wed, 14 Oct 2015 19:34:31 GMT

Hi,

As i pointed out earlier , if you are trying to ping the far end interface , it would never work on the ASA devices.

You have to ping another device in that far end network.

Thanks and Regards,

Vibhor Amrodia

Hi,Yes , with this command ,

Vibhor Amrodia — Wed, 14 Oct 2015 19:47:08 GMT

Hi,

Yes , with this command , you can communicate with with the networks on the two interfaces. It will only not work for the far end interface on the ASA device.

Thanks and Regards,

Vibhor Amrodia