topic Need fluid traffic between two same security level interfaces in Network Security

Need fluid traffic between two same security level interfaces

Eduardo Guerra — Tue, 12 Mar 2019 03:27:36 GMT

Dear Sirs I am configuring an ASA5510 before implementing it on my network. I have 1 ISP for internet connected to Outside Interface, a DMZ Interfaces and 2 inside interfaces. One of these inside interfaces is Outside1 will be connected to a router that will have Fiber and Antenas for communicating with our small offices. I need fluid traffic between Inside an Outside1. I tried using some advices but still not working. Here's my configuration. Can you help me?

: Saved

ASA Version 8.2(1)

hostname ASAFCHFW

domain-name farmaciachavez.com.bo

enable password 6Jfo5anznhoG00fM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

nameif Outside

security-level 0

ip address X.X.X.X y.y.y.y

interface Ethernet0/1

nameif Outside1

security-level 100

ip address 192.168.2.2 255.255.255.0

interface Ethernet0/2

nameif DMZ

security-level 10

ip address 172.16.31.1 255.255.255.0

interface Ethernet0/3

nameif Inside

security-level 100

ip address 192.168.100.1 255.255.255.0

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name farmaciachavez.com.bo

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list dmz_in extended permit ip any any

access-list dmz_in extended permit icmp any any

access-list Inside extended permit ip any any

access-list Inside extended permit icmp any any

access-list 100 extended permit tcp any host x.x.x..163 eq smtp

access-list 100 extended permit udp any host x.x.x.163 eq domain

access-list 100 extended permit tcp any host x.x.x.163 eq https

access-list 100 extended permit tcp any host x.x.x.163 eq www

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Outside1 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.100.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Inside

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

static (Inside,DMZ) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (DMZ,Outside) x.x.x.163 172.16.31.0 netmask 255.255.255.255

static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

access-group 100 in interface Outside

access-group dmz_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 x.x.x.161 1

route Outside1 172.1.1.0 255.255.255.0 192.168.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.100.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:b5e4725e47eea02221510b282e9e5843

: end

Thanks in advanced

Eduardo Guerra

Need fluid traffic between two same security level interfaces

Collin Clark — Fri, 10 Jan 2014 04:47:03 GMT

So is there no communications from inside to outside1?

Need fluid traffic between two same security level interfaces

Eduardo Guerra — Fri, 10 Jan 2014 13:37:22 GMT

Yes, there is no communication. I tried pinging from a computer connected to Inside to computer connected to Outside1 and viceversa, also i tried to access shared resources from each computer with negative results

Need fluid traffic between two same security level interfaces

prateeve — Fri, 10 Jan 2014 13:42:58 GMT

Hi,

Try to use the following command"

same-security-traffic permit inter-interface

- Prateek Verma

Need fluid traffic between two same security level interfaces

Collin Clark — Fri, 10 Jan 2014 14:08:46 GMT

Can you post the results of this command?

packet-tracer input inside tcp 192.168.100.5 9823 192.168.2.10 80 detail

and

packet-tracer input Outside1 tcp 192.168.2.10 9823 192.168.100.5 80 detail

Need fluid traffic between two same security level interfaces

Eduardo Guerra — Fri, 10 Jan 2014 19:12:17 GMT

Here are the results:

packet-tracer input inside tcp 192.168.100.5 9823 192.168.2.10 80 detail (Last 2 Phases)

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (Inside,DMZ) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

match ip Inside 192.168.100.0 255.255.255.0 DMZ any

static translation to 192.168.100.0

translate_hits = 0, untranslate_hits = 471

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab9355d0, priority=5, domain=host, deny=false

hits=1611, user_data=0xab934f90, cs_id=0x0, reverse, flags=0x0, protocol

src ip=192.168.100.0, mask=255.255.255.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype:

Result: DROP

Config:

nat (Inside) 101 0.0.0.0 0.0.0.0

match ip Inside any Outside1 any

dynamic translation to pool 101 (No matching global)

translate_hits = 94, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab9309e8, priority=1, domain=nat, deny=false

hits=93, user_data=0xabeffa80, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside1

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

packet-tracer input Outside1 tcp 192.168.2.10 9823 192.168.100.5 80 detail (Last 2 Phases)

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab7f6198, priority=0, domain=permit-ip-option, deny=true

hits=776, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype:

Result: DROP

Config:

nat (Outside1) 101 0.0.0.0 0.0.0.0

match ip Outside1 any Inside any

dynamic translation to pool 101 (No matching global)

translate_hits = 1, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xac0c13f8, priority=1, domain=nat, deny=false

hits=0, user_data=0xac0c1338, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: Outside1

input-status: up

input-line-status: up

output-interface: Inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Also i added this command:

nat (Outside1) 101 0.0.0.0 0.0.0.0

Need fluid traffic between two same security level interfaces

prateeve — Fri, 10 Jan 2014 19:28:01 GMT

Hi,

Try to put in following commands:

static (Inside,outside1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

- Prateek Verma

Need fluid traffic between two same security level interfaces

Eduardo Guerra — Thu, 16 Jan 2014 05:16:17 GMT

Dear Prateek, configurationo is like this and i can connect between interfaces but i cant access to network 172.1.1.0 that is connected to another router that is connected to interface Outside1. Any suggestion for this?

ASA Version 8.2(1)

hostname ASAFCHFW

domain-name farmaciachavez.com.bo

enable password 6Jfo5anznhoG00fM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

nameif Outside

security-level 0

ip address 200.87.200.162 255.255.255.248

interface Ethernet0/1

nameif Outside1

security-level 100

ip address 192.168.2.1 255.255.255.0

interface Ethernet0/2

nameif DMZ

security-level 10

ip address 172.16.31.1 255.255.255.0

interface Ethernet0/3

nameif Inside

security-level 100

ip address 192.168.0.1 255.255.255.0

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name farmaciachavez.com.bo

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list dmz_in extended permit ip any any

access-list dmz_in extended permit icmp any any

access-list Inside extended permit ip any any

access-list Inside extended permit icmp any any

access-list 100 extended permit tcp any host 200.87.226.163 eq smtp

access-list 100 extended permit udp any host 200.87.226.163 eq domain

access-list 100 extended permit tcp any host 200.87.226.163 eq https

access-list 100 extended permit tcp any host 200.87.226.163 eq www

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Outside1 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.0.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Inside

icmp permit 192.168.0.0 255.255.255.0 Inside

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (Outside1) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

static (DMZ,Outside) 200.87.200.163 172.16.31.0 netmask 255.255.255.255

static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group 100 in interface Outside

access-group dmz_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 200.87.200.161 1

route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 192.168.0.0 255.255.255.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:6dfac383495fa18bde8783c7d47c3d81

: end

Thanks in advanced

Need fluid traffic between two same security level interfaces

James Leinweber — Thu, 16 Jan 2014 17:10:04 GMT

What happens if you increase the routing distance for the default route, e.g.

route Outside 0.0.0.0 0.0.0.0 200.87.200.161 20

-- Jim Leinweber, WI State Lab of Hygiene

Need fluid traffic between two same security level interfaces

Eduardo Guerra — Thu, 16 Jan 2014 18:58:54 GMT

Default route is for internet use. Another static route is for connecting headquater with another offices

Need fluid traffic between two same security level interfaces

Eduardo Guerra — Fri, 17 Jan 2014 14:48:08 GMT

I've modified route like James told but no changes. I run a this packet tracer and result is this

Packet Tracer:

packet-tracer input inside tcp 192.168.0.5 9823 172.1.1.10 80 detail

Result:

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 172.1.1.0 255.255.255.0 Outside1

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab8755c8, priority=2, domain=permit, deny=false

hits=175, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab877570, priority=0, domain=permit-ip-option, deny=true

hits=299, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

match ip Inside 192.168.0.0 255.255.255.0 Outside1 any

static translation to 192.168.0.0

translate_hits = 179, untranslate_hits = 18292

Additional Information:

Static translate 192.168.0.0/0 to 192.168.0.0/0 using netmask 255.255.255.0

Forward Flow based lookup yields rule:

in id=0xab94c948, priority=5, domain=nat, deny=false

hits=175, user_data=0xab94c0a0, cs_id=0x0, flags=0x0, protocol=0

src ip=192.168.0.0, mask=255.255.255.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

match ip Inside 192.168.0.0 255.255.255.0 DMZ any

static translation to 192.168.0.0

translate_hits = 0, untranslate_hits = 11

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab811c80, priority=5, domain=host, deny=false

hits=18742, user_data=0xab8d1270, cs_id=0x0, reverse, flags=0x0, protoco

l=0

src ip=192.168.0.0, mask=255.255.255.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (Outside1) 101 0.0.0.0 0.0.0.0

match ip Outside1 any Inside any

dynamic translation to pool 101 (No matching global)

translate_hits = 309, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

out id=0xab93f558, priority=1, domain=nat-reverse, deny=false

hits=74, user_data=0xab93f2e8, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside1

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Any ideas for solving this route issue?

Need fluid traffic between two same security level interfaces

Collin Clark — Fri, 17 Jan 2014 15:44:17 GMT

There is no NAT so it's failing.

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (Outside1) 101 0.0.0.0 0.0.0.0

match ip Outside1 any Inside any

dynamic translation to pool 101 (No matching global)

Have you tried Prateek's commands?

static (Inside,outside1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Prateek's commands are one way to fix it.

You could also try-

global (Inside) 102 interface

nat (Outside1) 102 0 0

Need fluid traffic between two same security level interfaces

Eduardo Guerra — Fri, 17 Jan 2014 16:55:08 GMT

Dear Collin, do these lines:

global (Inside) 102 interface

nat (Outside1) 102 0 0

will not restrict traffic to the internet by interface Outside?

Need fluid traffic between two same security level interfaces

Collin Clark — Fri, 17 Jan 2014 16:58:10 GMT

Those lines will nat traffic from Outside1 to the Inside using the IP assigned to the Inside interface.

Need fluid traffic between two same security level interfaces

Eduardo Guerra — Fri, 17 Jan 2014 20:13:32 GMT

Collin, Here's my network diagram. I need to use static routes from Lan to 172.1.x.x to communicate other offices with headquater LAN (I need NAT no PAT as you suggested answer before). Also i need to communicate branch offices with email server. Actually the service router i am using to connect branch offices is Cisco RV016 but in the near future it will be ISR G2 Cisco 892

If you need some more explanation to solve routing issue, please tell. also here's the up to date configuration

ASA Version 8.2(1)

hostname ASAFCHFW

domain-name farmaciachavez.com.bo

enable password 6Jfo5anznhoG00fM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

nameif Outside

security-level 0

ip address x.x.x.162 255.255.255.248

interface Ethernet0/1

nameif Outside1

security-level 100

ip address 192.168.2.1 255.255.255.0

interface Ethernet0/2

nameif DMZ

security-level 10

ip address 172.16.31.1 255.255.255.0

interface Ethernet0/3

nameif Inside

security-level 100

ip address 192.168.0.1 255.255.255.0

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name farmaciachavez.com.bo

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list dmz_in extended permit ip any any

access-list dmz_in extended permit icmp any any

access-list Inside extended permit ip any any

access-list Inside extended permit icmp any any

access-list 100 extended permit tcp any host x.x.x.163 eq smtp

access-list 100 extended permit udp any host x.x.x.163 eq domain

access-list 100 extended permit tcp any host x.x.x.163 eq https

access-list 100 extended permit tcp any host x.x.x.163 eq www

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Outside1 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.0.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Inside

icmp permit 192.168.0.0 255.255.255.0 Inside

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (Outside1) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

static (DMZ,Outside) 200.87.200.163 172.16.31.0 netmask 255.255.255.255

static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group 100 in interface Outside

access-group dmz_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 x.x.x.161 20

route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 192.168.0.0 255.255.255.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:3235bd0aa15e755b360cd2fb30b227ef

: end

Need fluid traffic between two same security level interfaces

Collin Clark — Fri, 17 Jan 2014 23:10:09 GMT

So the satelitte offices connect to Inside to access ERP, voice, video, etc and you do not want them to NAT? They also need to get out to the internet through your firewall for email correct?

Need fluid traffic between two same security level interfaces

Eduardo Guerra — Fri, 17 Jan 2014 23:40:53 GMT

Yes, you are right

Also email must be able for LAN users, and branch offices users. I have communication between Inside and DMZ (Email server is on DMZ) so LAN users can connect to email.

Need fluid traffic between two same security level interfaces

Collin Clark — Sat, 18 Jan 2014 04:33:13 GMT

Try-

static (Inside,outside1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (outside1,DMZ) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

Need fluid traffic between two same security level interfaces

Eduardo Guerra — Sat, 18 Jan 2014 16:33:14 GMT

Dear Collin, those lines are already inserted in the conf. I cannot reach anyway network 172.1.x.x even if i have static route to that network (i have point that network 172.1.x.x is connected to a router that is connected to interface Outside1). Do i have to insert an ACL or what should i do to reach that network

Need fluid traffic between two same security level interfaces

Collin Clark — Sat, 18 Jan 2014 19:51:52 GMT

From the router in the diagram can you access anything in the Inside or DMZ?