topic Re: ASA 5520 & same security level in Network Security

ASA 5520 & same security level

Andrei Scurupii — Fri, 21 Feb 2020 09:14:23 GMT

Hello,

Have ASA 5520.

Giga0/0 nameif outside, sec 0 - to internet

Giga0/1 nameif inside, sec 100 - to lan

Giga 0/2 namif wan, sec 100 - to branch offces router.

I've aplied command same-security-traffic permit inter-interface, but no result. Can't access from one to another interface with the same security level.

At asdm log apears next message: No route from lan_ip_addr to wan_ip_addr.

Could you help me to resolve this problem?

Re: ASA 5520 & same security level

a.kiprawih — Mon, 16 Oct 2006 14:05:55 GMT

After you add "same-security-traffic permit inter-interface", the next thing to do is to permit inside and wan to talk to each other. Example:

inside - 10.1.1.0/24

wan - 10.1.2.0/24

static (inside,wan) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

static (wan,inside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008045247c.html#wp1009571

HTH

Re: ASA 5520 & same security level

Andrei Scurupii — Mon, 16 Oct 2006 15:38:55 GMT

Hi, thanks.. it works.. one more question

beside wan interface i have router with one int to ASA (10.1.2.x) and another to office (11.1.1.x).

From this router can ping lacal lan (10.1.1.0).

But then i ping with sourse int. 11.1.1.x - I cant ping lan. And at ASA logs apears: no route found from 11.1.1.x to 10.1.1.x

Re: ASA 5520 & same security level

a.kiprawih — Mon, 16 Oct 2006 16:13:31 GMT

In other words (correct me if I am wrong), the router has 2 FastE interfaces, one end connected to ASA and carry 10.1.2.x ip, while another FastE interface assigned with 11.1.1.x ip and connected to another 11.1.1.0 segment.

You can't ping it because your ASA does not recognised or can reach (route) 11.1.1.x.

On ASA:

a. Add static route to the router:

route wan 11.1.1.0 255.255.255.0 10.1.1.x

b. Permit icmp to wan interface from 11.1.1.x

icmp permit host 11.1.1.x any wan -or-

icmp permit 11.1.1.0 255.255.255.0 any wan

Optional:

On your router, if all access need to point back to ASA, then create default route to ASA (or add specific route):

ip route 0.0.0.0 0.0.0.0 10.1.2.y --> ASA wan interface IP

HTH. Pls rate all helpful posts.