https://community.cisco.com/t5/network-security/asa5510-unable-communication-between-eth0-1-and-eth0-2/m-p/1414789#M750611 <P>I have seen some previous posts regarding this matter but the solution is not quite clear.&nbsp; Here is my issue:</P><P><BR />I have a ASA5510 that has the following configuration:</P><P>ethernet 0/0 outside security level 0<BR />ethernet 0/1 inside security level 100&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (192.168.2.0/24)<BR />ethernet 0/2 private security level 100&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (192.168.3.0/24)</P><P></P><P>same−security−traffic permit inter−interface</P><P>access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0 <BR />access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.3.0 255.255.255.0 <BR />nat (Inside) 0 access-list nonat<BR />nat (Inside) 1 0.0.0.0 0.0.0.0<BR />nat (private) 0 access-list nonat<BR />nat (private) 1 0.0.0.0 0.0.0.0</P><P><BR />The servers on both were able to access internet. However, they cannot talk to each other. When I ping between 2 sides, the firewall log showed:</P><P>portmap translation creation failed for icmp src Inside:192.168.2.151dst private:192.168.3.101(type 8, code 0)</P><P></P><P>I am not sure what do I miss. Can anyone help?</P><P></P><P>Thanks in advance</P> Mon, 11 Mar 2019 17:00:17 GMT members1st 2019-03-11T17:00:17Z https://community.cisco.com/t5/network-security/asa5510-unable-communication-between-eth0-1-and-eth0-2/m-p/1414789#M750611 <P>I have seen some previous posts regarding this matter but the solution is not quite clear.&nbsp; Here is my issue:</P><P><BR />I have a ASA5510 that has the following configuration:</P><P>ethernet 0/0 outside security level 0<BR />ethernet 0/1 inside security level 100&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (192.168.2.0/24)<BR />ethernet 0/2 private security level 100&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (192.168.3.0/24)</P><P></P><P>same−security−traffic permit inter−interface</P><P>access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0 <BR />access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.3.0 255.255.255.0 <BR />nat (Inside) 0 access-list nonat<BR />nat (Inside) 1 0.0.0.0 0.0.0.0<BR />nat (private) 0 access-list nonat<BR />nat (private) 1 0.0.0.0 0.0.0.0</P><P><BR />The servers on both were able to access internet. However, they cannot talk to each other. When I ping between 2 sides, the firewall log showed:</P><P>portmap translation creation failed for icmp src Inside:192.168.2.151dst private:192.168.3.101(type 8, code 0)</P><P></P><P>I am not sure what do I miss. Can anyone help?</P><P></P><P>Thanks in advance</P> Mon, 11 Mar 2019 17:00:17 GMT https://community.cisco.com/t5/network-security/asa5510-unable-communication-between-eth0-1-and-eth0-2/m-p/1414789#M750611 members1st 2019-03-11T17:00:17Z https://community.cisco.com/t5/network-security/asa5510-unable-communication-between-eth0-1-and-eth0-2/m-p/1414790#M750644 <HTML><HEAD></HEAD><BODY><P>Your access-list appears incorrect.</P><P>Pls. change it to the following:</P><P>access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0 <BR />access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0</P><P></P><P>-KS</P></BODY></HTML> Fri, 22 Jan 2010 03:49:25 GMT https://community.cisco.com/t5/network-security/asa5510-unable-communication-between-eth0-1-and-eth0-2/m-p/1414790#M750644 Kureli Sankar 2010-01-22T03:49:25Z https://community.cisco.com/t5/network-security/asa5510-unable-communication-between-eth0-1-and-eth0-2/m-p/1414791#M750674 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P></P><P>I see that you are facing assymetric routing issue in your n/w.</P><P></P><P>Is the default gateway of users behind Private and inside ifc the ASA itself or do you have a layer 3 device like router ? If you have one. then let the router handle the inter subnet communication.</P><P></P><P>Should you not have any router, then you could try using TCP State Bypass mechanism in ASA (8.2(x) + only).</P><P></P><P>Please read more about tcp-state-bypass method to overcome assymetric routing issues:</P><P></P><P><A class="jive-link-external-small" href="http://cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html">http://cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html</A></P><P></P><P>HTH</P><P></P><P>Vijaya</P></BODY></HTML> Fri, 22 Jan 2010 04:05:14 GMT https://community.cisco.com/t5/network-security/asa5510-unable-communication-between-eth0-1-and-eth0-2/m-p/1414791#M750674 vilaxmi 2010-01-22T04:05:14Z https://community.cisco.com/t5/network-security/asa5510-unable-communication-between-eth0-1-and-eth0-2/m-p/1414792#M750700 <HTML><HEAD></HEAD><BODY><P>After change the access-list and it works.</P><P></P><P>Thank you so much.</P></BODY></HTML> Fri, 22 Jan 2010 15:09:36 GMT https://community.cisco.com/t5/network-security/asa5510-unable-communication-between-eth0-1-and-eth0-2/m-p/1414792#M750700 members1st 2010-01-22T15:09:36Z