topic Re: no communication between same security interfaces in Network Security

no communication between same security interfaces

mekael.itzik — Mon, 11 Mar 2019 16:25:05 GMT

I cannot open shared network drive and ping between two interfaces with same security level.

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan3

nameif inside_wlan

security-level 100

ip address 10.10.10.1 255.255.255.0

same-security-traffic permit inter-interface

access-list outside_access_in extended permit icmp any any echo-reply

access-list inside_access_in extended permit tcp object-group network_group_inside any object-group service_group_inside2otside_tcp

access-list inside_access_in extended permit udp object-group network_group_inside any object-group service_group_inside2outside_udp

access-list inside_access_in extended permit icmp any any

access-list inside_wlan_access_in extended permit tcp object-group network_group_inside_wlan any object-group service_group_inside_wlan2otside_tcp

access-list inside_wlan_access_in extended permit udp object-group network_group_inside_wlan any object-group service_group_inside_wlan2outside_udp

access-list inside_wlan_access_in extended permit icmp any any

nat-control

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside_wlan) 1 10.10.10.0 255.255.255.0

static (inside,outside) tcp interface 4662 home 4662 netmask 255.255.255.255

static (inside,outside) udp interface 4672 home 4672 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group inside_wlan_access_in in interface inside_wlan

Re: no communication between same security interfaces

Kureli Sankar — Mon, 12 Oct 2009 00:51:45 GMT

I believe you need the following:

static (inside,inside_wlan) 192.168.1.0 192.168.1.0 net 255.255.255.0

Pls. enable logging:

loggin on

logging buffered 7

sh logg | i 192.168.1.x

When you ping the 10.10.10.x host from a 192.68.1.x host.

Here is the link for same security intra/inter:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wpxref77088

Re: no communication between same security interfaces

mekael.itzik — Mon, 12 Oct 2009 02:03:19 GMT

Thank you for help.

After that I did

static (inside,inside_wlan) 192.168.1.0 192.168.1.0 net 255.255.255.0

I got this log from ASA 5505:

Oct 11 2009 22:58:37 ciscoasa : %ASA-6-302020: Built inbound ICMP connection for faddr home/0 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

Oct 11 2009 22:58:37 ciscoasa : %ASA-6-302021: Teardown ICMP connection for faddr home/0 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

And from Kiwi log viwer:

ciscoasa : %ASA-3-305005: No translation group found for icmp src inside:home dst inside_wlan:lp-mekael (type 8, code 0)

Re: no communication between same security interfaces

mekael.itzik — Mon, 12 Oct 2009 02:15:35 GMT

I added one more line and it began to work.

Can you explain me by short explanation why it works.

static (inside,inside_wlan) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (inside_wlan,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Re: no communication between same security interfaces

Kureli Sankar — Mon, 12 Oct 2009 11:28:39 GMT

The static line is required because you have nat/global configured for those 192 and 10 networks.

Once you provide a nat/global then, the flow will require translation for any other flow between any other interfaces meaning NO NAT-CONTROL will not have any effect and it will be considered NAT-CONTROL. We just provided the identity translation that it needs.

That is all.

If you did not have the nat/global for both these networks then, the no nat-control in the configuration would have kicked in and there would not have been a need to add identity static to get this to work.

I hope this is clear. If not pls. let us know.

Re: no communication between same security interfaces

mekael.itzik — Mon, 12 Oct 2009 14:17:11 GMT

Thank you for your help !!!