<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Can't pass traffic between interfaces with the same security in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112013#M892599</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks, that worked a treat. Just out of interest, would it be easy to restrict Non-Opps-Orgs to a particular IP and protocol on the inside network?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 16 Dec 2008 14:13:53 GMT</pubDate>
    <dc:creator>Rex Biesty</dc:creator>
    <dc:date>2008-12-16T14:13:53Z</dc:date>
    <item>
      <title>Can't pass traffic between interfaces with the same security</title>
      <link>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112011#M892595</link>
      <description>&lt;P&gt;Hi. We have an ASA5510 firewall and I have 2 inside interfaces (both 100 security) on different subnets, both use NAT to access the internet. I'm trying to enable traffic from one interface (192.168.1.0) to my websense server on the other (172.16.1.8) so websense displays its blockpage message (currently when users on 192.168.1.0 access a restricted site they're getting either a 'page cannot be displayed' message or a 'Live Search' page).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I've tried adding the following commands but just cannot get it to work (not even ping).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Same-security-traffic permit inter-interface&lt;/P&gt;&lt;P&gt;access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0&lt;/P&gt;&lt;P&gt;access-list Non-Opps-Orgs_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0&lt;/P&gt;&lt;P&gt;nat (Non-Opps-Orgs) 0 access-list Non-Opps-Orgs_nat0_outbound&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;All devices use the firewall as their default gateway and there are no static routes on any of the computers.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any ideas would be greatly appreciated.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rex&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 14:22:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112011#M892595</guid>
      <dc:creator>Rex Biesty</dc:creator>
      <dc:date>2019-03-11T14:22:48Z</dc:date>
    </item>
    <item>
      <title>Re: Can't pass traffic between interfaces with the same security</title>
      <link>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112012#M892597</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You're seeing one of the subtleties of the "nat-control" command.  Because you have a nat/global pair configured on the Non-Opps-Orgs interface to the outside, that's blocking the default functionality of the "no nat-control" feature for traffic to other interfaces, such as the inside interface.  This means you either have to configure an explicit nat exemption between the Non-Opps-Orgs and Inside interfaces (in both directions), or just configure static identity NAT between them (in both directions).  Personally, I prefer the old-school static identity NAT, since it's easy and obvious.  For example, if you add these two commands to your config I think it'll work:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;static (inside,Non-Opps-Orgs) 172.16.1.0 172.16.1.0 netmask 255.255.255.0&lt;/P&gt;&lt;P&gt;static (Non-Opps-Orgs,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 10 Dec 2008 18:18:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112012#M892597</guid>
      <dc:creator>ddawson</dc:creator>
      <dc:date>2008-12-10T18:18:07Z</dc:date>
    </item>
    <item>
      <title>Re: Can't pass traffic between interfaces with the same security</title>
      <link>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112013#M892599</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks, that worked a treat. Just out of interest, would it be easy to restrict Non-Opps-Orgs to a particular IP and protocol on the inside network?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 16 Dec 2008 14:13:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112013#M892599</guid>
      <dc:creator>Rex Biesty</dc:creator>
      <dc:date>2008-12-16T14:13:53Z</dc:date>
    </item>
    <item>
      <title>Re: Can't pass traffic between interfaces with the same security</title>
      <link>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112014#M892601</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You could restrict IP addresses by only doing NAT for the address(es) you want to allow, but to restrict by individual ports you'd be better off using access-lists.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 16 Dec 2008 15:01:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112014#M892601</guid>
      <dc:creator>ddawson</dc:creator>
      <dc:date>2008-12-16T15:01:10Z</dc:date>
    </item>
    <item>
      <title>Re: Can't pass traffic between interfaces with the same security</title>
      <link>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112015#M892602</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Might be one to research in the new year but thanks for your help anyway, much appreciated.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 16 Dec 2008 15:22:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112015#M892602</guid>
      <dc:creator>Rex Biesty</dc:creator>
      <dc:date>2008-12-16T15:22:52Z</dc:date>
    </item>
    <item>
      <title>Re: Can't pass traffic between interfaces with the same security</title>
      <link>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112016#M892604</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Question about your answer. Once upon a time wasn't there a limit on how many net statics you could have defined? Let's say you had 20 subnets each with 255 addresses?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 21 Dec 2008 22:08:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112016#M892604</guid>
      <dc:creator>whanson</dc:creator>
      <dc:date>2008-12-21T22:08:50Z</dc:date>
    </item>
    <item>
      <title>Re: Can't pass traffic between interfaces with the same security</title>
      <link>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112017#M892608</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;There's never been a hard limit on the number of static commands you could configure, though there were (and still are) limits on how big your entire configuration could be.  However, there did used to be more restrictions on statics that overlapped (they weren't allowed at all), but now you *can* have overlapping static commands and they are processed in order.  For example, say you have a network static but want to map one of the addresses in the network to some other public address.  This used to not be allowed, but now (as of 7.0) you can get the desired behavior as long as you configure the individual static command(s) before any more general network static commands that would include the individual inside host(s).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 22 Dec 2008 17:49:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112017#M892608</guid>
      <dc:creator>ddawson</dc:creator>
      <dc:date>2008-12-22T17:49:31Z</dc:date>
    </item>
    <item>
      <title>Re: Can't pass traffic between interfaces with the same security</title>
      <link>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112018#M892611</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Dana&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a query on the above question. If we add the following entry&lt;/P&gt;&lt;P&gt;"access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0" will it work?&lt;/P&gt;&lt;P&gt;Looking for your valuable answer.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Ullas&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 22 Dec 2008 19:25:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112018#M892611</guid>
      <dc:creator>ullasupendran</dc:creator>
      <dc:date>2008-12-22T19:25:17Z</dc:date>
    </item>
    <item>
      <title>Re: Can't pass traffic between interfaces with the same security</title>
      <link>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112019#M892614</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yes, that will work too, since the "nat 0 access-list" command *does* have the side effect of creating the necessary xlates for lower-to-higher traffic.  Many people prefer this approach, but I still like the "old way" since it's usually fewer commands.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 22 Dec 2008 20:50:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cant-pass-traffic-between-interfaces-with-the-same-security/m-p/1112019#M892614</guid>
      <dc:creator>ddawson</dc:creator>
      <dc:date>2008-12-22T20:50:31Z</dc:date>
    </item>
  </channel>
</rss>