topic Re: ASA interfaces in Network Security

ASA interfaces

veena_kompal — Mon, 11 Mar 2019 14:20:32 GMT

Hi there..

There are 2 interfaces configured on ASA, where one is connected to 10.x.x.x and the other connected to 192.x.x.x ..the problem is there seems to be no communication between these two..any suggestions.

FYI: they hav the same security level and the command to same-security-traffic permit inter-interface but still doesnt work..

Thanks

Re: ASA interfaces

John Blakley — Wed, 03 Dec 2008 14:52:21 GMT

Can you ping the interface from the ASA itself, or are you trying to ping from a device in 10.x.x.x to a device in 192.x.x.x?

If the latter, try this:

Say you have 192.168.1.0 in a DMZ and 10.0.0.0 on your inside

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

clear xlate

See if you can ping the device now.

HTH,

John

Re: ASA interfaces

veena_kompal — Wed, 03 Dec 2008 15:35:47 GMT

thanks John..

But why is this NAT command required though the interfaces are in the same security level and implicitly the traffic should be allowed between the 2 interfaces.

Re: ASA interfaces

John Blakley — Wed, 03 Dec 2008 15:40:59 GMT

It shouldn't be required. Can you post your config?

Re: ASA interfaces

veena_kompal — Wed, 03 Dec 2008 15:51:43 GMT

please find the attached file..

Re: ASA interfaces

John Blakley — Wed, 03 Dec 2008 16:01:04 GMT

I'm a little confused as to what you're trying to do. You have both vlan interfaces with the same security level, but you have only one of your ethernet ports in vlan2. Are you trying to not NAT between the interfaces at all, and make this a transparent firewall? You also have a global statement, which if you want to turn natting off, you need to remove. Your default gateway is .254 and it's on the inside of your network. Is this a proxy server? I've only seen same security levels between dmz and inside, but I've never seen it from out to in, so I may not be the best to answer how you have this configured.

HTH,

John

Re: ASA interfaces

veena_kompal — Wed, 03 Dec 2008 16:10:50 GMT

Hi John,

I have two networks 10.x.x.x and 192.x.x.x .The firewal is used between these two networks and the 10.x.x.x should be able to access the 192.x.x.x. Apart from this there is no other specifications/requirments..but I will have to establish communication between 10.x.x.x to 192.x.x.x

So any suggestions are welcome..

thanks

Re: ASA interfaces

SOL10 — Wed, 03 Dec 2008 16:11:28 GMT

Veena

as far as IM aware ping is disabled on the interfaces by default, try this command

icmp permit network add interface inside

icmp permit network add interface dmz

Like John, Im confused as to you end goal, please care to elaborate

Regards

Sol

Re: ASA interfaces

John Blakley — Wed, 03 Dec 2008 16:16:32 GMT

Try this:

1. Change the security level for vlan 2 to 0

2. Remove the global (inside) 1 interface command

After doing this, see if you can ping from the 10.x.x.x network to a device on the 192.x.x.x network. (Of course, it has to be a device in one of your ACLs.) You could remove the ACL from the inside interface just to test.

HTH,

John

Re: ASA interfaces

veena_kompal — Wed, 03 Dec 2008 16:33:17 GMT

John,

If I change the security-level of vlan 2 to 0 then it would be considered as lower level though these 2 networks are trusted ones with in the organistaion.

There is no dmz required..so basically its just that the firewall placed between two different internal networks..

Re: ASA interfaces

John Blakley — Wed, 03 Dec 2008 16:49:58 GMT

You may need to enable nat to do what you want then. try this:

global (outside) 1 interface

nat (inside) 1 interface

static (inside,outside) 192.x.x.x 10.x.x.x netmask 255.255.255.0 <--whatever your mask is.

See if that helps, but don't change your security levels on any of the interfaces.

John

Re: ASA interfaces

veena_kompal — Thu, 04 Dec 2008 11:24:54 GMT

Hi John..

thanks for the response..

I did try to enter the above commands but I got error when I tried to configure the nat (inside)command..

Anyways..thanks for your help..