https://community.cisco.com/t5/network-security/not-able-to-communicate-from-inside-to-inside-interface/m-p/977160#M919059 <P>Please look at the attached network diagram for your information. I added a command:</P><P>"same-security-traffic permit intra-interface" on the Internet FW, and I also force the traffic from internal firewall to 172.16.24.22 must pass through Internet FW by adding a route in the internal FW:</P><P>"route DMZ 172.16.24.22 255.255.255.255 172.16.24.3"</P><P>but this time I got the error message like this:"</P><P>%ASA-3-305006: portmap translation creation failed for tcp src inside:172.16.3.50/3925 dst inside:172.16.24.22/443"</P><P>and I did configured NAT and PAT on Internet FW, static NAt is used to translate the 172.16.24.22 into public IP and PAT is used to allow 172.16.3.0 to to able to access Internet:</P><P>global (outside) 1 2.x.x.41 netmask 255.255.255.224</P><P>global (outside) 2 2.x.x.42 netmask 255.255.255.224</P><P>nat (inside) 1 172.16.3.0 255.255.255.0</P><P>nat (inside) 2 172.16.2.0 255.255.255.0</P><P>static (inside,outside) 2.x.x.40 172.16.24.22 netmask 255.255.255.255</P><P>someone has the solution for this?</P><P></P><P> </P><P></P> Mon, 11 Mar 2019 12:54:20 GMT shibindong 2019-03-11T12:54:20Z https://community.cisco.com/t5/network-security/not-able-to-communicate-from-inside-to-inside-interface/m-p/977160#M919059 <P>Please look at the attached network diagram for your information. I added a command:</P><P>"same-security-traffic permit intra-interface" on the Internet FW, and I also force the traffic from internal firewall to 172.16.24.22 must pass through Internet FW by adding a route in the internal FW:</P><P>"route DMZ 172.16.24.22 255.255.255.255 172.16.24.3"</P><P>but this time I got the error message like this:"</P><P>%ASA-3-305006: portmap translation creation failed for tcp src inside:172.16.3.50/3925 dst inside:172.16.24.22/443"</P><P>and I did configured NAT and PAT on Internet FW, static NAt is used to translate the 172.16.24.22 into public IP and PAT is used to allow 172.16.3.0 to to able to access Internet:</P><P>global (outside) 1 2.x.x.41 netmask 255.255.255.224</P><P>global (outside) 2 2.x.x.42 netmask 255.255.255.224</P><P>nat (inside) 1 172.16.3.0 255.255.255.0</P><P>nat (inside) 2 172.16.2.0 255.255.255.0</P><P>static (inside,outside) 2.x.x.40 172.16.24.22 netmask 255.255.255.255</P><P>someone has the solution for this?</P><P></P><P> </P><P></P> Mon, 11 Mar 2019 12:54:20 GMT https://community.cisco.com/t5/network-security/not-able-to-communicate-from-inside-to-inside-interface/m-p/977160#M919059 shibindong 2019-03-11T12:54:20Z https://community.cisco.com/t5/network-security/not-able-to-communicate-from-inside-to-inside-interface/m-p/977161#M919060 <HTML><HEAD></HEAD><BODY><P>Put a global statement like this to allow inside users to access the DMZ server.</P><P></P><P>global (dmz) 1 172.16.24.200 </P><P></P><P>This is just an example. Or use nat-exemption to bypass NAT for this traffic flow (From inside segement to DMZ).</P><P></P><P>Once you enable dynamic NAT/PAT the whole 'no nat-control' thing blows away (for that zone).</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 03 Jun 2008 08:24:18 GMT https://community.cisco.com/t5/network-security/not-able-to-communicate-from-inside-to-inside-interface/m-p/977161#M919060 Farrukh Haroon 2008-06-03T08:24:18Z https://community.cisco.com/t5/network-security/not-able-to-communicate-from-inside-to-inside-interface/m-p/977162#M919063 <HTML><HEAD></HEAD><BODY><P>Put a global statement like this to allow inside users to access the DMZ server.</P><P></P><P>global (dmz) 1 172.16.24.200 </P><P></P><P>This is just an example. Or use nat-exemption to bypass NAT for this traffic flow (From inside segement to DMZ).</P><P></P><P>Once you enable dynamic NAT/PAT the whole 'no nat-control' thing blows away (for that zone).</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 03 Jun 2008 08:44:58 GMT https://community.cisco.com/t5/network-security/not-able-to-communicate-from-inside-to-inside-interface/m-p/977162#M919063 Farrukh Haroon 2008-06-03T08:44:58Z https://community.cisco.com/t5/network-security/not-able-to-communicate-from-inside-to-inside-interface/m-p/977163#M919073 <HTML><HEAD></HEAD><BODY><P>Actually I think I misunderstood your network, it should be:</P><P></P><P>global (inside) 1 172.16.24.200 </P><P></P><P></P><P>Assuming you already have the same-security-traffic permit intra-interface, as stated in your email.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 03 Jun 2008 09:28:32 GMT https://community.cisco.com/t5/network-security/not-able-to-communicate-from-inside-to-inside-interface/m-p/977163#M919073 Farrukh Haroon 2008-06-03T09:28:32Z