topic Re: Allow traffic to pass between 2 same security level interfac in Network Security

Allow traffic to pass between 2 same security level interfaces

sbohannan — Mon, 11 Mar 2019 12:31:01 GMT

i have configured my ASA 5510 with 2 same level security interfaces, i have "Same-security-Traffic permit inter-interface" enabled on the asa, but no traffic either interfaces is passing to the other interface. I know this is an Access list problem but i can not find any commands to allow all traffic to pass freely between the 2 interfaces.

Any help is greatly needed.

Thank you

Shane

Re: Allow traffic to pass between 2 same security level interfac

acomiskey — Mon, 14 Apr 2008 16:26:14 GMT

Access lists are not required when using inter-interface.

Are you getting a "no translation group" error message?

Re: Allow traffic to pass between 2 same security level interfac

sbohannan — Mon, 14 Apr 2008 17:28:01 GMT

Yes i am getting an no translation group error.

The exact error is -

No translation group found for icmp and for TCP.

I have worked with one of the TAC engineers and the command that he gives me to correct this error grinds the network to a stand still. (Static (interface1,interface2) 172.16.0.0 172.16.0.0 netmask 255.255.0.0) if i enter this command all traffic slowly stops on interface 1.

Shane

Re: Allow traffic to pass between 2 same security level interfac

acomiskey — Mon, 14 Apr 2008 17:34:35 GMT

That should be correct if...

interface1 is 172.16.x.x.

Could you post a config?

Re: Allow traffic to pass between 2 same security level interfac

sbohannan — Mon, 14 Apr 2008 17:47:27 GMT

I have attached copy of my config. i do not understand why it stops network traffic when i put that command in. I have watched the network stop. i did try the command friday afternoon the network seem to recover after about 10 Min but the funny part of it all was i could not connect to some of the 172.16.0.0/16 servers and my partner could but he could not connect to the internet and i could.

Maybe i have something amiss in the confige that i have not seen.

Shane

Re: Allow traffic to pass between 2 same security level interfac

acomiskey — Mon, 14 Apr 2008 17:51:51 GMT

You've already got

access-list inside_Nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.199.1.0 255.255.255.0

but what you are missing is...

nat (inside) 0 access-list inside_Nat0_outbound

That should work the same as that static command mentioned before.

The only other thing I see which may be an issue is whether or not the MCI interface will be able to route back to 172.16.0.0 via 192.199.1.254. You may have to do something other than nat exemption if that is the case. Something like...

no global (MCI) 100 interface

global (MCI) 101 interface

Re: Allow traffic to pass between 2 same security level interfac

sbohannan — Mon, 14 Apr 2008 18:04:24 GMT

Ok i have entered that command that you just told me and so far i have not had any problems.

Looking at the access-list that you told me about the next line as the same command but the interfaces are reversed. do i need to have this command entered as well?

"nat (mci) 0 access-list mci_nat0_outbound

Shane

Re: Allow traffic to pass between 2 same security level interfac

acomiskey — Mon, 14 Apr 2008 18:10:28 GMT

I believe when you use "nat 0" with an access-list it is bidirectional. So adding the second command would technically be a duplication.

Re: Allow traffic to pass between 2 same security level interfac

sbohannan — Mon, 14 Apr 2008 18:14:40 GMT

from a computer on the 172.16.0.0/16 subnet i get the same error as i was before i put the command in that started traffic from the 192.199.1.0/24 subnet.

Shane

Re: Allow traffic to pass between 2 same security level interfac

acomiskey — Mon, 14 Apr 2008 18:17:06 GMT

Let me see if I've got this right...

192.199.1.0 to 172.16.0.0 is working?

172.16.0.0 to 192.199.1.0 is not working?

Re: Allow traffic to pass between 2 same security level interfac

sbohannan — Mon, 14 Apr 2008 18:19:50 GMT

i did enter "nat (mci) 0 access-list mci_nat0_outbound" because they are running on different interfaces. it seems that all traffic is running as it should now.

Thank you so very much for your help.

Shane

Re: Allow traffic to pass between 2 same security level interfac

acomiskey — Mon, 14 Apr 2008 18:22:12 GMT

Good deal. I guess the nat 0 is bidirectional only when using an access-list AND security levels are different. Thanks for teaching me something. Thanks for the rating.