https://community.cisco.com/t5/network-security/sub-interface-nat-problem/m-p/3396821#M955200 <P>Hi all,</P> <P>On Asa I have configured 2 internal sub-interfaces GigabitEthernet0/3.50 and&nbsp;&nbsp;<SPAN>GigabitEthernet0/3.70.</SPAN></P> <P><SPAN>Config on both interfaces :</SPAN></P> <P><SPAN>GigabitEthernet0/3.50 (vlan50-192.168.50.1/24) security-level is 80. </SPAN></P> <P><SPAN>GigabitEthernet0/3.50 (vlan70-192.168.70.1/24) security-level is 90</SPAN></P> <P><SPAN>Both subnets which belongs to these interfaces are translated to outside interface.Problem is i want to configure lower security-level interface to have ip connectivity to higher security-level sub interface subnet.When i configure access-list and twice nat for&nbsp;GigabitEthernet0/3.50&nbsp; , i loose connectivity to outside translation. Need yours help.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:51:48 GMT Zamilnewbie 2020-02-21T15:51:48Z https://community.cisco.com/t5/network-security/sub-interface-nat-problem/m-p/3396821#M955200 <P>Hi all,</P> <P>On Asa I have configured 2 internal sub-interfaces GigabitEthernet0/3.50 and&nbsp;&nbsp;<SPAN>GigabitEthernet0/3.70.</SPAN></P> <P><SPAN>Config on both interfaces :</SPAN></P> <P><SPAN>GigabitEthernet0/3.50 (vlan50-192.168.50.1/24) security-level is 80. </SPAN></P> <P><SPAN>GigabitEthernet0/3.50 (vlan70-192.168.70.1/24) security-level is 90</SPAN></P> <P><SPAN>Both subnets which belongs to these interfaces are translated to outside interface.Problem is i want to configure lower security-level interface to have ip connectivity to higher security-level sub interface subnet.When i configure access-list and twice nat for&nbsp;GigabitEthernet0/3.50&nbsp; , i loose connectivity to outside translation. Need yours help.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:51:48 GMT https://community.cisco.com/t5/network-security/sub-interface-nat-problem/m-p/3396821#M955200 Zamilnewbie 2020-02-21T15:51:48Z https://community.cisco.com/t5/network-security/sub-interface-nat-problem/m-p/3396828#M955201 <P>I`m new to this firewall.Any help appreciated.</P> Sat, 09 Jun 2018 13:29:59 GMT https://community.cisco.com/t5/network-security/sub-interface-nat-problem/m-p/3396828#M955201 Zamilnewbie 2018-06-09T13:29:59Z https://community.cisco.com/t5/network-security/sub-interface-nat-problem/m-p/3396850#M955202 <P>???????????</P> Sat, 09 Jun 2018 14:58:52 GMT https://community.cisco.com/t5/network-security/sub-interface-nat-problem/m-p/3396850#M955202 Zamilnewbie 2018-06-09T14:58:52Z https://community.cisco.com/t5/network-security/sub-interface-nat-problem/m-p/3397006#M955203 <P>First off, be patient. CSC is a free user-supported forum. If you require answers within an hour then use paid TAC support.</P> <P>&nbsp;</P> <P>Your:</P> <PRE class="bp-text bp-text-plain hljs"><CODE class="txt">access-list 50-to-70 extended permit ip object network-OBJ-192.168.50.0 object network-OBJ-192.168.70.0 </CODE></PRE> <P>&nbsp;</P> <P>...will prevent anything not explicitly allowed in that statement. This is because as soon as you apply an ACL to an onterface there is an implicit "deny ip any any" statement at the end.</P> <P>&nbsp;</P> <P>You should add a second line preventing traffic from 192.168.50.0 to inside networks and then a third with a permit for 192.168.50.0 to any to include internet-bound traffic.</P> Sun, 10 Jun 2018 14:08:50 GMT https://community.cisco.com/t5/network-security/sub-interface-nat-problem/m-p/3397006#M955203 Marvin Rhoads 2018-06-10T14:08:50Z https://community.cisco.com/t5/network-security/sub-interface-nat-problem/m-p/3397020#M955204 Thanks for your attention and answer.Appreciated. Sun, 10 Jun 2018 14:01:56 GMT https://community.cisco.com/t5/network-security/sub-interface-nat-problem/m-p/3397020#M955204 Zamilnewbie 2018-06-10T14:01:56Z