Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
430
Views
0
Helpful
2
Replies

ASA 5508-X cant ping inside resources from other subnet

de-hoeksteen
Level 1
Level 1

‎01-18-2016 11:38 AM

Hi Folks

I recently acquired an ASA 5508-X for a new build project we are doing in one of our not for profit rest houses.

I knew that there were some differences between the ASA 5505 which I'd used previously but as the 5506 also had the same issues (routed interfaces) I figured I might as well go for the more powerful 5508 (first time Iv'e had a decent budget in years!)

It's taken me a while to find my feet with this but I now have my main network up and running without problems, everything on the inside can reach the outside, and the few things on the outside that are allowed to come inside can come inside.

I have two issues however which I'm struggling to resolve

  1. I need to allow traffic from an external contractor who is setting up a WiFi network to come into our network and communicate with our server.
  2. I need to set up a separate data network for resident which will just pass through our firewall.

I'll take point 2 first.

I think that all I need to do is to add the following text and everything should work fine

interface GigabitEthernet1/8
nameif Residents
security-level 50
ip address 192.168.111.254 255.255.255.0
no shut

object network Residents
subnet 192.168.111.0 255.255.255.0

object network Residents
nat (Residents,outside) dynamic interface

I figured that if I used something similar I should be able to allow the WiFi network to communicate with the server.

interface GigabitEthernet1/3
nameif WiFi
security-level 100
ip address 192.168.222.254 255.255.255.0
no shut

object network WiFi
subnet 192.168.222.0 255.255.255.0

object-group network OTHERWiFiLANS
network-object object WiFi

object network WiFi
nat (WiFi,outside) dynamic interface

However that didn't work out quite as I'd hoped so I swapped the nat instruction to the following

object network WiFi
nat (WiFi,inside) dynamic interface

That didn't work either!

I tried adding in same-security-traffic permit intra-interface but I'm not sure if that has any effect unless you have sub interfaces.

So then I tried same-security-traffic permit inter-interface hoping that would solve my problem, sadly it does not and I'm running out of ideas and time!!!

Is there anyone out there who can point me in the right direction?

Cheers

Mick

Labels:
0 Helpful
2 Replies 2

Philip D'Ath
VIP Alumni
VIP Alumni

‎01-19-2016 01:29 AM

Can you show us you server interface.

You probably need to add an access rule.  Do you have any existing access-rules?

0 Helpful

de-hoeksteen
Level 1
Level 1
In response to Philip D'Ath

‎01-21-2016 07:05 AM

Hi 

Sorry for the delay in getting back but I had to work on other IT issues...

I managed to fix this with adding the following


forward-reference enable
same-security-traffic permit inter-interface

Cheers

Mick

0 Helpful
Customers Also Viewed These Support Documents