Showing results for 
Search instead for 
Did you mean: 

ASA 5508-X cant ping inside resources from other subnet

Hi Folks

I recently acquired an ASA 5508-X for a new build project we are doing in one of our not for profit rest houses.

I knew that there were some differences between the ASA 5505 which I'd used previously but as the 5506 also had the same issues (routed interfaces) I figured I might as well go for the more powerful 5508 (first time Iv'e had a decent budget in years!)

It's taken me a while to find my feet with this but I now have my main network up and running without problems, everything on the inside can reach the outside, and the few things on the outside that are allowed to come inside can come inside.

I have two issues however which I'm struggling to resolve

  1. I need to allow traffic from an external contractor who is setting up a WiFi network to come into our network and communicate with our server.
  2. I need to set up a separate data network for resident which will just pass through our firewall.

I'll take point 2 first.

I think that all I need to do is to add the following text and everything should work fine

interface GigabitEthernet1/8
nameif Residents
security-level 50
ip address
no shut

object network Residents

object network Residents
nat (Residents,outside) dynamic interface

I figured that if I used something similar I should be able to allow the WiFi network to communicate with the server.

interface GigabitEthernet1/3
nameif WiFi
security-level 100
ip address
no shut

object network WiFi

object-group network OTHERWiFiLANS
network-object object WiFi

object network WiFi
nat (WiFi,outside) dynamic interface

However that didn't work out quite as I'd hoped so I swapped the nat instruction to the following

object network WiFi
nat (WiFi,inside) dynamic interface

That didn't work either!

I tried adding in same-security-traffic permit intra-interface but I'm not sure if that has any effect unless you have sub interfaces.

So then I tried same-security-traffic permit inter-interface hoping that would solve my problem, sadly it does not and I'm running out of ideas and time!!!

Is there anyone out there who can point me in the right direction?



Philip D'Ath

Can you show us you server interface.

You probably need to add an access rule.  Do you have any existing access-rules?


Sorry for the delay in getting back but I had to work on other IT issues...

I managed to fix this with adding the following

forward-reference enable
same-security-traffic permit inter-interface