5506-x communicate between interfaces

simoneal
Level 1

Hi everybody, on my 5506-x I have 3 interfaces: outside, inside and inside2. With this configuration I cannot communicate between the 2 interfaces, while on the outside it works. I also added the same-security-traffic permit intra-interface option and now I can ping between them, but no other service works. Can someone help me please? Thanks

: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname ASA-ECO
domain-name eco.local
enable password xx encrypted
passwd xx encrypted
names

!
interface GigabitEthernet1/1
description outside
nameif outside
security-level 0
ip address xx 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.0.3 255.255.255.0
!
interface GigabitEthernet1/3
nameif inside2
security-level 100
ip address 10.0.0.7 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name ecomet.local
same-security-traffic permit intra-interface
object network LanInterna
subnet 192.168.0.0 255.255.255.0
object network MailServer
host 192.168.0.4
object network WebServer
host 192.168.0.2
object network 192.168.0.249
host 192.168.0.249
object network As400
host 10.0.0.6
object network Xpserver
host 192.168.0.2
object network LanInterna2
subnet 10.0.0.0 255.255.255.0
access-list OUT_ACL extended permit tcp any object MailServer eq pptp
access-list OUT_ACL extended permit tcp any object MailServer eq imap4
access-list OUT_ACL extended permit tcp any object MailServer eq 993
access-list OUT_ACL extended permit icmp any any
access-list OUT_ACL extended permit gre any any
access-list OUT_ACL extended permit tcp any object MailServer eq 43389
access-list OUT_ACL extended permit tcp any object MailServer eq https
access-list OUT_ACL extended permit tcp any object MailServer eq pop3
access-list OUT_ACL extended permit tcp any object MailServer eq smtp
access-list OUT_ACL extended permit tcp any host 192.168.0.249 eq 3389
access-list OUT_ACL extended permit tcp any object WebServer eq www
access-list OUT_ACL extended permit tcp any object As400 eq telnet
access-list OUT_ACL extended permit tcp any object As400 eq 8470
access-list OUT_ACL extended permit tcp any object As400 eq 8476
access-list OUT_ACL extended permit tcp any object As400 eq 446
access-list OUT_ACL extended permit tcp any object As400 eq 447
access-list OUT_ACL extended permit tcp any object As400 eq 448
access-list OUT_ACL extended permit tcp any object As400 eq 449
access-list OUT_ACL extended permit tcp any object Xpserver eq 43389
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network LanInterna
nat (inside,outside) dynamic xx dns
object network MailServer
nat (inside,outside) static xx
object network WebServer
nat (inside,outside) static xx service tcp www www
object network 192.168.0.249
nat (inside,outside) static xx service tcp 3389 3389
object network As400
nat (inside,outside) static xx
object network Xpserver
nat (inside,outside) static xx service tcp 3389 3389
object network LanInterna2
nat (inside2,inside) static 10.0.0.0
access-group OUT_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 xx 1
route inside 10.0.0.0 255.255.255.0 192.168.0.94 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dynamic-access-policy-record DfltAccessPolicy
username admin password xxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xx
: end


balaji.bandi
Hall of Fame

If the configuration has same-security-traffic permit inter-interface configured
and has 2 interfaces with the same security-level value, and you have an "access-list" configured on both interfaces,
then the ACLs will handle the decision of what traffic is allowed and what is not.

On a quick look, in your case I do not see any ACL,

object network LanInterna
subnet 192.168.0.0 255.255.255.0

object network LanInterna2
subnet 10.0.0.0 255.255.255.0

BB
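The reply above turns on two things a reader can check mechanically in a running-config: whether interfaces that share a security-level have `same-security-traffic permit inter-interface` enabled (the posted config only has the `intra-interface` form, which governs hairpin traffic on one interface, not traffic between two), and whether each of those interfaces has an inbound `access-group` bound so that an explicit ACL decides what crosses. The script below is an added example written for this thread, not code from Cisco or from either poster. It parses a trimmed copy of the posted config (constructed here from the interface, `same-security-traffic` and `access-group` lines), reports both conditions, and then shows the same audit passing on a corrected variant. The ACL name `IN_ACL`/`IN2_ACL` and their single permit lines in the corrected variant are assumptions for illustration only.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the lines from the posted running-config that matter for
# same-security forwarding (indentation restored; ASA prints one leading space).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
!
interface GigabitEthernet1/3
 nameif inside2
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
!
same-security-traffic permit intra-interface
access-list OUT_ACL extended permit tcp any object MailServer eq smtp
access-group OUT_ACL in interface outside
"""

# Constructed corrected variant: inter-interface permitted and an inbound ACL
# bound on both equal-security interfaces (ACL names/contents are assumptions).
FIXED_CONFIG = SAMPLE_CONFIG.replace("intra-interface", "inter-interface") + """\
access-list IN_ACL extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-group IN_ACL in interface inside
access-list IN2_ACL extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-group IN2_ACL in interface inside2
"""


def parse_asa(config: str) -> Tuple[Dict[str, int], Set[str], Dict[str, str]]:
    """Return (nameif -> security-level, same-security flags, nameif -> inbound ACL)."""
    levels: Dict[str, int] = {}
    bindings: Dict[str, str] = {}
    flags: Set[str] = set()
    current = None  # nameif of the interface block being read, once known
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None  # new block; 'no nameif' blocks never set current
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
        elif line.startswith("same-security-traffic permit "):
            flags.add(line.split()[-1])  # 'inter-interface' or 'intra-interface'
        else:
            m = re.match(r"access-group (\S+) in interface (\S+)$", line)
            if m:
                bindings[m.group(2)] = m.group(1)
    return levels, flags, bindings


def audit_same_security(config: str) -> List[str]:
    """List findings about interfaces that share a security-level."""
    levels, flags, bindings = parse_asa(config)
    findings: List[str] = []
    by_level: Dict[int, List[str]] = {}
    for nameif, lvl in levels.items():
        by_level.setdefault(lvl, []).append(nameif)
    for lvl, names in sorted(by_level.items()):
        if len(names) < 2:
            continue  # only one interface at this level: nothing to permit
        pair = ", ".join(sorted(names))
        if "inter-interface" not in flags:
            findings.append(
                f"{pair} share security-level {lvl} but "
                "'same-security-traffic permit inter-interface' is absent; "
                "traffic between them is dropped")
        for name in sorted(names):
            if name not in bindings:
                findings.append(
                    f"{name}: no inbound access-group, so no ACL decides "
                    "what may cross once inter-interface traffic is permitted")
    return findings


if __name__ == "__main__":
    for cfg_name, cfg in (("posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"== {cfg_name} ==")
        for finding in audit_same_security(cfg) or ["no findings"]:
            print(" -", finding)
```

Run as-is, the posted sample yields three findings (the missing `inter-interface` keyword and the unbound `inside` and `inside2` interfaces) and the corrected variant yields none; the parser ignores `no nameif` / `no security-level` blocks such as Management1/1 because those lines never start with the bare keyword.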
