07-09-2009 10:56 AM - edited 03-11-2019 08:53 AM
I have an ASA 5505 with two internal VLANs - let's say 192.168.0.0/24 & 192.168.1.0/2 and an outside interface which is the internet gateway for both of the internal subnets. I can get on the net from each internal net but I can't figure out how to make them talk to each other. They're both configured with security level 100 and I want to enable all IP traffic between them. Any idea how to make this work?
Thank you!
J.
07-09-2009 02:33 PM
Hi J,
Because you have the 'nat-control' command enabled and you have dynamic PAT on your inside and inside1 interfaces, there also needs to be a NAT rule for the traffic between the inside and inside1 interfaces. Assuming you don't want to NAT the traffic between these two interfaces, I would recommend trying something like this:
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside1_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside1) 0 access-list inside1_nat0_outbound
This will set up NAT 0 and allow traffic to flow in both directions. If you want to do dynamic PAT instead, just adjust your config accordingly--the point is you need to have NAT rules that match the traffic between these interfaces because of the 'nat-control' command and your existing dynamic PAT configuration.
From the documentation:
"Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface with NAT control enabled, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule. "
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/no_72.html#wp1653062
Hope that helps.
-Mike
07-09-2009 11:02 AM
J,
There are typically 3 things you need to consider when configuring the firewall to allow traffic between 2 interfaces:
1. Permission (i.e. access-list and access-group)
2. Translation (i.e. static or nat/global)
3. Routing (i.e. route)
In addition, when your interfaces have the same security level (100 in your case), you need to include the 'same security-traffic permit inter-interface' command to allow the traffic to pass.
If you post your sanitized config, we can probably point you to the command(s) that you are missing to get this to work.
Hope that helps.
-Mike
07-09-2009 11:27 AM
07-10-2009 07:43 AM
Worked like a charm! Thanks Mike!
J.