
ASA 5505 subnets issue

yogesh bhalerao
Level 1

Hi Guyzz,

I am configuring an ASA 5505. I have configured 4 ports: 3 INTERNAL PORTS and 1 OUTSIDE PORT.

INTERNAL

1)192.168.17.X

2)193.168.17.X

3)192.168.10.X

OUTSIDE

1)10.112.15.X

THE INTERNAL INTERFACES ARE ALL WITH SECURITY LEVEL 100 AND OUTSIDE 0. I HAVE ENABLED THE OPTION WHERE IT SAYS THAT TRAFFIC SHOULD BE ALLOWED BETWEEN INTERFACES WITH THE SAME SECURITY LEVEL

BUT I AM NOT ABLE TO PING 193.168.17.2 ---- 192.168.17.2

BUT IF I DO NAT EXEMPT THEN THE PING HAPPENS

require you guyzz to help me

attaching config also, but without nat exempt

1 Reply

Hi Bro
What you're experiencing is expected. This is the Cisco ASA's behaviour.

Basically, when inside, INSIDE2 and INSIDE-3 want to communicate with each other, you’ll need to enable “NAT Exemption”, i.e. nat (nameif) 0. I know you have already enabled the same-security permit inter-interface command, but this command becomes useless once you’ve enabled dynamic NAT on one of those interfaces. It’s as if the same-security traffic command wasn't even entered in the first place. You could refer to the URLs below for further details on this:


https://supportforums.cisco.com/thread/223898
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530





P/S: If you think this comment is useful, please do rate it nicely :-) and click on the "Correct Answer" button

Warm regards,
Ramraj Sivagnanam Sivajanam
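
The NAT exemption described in the reply above, written out as an added example that is not part of either post and not the poster's attached config. It uses the pre-8.3 nat/access-list syntax of the ASA 7.2 guide linked in the reply; the /24 masks, the subnet-to-interface mapping and the NONAT_* access-list names are assumptions.

```cisco
! Added example. Assumed mapping (the poster's real config is not shown on the page):
!   inside   = 192.168.17.0/24
!   INSIDE2  = 193.168.17.0/24
!   INSIDE-3 = 192.168.10.0/24
! NONAT_* access-list names are hypothetical.

! Already present according to the question; shown for completeness
same-security-traffic permit inter-interface

! One exemption ACL per source interface, listing only the internal subnet pairs
access-list NONAT_INSIDE extended permit ip 192.168.17.0 255.255.255.0 193.168.17.0 255.255.255.0
access-list NONAT_INSIDE extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list NONAT_INSIDE2 extended permit ip 193.168.17.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list NONAT_INSIDE2 extended permit ip 193.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list NONAT_INSIDE3 extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list NONAT_INSIDE3 extended permit ip 192.168.10.0 255.255.255.0 193.168.17.0 255.255.255.0

! nat 0 with an access-list = NAT exemption for traffic matching that ACL
nat (inside) 0 access-list NONAT_INSIDE
nat (INSIDE2) 0 access-list NONAT_INSIDE2
nat (INSIDE-3) 0 access-list NONAT_INSIDE3

! Checks: confirm the rules are installed, then trace the ping from the question
show running-config nat
packet-tracer input inside icmp 192.168.17.2 8 0 193.168.17.2
```

Because the exemption ACLs list only the three internal subnets, traffic leaving through the outside interface does not match them and is still handled by the existing dynamic NAT rule.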