ASA 5512-x communication between Interfaces

Amjad khan
Level 1

Hi Guys,

I need a little assistance here. I am configuring an ASA-5512-x. I need to make communication between interfaces of the same security level. I tried "same-security-traffic permit inter-interface" and I tried doing static NAT, dynamic NAT, PAT, but nothing seems to be working. I have multiple interfaces which I want to communicate.

1) First is 192.168.11.0/24

2) second is 10.50.50.0/24

3) 3rd is 10.246.38.0/24

Can anyone guide me in the right direction? I am not using any ACL as I read on some forums that if you are using the same-security feature then there is no need for an ACL, or the ACL overrides it. I am doing the config via ASDM.

4 Replies

Marvin Rhoads
Hall of Fame

ASA software has a built-in tool called packet-tracer that is excellent at showing you the path a flow takes through the appliance and the outcome of each step.

packet-tracer input <nameif> tcp <source address> <source port> <destination address> <destination port>

Be sure to use a downstream host address for the source and destination - not the ASA interface addresses.

vesiclife1
Level 1

Access control lists can be very picky.

There is an implicit deny at the end that does not exist.

If you do not explicitly permit it, it will be implicitly denied.

If you are hooking up hosts to the firewall interfaces, you want to make sure the default gateway is the same as the interface IP on the firewall VLAN you are connecting to.

Also use packet-tracer to see where the hangup is when the traffic is traversing the interface. 

If you are unfamiliar with the commands, just use ? after the beginning of the command to see the different paths you can take.

show asp drop can help. 

You might need to clear it first and try to initiate traffic a couple of times.

clear asp drop

Amjad khan
Level 1

Following is the output:

ciscoasa# show asp drop
Frame drop:
  No route to host (no-route)                                                 12
  Flow is denied by configured rule (acl-drop)                                 6
  Slowpath security checks failed (sp-security-failed)                        45
Last clearing: 16:53:46 UTC Oct 19 2016 by enable_15
Flow drop:
  NAT reverse path failed (nat-rpf-failed)                                    12
Last clearing: 16:53:46 UTC Oct 19 2016 by enable_15

1. What kind of license do you have on the firewall? You can pull up the information by using the show version command. The issue I see right off the bat is that you're only allowed so many VLANs (2 that are unrestricted and one that is restricted) [usually inside, outside and dmz] with a base license, and you have at least three different IP subnets/VLANs. It would make more sense for you to trunk the different VLANs to a Cisco router (router on a stick) to get the different VLANs communicating. You can also route the VLANs together in a level 3 switch. Routing multiple subnets through a firewall is much harder due to the nature of a firewall device, which is to block traffic, and the cost of the licensing required.
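The advice above is to clear the drop counters, re-initiate the test traffic a couple of times and see which counters move. Below is an added helper (not from this thread or from Cisco) that parses two "show asp drop" snapshots in the format posted above and reports only the counters that incremented; the two snapshots are constructed sample text whose second set of numbers is made up for the example.

```python
import re

# Constructed sample: a "show asp drop" snapshot taken right after "clear asp drop"
# (matching the format posted in the thread) and a second one taken after the
# test traffic was re-initiated. The counter values in AFTER are made up.
BEFORE = """Frame drop:
  No route to host (no-route)                                   12
  Flow is denied by configured rule (acl-drop)                   6
  Slowpath security checks failed (sp-security-failed)          45
Last clearing: 16:53:46 UTC Oct 19 2016 by enable_15
Flow drop:
  NAT reverse path failed (nat-rpf-failed)                      12
Last clearing: 16:53:46 UTC Oct 19 2016 by enable_15
"""

AFTER = """Frame drop:
  No route to host (no-route)                                   12
  Flow is denied by configured rule (acl-drop)                   9
  Slowpath security checks failed (sp-security-failed)          45
Last clearing: 16:53:46 UTC Oct 19 2016 by enable_15
Flow drop:
  NAT reverse path failed (nat-rpf-failed)                      17
Last clearing: 16:53:46 UTC Oct 19 2016 by enable_15
"""

# One counter line: indented description, "(reason-name)", then the count.
LINE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {reason_name: (section, description, count)} from 'show asp drop' output."""
    section, counters = None, {}
    for line in text.splitlines():
        if line.endswith("drop:"):          # section headers: "Frame drop:" / "Flow drop:"
            section = line[:-1]
            continue
        m = LINE.match(line)                # "Last clearing: ..." lines do not match
        if m:
            counters[m["name"]] = (section, m["desc"], int(m["count"]))
    return counters

def drop_deltas(before_text, after_text):
    """Counters that increased between two snapshots as (name, section, desc, increase)."""
    before, after = parse_asp_drop(before_text), parse_asp_drop(after_text)
    deltas = []
    for name, (section, desc, count) in after.items():
        prev = before.get(name, (section, desc, 0))[2]   # unseen before => started at 0
        if count > prev:
            deltas.append((name, section, desc, count - prev))
    return sorted(deltas, key=lambda d: d[3], reverse=True)  # biggest increase first

if __name__ == "__main__":
    for name, section, desc, inc in drop_deltas(BEFORE, AFTER):
        print(f"{section}: {desc} ({name}) +{inc}")
```

Only the counters that move while you generate the test traffic are relevant; in the sample, the NAT reverse-path and ACL counters are the ones that climb, which points at the NAT and access-list steps rather than routing.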