10-19-2016 12:21 PM - edited 03-12-2019 01:25 AM
Hi Guys,
I need a little assistance here. I am configuring an ASA 5512-X. I need to make communication work between interfaces of the same security level. I tried "same-security-traffic permit inter-interface" and I tried doing static NAT, dynamic NAT, and PAT, but nothing seems to be working. I have multiple interfaces which I want to communicate.
1) First is 192.168.11.0/24
2) second is 10.50.50.0/24
3) 3rd is 10.246.38.0/24
Can anyone guide me in the right direction? I am not using any ACL, as I read on some forums that if you are using the same-security feature then there is no need for an ACL, or the ACL overrides it. I am doing the config via ASDM.
10-19-2016 02:55 PM
ASA software has a built-in tool called packet-tracer that is excellent at showing you the path a flow takes through the appliance and the outcome of each step.
packet-tracer input <nameif> tcp <source address> <source port> <destination address> <destination port>
Be sure to use a downstream host address for the source and destination - not the ASA interface addresses.
10-19-2016 03:45 PM
Access control lists can be very picky.
There is an implicit deny at the end that does not exist.
If you do not explicitly permit it, it will be implicitly denied.
If you are hooking up hosts to the firewall interfaces you want to make sure the default gateway is the same as the interface IP on the firewall vlan you are connecting.
Also use packet-tracer to see where the hangup is when the traffic is traversing the interface.
If you are unfamiliar with the commands just use ? after the beginning of the command to see the different paths you can take.
show asp drop can help.
you might need to clear it first and try to initiate traffic a couple times.
clear asp drop
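As an added worked example (not posted by anyone in this thread): a minimal ASA 8.3+ configuration for the three subnets in the original question, followed by the packet-tracer and asp-drop checks from the two replies above run against host addresses rather than interface addresses. The interface names lan11, lan50 and lan246, the .1 interface addresses and the .10/.20 host addresses are assumptions for illustration.

```text
! Assumed interface names; all three at the same security level
interface GigabitEthernet0/1
 nameif lan11
 security-level 100
 ip address 192.168.11.1 255.255.255.0
interface GigabitEthernet0/2
 nameif lan50
 security-level 100
 ip address 10.50.50.1 255.255.255.0
interface GigabitEthernet0/3
 nameif lan246
 security-level 100
 ip address 10.246.38.1 255.255.255.0
!
! Required so that traffic may flow between interfaces of equal security level
same-security-traffic permit inter-interface
!
! Only needed if an existing NAT rule (for example a dynamic PAT to the outside
! that uses "any" as its source interface) would otherwise translate this
! east-west traffic: identity NAT between the internal subnets, so the
! addresses are left untouched.
object network NET-11
 subnet 192.168.11.0 255.255.255.0
object network NET-50
 subnet 10.50.50.0 255.255.255.0
object network NET-246
 subnet 10.246.38.0 255.255.255.0
nat (lan11,lan50) source static NET-11 NET-11 destination static NET-50 NET-50 no-proxy-arp route-lookup
nat (lan11,lan246) source static NET-11 NET-11 destination static NET-246 NET-246 no-proxy-arp route-lookup
nat (lan50,lan246) source static NET-50 NET-50 destination static NET-246 NET-246 no-proxy-arp route-lookup
!
! Checks: trace a flow between two downstream hosts (assumed addresses), then
! clear the drop counters, retry the real traffic from the host, and read
! the counters to see which drop reason increments.
packet-tracer input lan11 tcp 192.168.11.10 12345 10.50.50.20 443
clear asp drop
show asp drop
```

In the packet-tracer output, read the last phase: its Action and Drop-reason line tell you whether the flow died at the route lookup, the NAT phase or the ACL phase. Two caveats: if an access-group is applied inbound on either interface, that ACL (with its implicit deny) applies to same-security traffic too, so either remove it or add an explicit permit; and the hosts must use the ASA interface on their own subnet (192.168.11.1, 10.50.50.1, 10.246.38.1 here) as their default gateway, or the return traffic never reaches the firewall.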
10-19-2016 09:59 PM
Following is the output:
10-19-2016 11:29 PM