Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
357
Views
9
Helpful
3
Replies

ASA 5520 & same security level

Andrei Scurupii
Level 1
Level 1

‎10-16-2006 06:11 AM - edited ‎02-21-2020 01:14 AM

Hello,

Have ASA 5520.

Giga0/0 nameif outside, sec 0 - to internet

Giga0/1 nameif inside, sec 100 - to lan

Giga 0/2 namif wan, sec 100 - to branch offces router.

I've aplied command same-security-traffic permit inter-interface, but no result. Can't access from one to another interface with the same security level.

At asdm log apears next message: No route from lan_ip_addr to wan_ip_addr.

Could you help me to resolve this problem?

0 Helpful
3 Replies 3

a.kiprawih
Level 7
Level 7

‎10-16-2006 07:05 AM

After you add "same-security-traffic permit inter-interface", the next thing to do is to permit inside and wan to talk to each other. Example:

inside - 10.1.1.0/24

wan - 10.1.2.0/24

static (inside,wan) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

static (wan,inside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008045247c.html#wp1009571

HTH

AK

Andrei Scurupii
Level 1
Level 1
In response to a.kiprawih

‎10-16-2006 08:38 AM

Hi, thanks.. it works.. one more question

beside wan interface i have router with one int to ASA (10.1.2.x) and another to office (11.1.1.x).

From this router can ping lacal lan (10.1.1.0).

But then i ping with sourse int. 11.1.1.x - I cant ping lan. And at ASA logs apears: no route found from 11.1.1.x to 10.1.1.x

0 Helpful

a.kiprawih
Level 7
Level 7
In response to Andrei Scurupii

‎10-16-2006 09:13 AM

In other words (correct me if I am wrong), the router has 2 FastE interfaces, one end connected to ASA and carry 10.1.2.x ip, while another FastE interface assigned with 11.1.1.x ip and connected to another 11.1.1.0 segment.

You can't ping it because your ASA does not recognised or can reach (route) 11.1.1.x.

On ASA:

a. Add static route to the router:

route wan 11.1.1.0 255.255.255.0 10.1.1.x

b. Permit icmp to wan interface from 11.1.1.x

icmp permit host 11.1.1.x any wan -or-

icmp permit 11.1.1.0 255.255.255.0 any wan

Optional:

On your router, if all access need to point back to ASA, then create default route to ASA (or add specific route):

ip route 0.0.0.0 0.0.0.0 10.1.2.y --> ASA wan interface IP

HTH. Pls rate all helpful posts.

AK

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card