ASA- between same security zones, config for successful traffic is?

A thread on these boards: a reporter states that both ASA interfaces have the same security level of 100. The solution was...

"You are missing NAT statements between inside and LANDHCP. Please configure identity NAT between the interfaces:

static (inside,LANDHCP) 10.10.220.0 10.10.220.0 netmask 255.255.255.0
static (LANDHCP,inside) 10.10.230.0 10.10.230.0 netmask 255.255.255.0

This should allow communication between the inside and LANDHCP interfaces."

Questions:

1. Is this also needed? #same-security-traffic permit inter-interface

2. Is the code (& syntax) below correct for the above intent?...

object network MY-OBJECT1-10.10.220.0
 subnet 10.10.220.0 255.255.255.0

object network MY-OBJECT2-10.10.230.0
 subnet 10.10.230.0 255.255.255.0

nat (LANDHCP,inside) source static MY-OBJECT1-10.10.220.0 MY-OBJECT1-10.10.220.0 destination static MY-OBJECT2-10.10.230.0 MY-OBJECT2-10.10.230.0

Thank you.

Accepted Solutions

@jmaxwellUSAF you would need a Twice NAT rule if there is another Auto NAT rule that may unintentionally translate the traffic, not necessarily because of the security level of the interface.

You need same-security-traffic permit inter-interface for interfaces with the same security level to communicate; however, if you have an ACL permitting the traffic, then that command is not required.

10.10.220.0 is the LANDHCP network and 10.10.230.0 is the inside network? If so then the rules look correct, but your first example contradicts that. You may wish to double check.

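To put the two points of the accepted answer side by side, here is an added configuration example (not from the thread or from either poster). It assumes ASA 8.3+ NAT syntax, that 10.10.230.0/24 sits behind "inside" and 10.10.220.0/24 behind "LANDHCP" (the orientation the answer asks about), both at security level 100, and that a pre-existing Auto NAT rule PATs the inside network towards any interface; the interface names, the 203.0.113.10 mapped address and the host addresses in the trace are made up.

```cisco
! Added example, not from the thread. Assumes ASA 8.3+ NAT syntax, inside =
! 10.10.230.0/24, LANDHCP = 10.10.220.0/24, both at security-level 100, and an
! existing Auto NAT rule that would otherwise rewrite inside -> LANDHCP traffic.
! Interface names, 203.0.113.10 and the host addresses below are made up.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.230.1 255.255.255.0
interface GigabitEthernet0/2
 nameif LANDHCP
 security-level 100
 ip address 10.10.220.1 255.255.255.0
!
! Required for two level-100 interfaces to pass traffic at all, unless an
! access-group ACL applied to the ingress interface already permits it.
same-security-traffic permit inter-interface
!
object network INSIDE-NET
 subnet 10.10.230.0 255.255.255.0
! Pre-existing Auto NAT (section 2) rule: PAT to one mapped address towards
! any egress interface. On its own it also catches the inter-LAN traffic.
 nat (inside,any) dynamic 203.0.113.10
object network LANDHCP-NET
 subnet 10.10.220.0 255.255.255.0
!
! Identity twice NAT (section 1) is evaluated before any Auto NAT rule, so the
! real addresses are preserved in both directions between the two LANs.
nat (inside,LANDHCP) source static INSIDE-NET INSIDE-NET destination static LANDHCP-NET LANDHCP-NET
!
! Verification from enable mode: the section 1 rule should be listed first
! and accumulate hits, and the trace should end in ALLOW with the original
! addresses intact rather than a translation to 203.0.113.10.
show nat
packet-tracer input inside tcp 10.10.230.10 40000 10.10.220.10 80
```

If an access-list is bound to the inside interface with access-group, the same-security-traffic line can be dropped, but the identity twice NAT rule is still what keeps the Auto NAT rule from translating the inter-LAN flow.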
