06-11-2008 03:24 AM - edited 03-11-2019 05:57 AM
Hi everyone,
I've got an ASA5510 (10.0.0.1) which is the gateway for the internal network (10.0.0.0/24). In addition, I've got an additional local network (192.168.0.0/24) which I need to route my internal clients (10.0.0.0/24) to. The local gateway for the 192.168.0.0/24 network is 10.0.0.10, but my ASA device keeps dropping all connections to the 192.168.0.0 network.
I've configured the ASA with the following options:
route inside 192.168.0.0 255.255.255.0 10.0.0.10
access-list inside-access-in extended permit ip 10.0.0.0 255.255.255.0 any
access-list inside-access-in extended permit icmp 10.0.0.0 255.255.255.0 any
access-group inside-access-in in interface inside
I've also got my standard NAT commands, which I don't think are necessary to post.
My question is how can I force the ASA appliance to forward packets to the 192.168.0.0 network?
If any NAT commands are required, please include them in your reply.
Many thanks.
06-11-2008 11:37 AM
As others have stated, the OP needs to upgrade to 7.2(x) or later.
06-11-2008 02:13 PM
The response to this thread has been great and I really appreciate the effort and time spent by everyone.
From what I conclude, Jorge, according to your test, the scenario should work 'as is' without the need for additional commands.
However, Farrukh maintains that the 'intra-interface' command is required for my situation.
Unfortunately, I haven't got access to the equipment right now to try it, but I do remember the scenario didn't work using the configuration I posted. If I remember correctly, the syslog messages mentioned that my packets heading from the internal LAN 10.0.0.0 towards the 192.168.0.0 network were denied by the inside-access-in list:
access-list inside-access-in extended permit ip 10.0.0.0 255.255.255.0 any
access-list inside-access-in extended permit icmp 10.0.0.0 255.255.255.0 any
access-group inside-access-in in interface inside
All I was doing is trying to access a network share on a computer in the 192.168.0.0 network.
Closing, quoting Farrukh's recommendation:
'please don't confuse the "same-security-traffic intra-interface" with the 'inter-interface' command. In this scenario 'intra-interface' will be required IF the firewall is the default gateway of end hosts'. Yes, all internal 10.0.0.0 hosts do in fact have the ASA (10.0.0.1) as their gateway.
I sometimes fail to see why such 'simple' routing requirements can sometimes become a big headache :)
Cheers guys,
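The recommendation quoted in the post above turns on whether client traffic enters and leaves the ASA on the same interface. The following is an added example, not code from any poster in this thread or from Cisco: a Python check over ASA configuration text that flags static routes producing that pattern when "same-security-traffic permit intra-interface" is absent. The client_interfaces parameter and the interface stanza in the sample (Ethernet0/1) are assumptions; the route and access-list lines are the ones posted in the thread.

```python
import ipaddress

# Constructed sample: the route and ACL lines are the ones posted in the thread;
# the interface stanza (Ethernet0/1) is an assumption built from the stated 10.0.0.1/24.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
route inside 192.168.0.0 255.255.255.0 10.0.0.10
access-list inside-access-in extended permit ip 10.0.0.0 255.255.255.0 any
access-list inside-access-in extended permit icmp 10.0.0.0 255.255.255.0 any
access-group inside-access-in in interface inside
"""

def audit_hairpin(config, client_interfaces):
    """List static routes that make client traffic enter and leave one interface.

    client_interfaces (hypothetical parameter): nameifs whose hosts use the
    ASA as default gateway. Returns [] when intra-interface traffic is permitted.
    """
    nameif, connected, routes, intra_permitted = None, {}, [], False
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None                      # new stanza, name not yet known
        elif tok[0] == "nameif" and len(tok) == 2:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) >= 4:
            connected[nameif] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif tok[0] == "route" and len(tok) >= 5:
            routes.append((tok[1], ipaddress.ip_network(f"{tok[2]}/{tok[3]}"),
                           ipaddress.ip_address(tok[4])))
        elif tok == ["same-security-traffic", "permit", "intra-interface"]:
            intra_permitted = True
    if intra_permitted:
        return []
    findings = []
    for ifname, dest, hop in routes:
        src = connected.get(ifname)
        # Hairpin: clients on this interface reach dest through a next hop on their own subnet.
        if ifname in client_interfaces and src and hop in src and dest != src:
            findings.append(f"{src} -> {dest} via {hop} hairpins on '{ifname}'; "
                            "same-security-traffic permit intra-interface is absent")
    return findings

if __name__ == "__main__":
    for finding in audit_hairpin(SAMPLE_CONFIG, {"inside"}):
        print(finding)
```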