11-01-2018 05:50 AM - edited 02-21-2020 08:25 AM
Ok, this is my first venture to the cisco boards to ask a question.
I have an issue where I have 2 subinterfaces on an ASA with the same security level (100) and both same-security-traffic permit inter-interface and same-security-traffic permit intra-interface configured.
There is a NAT entry for the above:
nat (default_dhcp,inside) source static net-default_dhcp net-default_dhcp destination static net-itservers net-itservers
default_dhcp is the interface name with net-default_dhcp as the network object on that interface
inside is the interface with net-itservers.
However, net-itservers can ping and get a general response from net-default_dhcp, but not the other way round, although I cannot see anything in the config that would be uni-directional regarding these two network objects or the interfaces they reside on.
I also have a secondary issue whereby net-grp-fortiSSL (SSL clients from an external 3rd-party firewall using the same tunnel as net-grp-ielmk and net-grp-uklon) cannot gain access to either of the subnets above; I'm gathering that the two issues may be related.
Any suggestions?
Thanks in advance
ed3
11-02-2018 05:40 AM
Run the packet tracer tool in ASDM to see if the packet is getting permitted. It will check ACLs, NAT and routes.
11-03-2018 12:59 PM
Or from the CLI:
packet-tracer input default_dhcp tcp IP-A 12345 IP-B 80 det
where IP-A is from object net-default_dhcp
& IP-B is from object net-itservers
You only need this command as they are 2 different interfaces:
same-security-traffic permit inter-interface
If you have any ACLs, they will override the security-levels.
You can check with the sh run access-group command.
Regards,
Azam
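As an added illustration of Azam's advice (not part of either post), the checks below trace the failing direction and the working direction and show how an inbound ACL on default_dhcp would take precedence over the equal security levels. The addresses and the ACL name default_dhcp_in are assumptions; substitute hosts from your own net-default_dhcp and net-itservers objects.

```cisco
! Trace the direction that fails (default_dhcp -> inside) and the one that works
! (inside -> default_dhcp). Addresses are assumed sample hosts; ICMP echo is type 8, code 0.
packet-tracer input default_dhcp icmp 10.10.20.5 8 0 10.10.10.5 detailed
packet-tracer input inside icmp 10.10.10.5 8 0 10.10.20.5 detailed

! List which ACLs are bound to which interface. An ACL applied inbound on default_dhcp
! ends with an implicit deny, so traffic not explicitly permitted is dropped even though
! both interfaces are at security level 100.
show running-config access-group

! If such an ACL exists, it must permit the hosts explicitly (ACL name assumed):
access-list default_dhcp_in extended permit ip object net-default_dhcp object net-itservers
access-group default_dhcp_in in interface default_dhcp
```

The packet-tracer output names the phase (ACCESS-LIST, NAT, ROUTE-LOOKUP) in which a packet is dropped, which tells you whether the fix belongs in the ACL or elsewhere.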