Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3593
Views
0
Helpful
3
Replies

Cisco ASA 5505 - Allowing traffic between two internal networks

henrikgei
Level 1
Level 1

‎08-31-2011 07:27 AM - edited ‎03-11-2019 02:18 PM

Hi all,

I'm usually not working with this product, but this is what I'm trying to do.

I have 2 internal networks setup on our Cisco ASA 5505 firewall. (not done by me, I'm a new to this product)

I'm trying to access a server on one network from a PC located on the other internal network.

I'm wondering if someone can tell me how to do this? (preferable through the web gui)

Or how I debug this?

This is the current setup.

==============

Interfaces:

Name    Switch port       Security Level       IP address       Subnet mask         VLAN

Trust6    Ethernet0/6      100                       10.0.6.1           255.255.255.0        vlan 6 (this is where the server is)

Trust4    Ethernet0/4      100                       10.0.4.1           255.255.255.0        vlan 4 (this is where my connecting PC is)

(Checked the checkbox: "Enable traffic between two or more interfaces which are configured with same security level")

Security Policy:

Trust4 (incoming rules):

Source    Destination    Service    Action

any            any        ip        Permit

Trust6 (incoming rules):

Source    Destination    Service    Action

any            any        ip        Permit

When I try "Packet Tracer" from interface "Trust4" it fails on the NAT phase.

(Source ip: 10.0.4.99, Destination ip: 10.0.6.99)

When I check the NAT rule, it says:

Type            Source     Interface    Address

Dynamic         any          outside      outside

===============

Hope anyone can point me in the right direction.

Regards,

Henrik

Labels:
0 Helpful
3 Replies 3

Maykol Rojas
Cisco Employee
Cisco Employee

‎08-31-2011 10:55 AM

Hello,

Try this

static (trust4,trust6) 10.0.4.0 10.0.4.0

static (trust6,trust4) 10.0.6.0 10.0.6.0

same-security-traffic permit inter-interface.

Let me know how it goes

Mike  

Mike
0 Helpful

henrikgei
Level 1
Level 1
In response to Maykol Rojas

‎09-01-2011 07:07 AM

Hi Maykol,

Thanks for your reply.

I took a look at the running config and saw that "same-security-traffic permit inter-interface" is already enabled.

But I would like to try your other suggestions. But before I do that. How do I revert this command, if I mess something up:

static (trust4,trust6) 10.0.4.0 10.0.4.0

And could you please explain what these two commands will do exactly?

Thanks for you for helping a novice

Regards,

Henrik

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to henrikgei

‎09-01-2011 09:43 AM

Hello,

That what is going to do is to create a translation on the ASA so that people from Trust6 can see people from trust4 with the same IP.

If these interfaces (trust4, trust6) have access to another interface such as internet, mostlikely you are going to have an entry like this

nat (trust4) 1 0 0

That would nat everything going to some other place, if you dont have a global to go to Trust 6, your connection is going to fail because of NAT, and even if you add a global, it would fail because it is a dynamic NAT.

Basically, I just want to avoid doing translations and both 10.0.4 and 10.0.6 can communicate with each other, without doing nat translations.

Mike

Mike
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card