Connecting two internal networks in an ASA

ivanguzman
Level 1

Hi

I have an ASA5510 with a segment 192.168.1.0 on the inside interface, but I need to configure another new segment, and both segments have to communicate. How do I do it?

10 Replies

andrew.prince
Level 10

Either:-

1) Use a router

2) Use another interface on the ASA, and configure the security policy accordingly.

HTH>

Hi Andrew,

I configured another interface on the ASA. Must the new interface have a security level lower than the inside?

How can I enable the new interface to communicate with the inside?

Thanks!

Ivanguzman,

I am in the same situation. I need to get a security level 100 to communicate with a 75 on different interfaces.

Mine keeps erroring on the NAT rule, stating that there isn't any pool.

Can someone shed some light on the suggested approach for configuration so I can verify that I have the correct configuration?

1.) I know the NAT rule needs to be on the higher security.

2.) I know you need a permit ACL on the lower interface to permit access inbound.

It can have the same security level if you want - depending on its purpose, I generally give any other interfaces a lower security level, say 50.

What I then do is make a NAT exempt from the inside to the new interface (this is bi-directional).

Once the NAT is working ok, I then write an ACL for any traffic that originates from the new interface to the inside.

HTH>

Andrew,

Do you put that exempt rule on the higher security interface or make a separate one for each lower interface?

Generally what I do is:-

1) Create an inside to new interface ip access-list.

2) Attach the acl to the nat (inside) 0 config.

3) Create a new interface to inside ip access-list.

4) Attach the acl to the nat <new interface> 0.

Then let the traffic flow in both directions; when you have no hits on the acl from the new interface to the inside, you know your inside NAT exempt rule is bi-directional (sometimes it does not work straight away).

Sometimes I leave them in there - especially when I need to make the new interface part of a VPN - then the exempt acl just gets expanded.

HTH>

Would the following configuration be correct, or am I missing some parameter?

interface Ethernet0/1
 nameif inside1
 security-level 100
 ip address 192.168.1.254 255.255.255.0

interface Ethernet0/2
 nameif inside2
 security-level 75
 ip address 172.16.13.1 255.255.255.0

access-list ACL_IN2 extended permit ip 172.16.13.0 255.255.255.0 192.168.1.0 255.255.255.0

static (inside1,inside2) 172.16.13.0 172.16.13.0 netmask 255.255.255.0

or

static (inside1,inside2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

access-group ACL_IN in interface inside1
access-group ACL_IN2 in interface inside2

That would be one way of doing it; I would:

access-list no-nat1 permit ip 192.168.1.0 255.255.255.0 172.16.13.0 255.255.255.0
nat (inside1) 0 access-list no-nat1

access-list no-nat2 permit ip 172.16.13.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside2) 0 access-list no-nat2

The above allows you to expand the nat-exemption the more interfaces you have.

JMTPW
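The steps Andrew lists above (a nat 0 access-list on each interface whose source is the network behind that interface, a mirrored entry on the far interface, and a netmask that actually matches the subnet) are easy to get subtly wrong, as the draft configuration in this thread shows. The following Python script is an added example, not code from the thread or from Cisco: it parses the handful of ASA 8.2-style statements used in this discussion and reports what is off. The function names (parse_config, check), the finding tags and the embedded SAMPLE_CONFIG are all assumptions made here; the sample is constructed from the interfaces above, with one mistake planted on purpose (the 255.255.0.0 netmask on a /24 static) so the checks have something to find.

```python
import ipaddress
import re
from collections import namedtuple

# One "permit ip" access-list entry: source and destination networks.
Rule = namedtuple("Rule", "src dst")

# Constructed sample (not from any real device): the two interfaces from the
# thread, a NAT exemption in the shape Andrew suggests, and one planted defect:
# the static carries a /16 netmask on a /24 network.
SAMPLE_CONFIG = """
interface Ethernet0/1
 nameif inside1
 security-level 100
 ip address 192.168.1.254 255.255.255.0
interface Ethernet0/2
 nameif inside2
 security-level 75
 ip address 172.16.13.1 255.255.255.0
access-list no-nat1 extended permit ip 192.168.1.0 255.255.255.0 172.16.13.0 255.255.255.0
nat (inside1) 0 access-list no-nat1
access-list no-nat2 extended permit ip 172.16.13.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside2) 0 access-list no-nat2
static (inside1,inside2) 192.168.1.0 192.168.1.0 netmask 255.255.0.0
"""


def parse_config(text):
    """Parse interfaces, permit-ip ACL entries, nat 0 bindings and statics.

    Returns (interfaces, acls, nat0, statics): nameif -> {"level", "net"},
    acl name -> [Rule], nameif -> acl name, and a list of static tuples.
    """
    interfaces, acls, nat0, statics = {}, {}, {}, []
    current = None  # interface block being parsed, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {}
        elif m := re.match(r"nameif (\S+)", line):
            current["name"] = m.group(1)
            interfaces[m.group(1)] = current
        elif m := re.match(r"security-level (\d+)", line):
            current["level"] = int(m.group(1))
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            current["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)", line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                Rule(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m.group(1)] = m.group(2)
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line):
            statics.append(m.groups())
    return interfaces, acls, nat0, statics


def check(text):
    """Return a list of findings, each prefixed with a tag:
    MISSING-ACL  nat 0 points at an access-list that is not defined
    WRONG-SIDE   nat 0 ACL source is not a subnet of that interface's network
    NO-MIRROR    exemption A->B has no matching B->A entry on another interface
    HOST-BITS    static netmask is shorter than the network it names
    MASK-DIFF    static netmask differs from the interface's own subnet mask
    """
    interfaces, acls, nat0, statics = parse_config(text)
    findings = []
    for ifc, acl in nat0.items():
        if acl not in acls:
            findings.append(f"MISSING-ACL nat ({ifc}) 0 references undefined access-list {acl}")
            continue
        net = interfaces.get(ifc, {}).get("net")
        for r in acls[acl]:
            if net is not None and not r.src.subnet_of(net):
                findings.append(f"WRONG-SIDE {acl}: source {r.src} is not behind {ifc} ({net})")
    for ifc, acl in nat0.items():
        for r in acls.get(acl, []):
            mirrored = any(Rule(r.dst, r.src) in acls.get(other_acl, [])
                           for other_ifc, other_acl in nat0.items() if other_ifc != ifc)
            if not mirrored:
                findings.append(f"NO-MIRROR {acl}: {r.src} -> {r.dst} has no reverse entry on another interface")
    for src_ifc, dst_ifc, real, mapped, mask in statics:
        try:
            net = ipaddress.ip_network(f"{real}/{mask}")  # strict: host bits must be zero
        except ValueError:
            findings.append(f"HOST-BITS static ({src_ifc},{dst_ifc}) {real} netmask {mask} has host bits set")
            continue
        ifc_net = interfaces.get(src_ifc, {}).get("net")
        if ifc_net is not None and net.netmask != ifc_net.netmask:
            findings.append(f"MASK-DIFF static ({src_ifc},{dst_ifc}) uses {net.netmask}, interface uses {ifc_net.netmask}")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print(finding)
```

Run as-is it reports only the planted HOST-BITS defect on the static; correcting the netmask to 255.255.255.0 makes it come back clean. Swapping the source and destination of no-nat1 (the easy mistake when the two subnets are copied between interfaces) produces a WRONG-SIDE finding and breaks the mirror check for both entries, which is the symptom behind "no hits on the acl" that Andrew uses as his test.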

Yup, got it working after your previous post, Andrew, and the ACL is still functional as I need it to be. It's looking like it's a cross between what you're both talking about.

Awesome, thanks gang.

np - glad to help.
