Enable traffic between 2 internal interfaces (cisco ASA 5516)

edumatics
Level 1
Hi,

I have a Cisco ASA 5516 and need two internal subnets, connected to two different interfaces, to communicate with each other.

GigabitEthernet 1/1 is the outside connection

GigabitEthernet 1/2 is the DMZ connection

GigabitEthernet 1/3 is the main inside connection 192.168.0.x

GigabitEthernet 1/4 is the 2nd inside connection 192.168.2.x

The ASA can connect to devices on both interfaces, but devices cannot communicate with the ones on the other interface.

Please help?!?!

Thanks

Edumatics

Here's the configuration


Serial Number: JAD202407ID
Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
ASA Version 9.8(2)17
hostname ASAFCHFW
domain-name mydomain.com
enable password $sha512$5000$pt2nRGQbSXA8K3vdow+Ztg==$kGNfDJREqQCQ+jO7m0bxmQ== pbkdf2
names
no mac-address auto

interface GigabitEthernet1/1
nameif Outside
security-level 0
ip address x.x.x.131 255.255.255.240
interface GigabitEthernet1/2
nameif DMZ
security-level 10
ip address 172.16.31.1 255.255.255.240
interface GigabitEthernet1/3
nameif Inside
security-level 100
ip address 192.168.0.2 255.255.255.0
interface GigabitEthernet1/4
nameif Branch_Office
security-level 100
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
interface Management1/1
management-only
nameif management
security-level 0
ip address 192.168.200.10 255.255.255.0
banner exec # WARNING!! Unauthorized Access Prohibited!! #
banner login # WARNING!! Unauthorized Access Prohibited!! #
banner motd # WARNING!! Unauthorized Access Prohibited!! #
boot system disk0:/asa982-17-lfbff-k8.SPA
ftp mode passive
dns server-group DefaultDNS
domain-name mydomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WWW-Internet
host x.x.x.133
object network WWW-DMZ
host 172.16.31.3
object network WebSeg-Internet
host x.x.x.133
object network WebSeg-DMZ
host 172.16.31.3
object network Email-Internet
host x.x.x.141
object network Email-DMZ
host 172.16.31.6
object network DNS-Internet
host x.x.x.130
object network DNS-DMZ
host 172.16.31.2
object-group network Branch-NETWORKS
network-object 192.168.2.0 255.255.255.0
network-object 192.168.14.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object 192.168.17.0 255.255.255.0
network-object 192.168.18.0 255.255.255.0
network-object 192.168.19.0 255.255.255.0
network-object 172.16.2.0 255.255.255.252
object-group network Inside-Network
network-object 192.168.0.0 255.255.255.0
access-list 100 extended permit tcp any object WWW-Internet eq www
access-list 100 extended permit tcp any object WebSeg-Internet eq https
access-list 100 extended permit tcp any object DNS-Internet eq domain
access-list 100 extended permit tcp any object Email-Internet eq smtp
access-list Outside extended permit icmp any4 any4 echo
access-list Inside extended permit ip any4 any4
access-list Branch_Office_access_in extended permit ip any4 any4
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
mtu Branch_Office 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (DMZ,Outside) source static WWW-DMZ WWW-Internet
nat (DMZ,Outside) source static WebSeg-DMZ WebSeg-Internet
nat (DMZ,Outside) source static DNS-DMZ DNS-Internet
nat (DMZ,Outside) source static Email-DMZ Email-Internet
nat (Branch_Office,Inside) source static Branch-NETWORKS Branch-NETWORKS
nat (Inside,Branch_Office) source static Inside-Network Inside-Network
nat (Inside,Outside) after-auto source dynamic any interface
nat (DMZ,Outside) after-auto source dynamic any interface
access-group 100 in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.129 1
route Branch_Office 172.16.2.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.14.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.15.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.16.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.17.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.18.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.19.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

4 Replies

balaji.bandi
Hall of Fame

You have the rules in place that let interfaces with the same security level access each other:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

If you would like the other interfaces to be able to contact each other, you need to have an ACL in place.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Can you suggest an ACL?

Can anyone help?

Apologies for the delay -

For communication between the same interfaces, change as below:

no access-list Inside extended permit ip any4 any4   <-- is there any reason you have any4?

access-list Inside extended permit ip any any

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
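As an added example (not posted by anyone in this thread), here is a small Python audit that parses an excerpt constructed from the running-config above and reports the facts the replies turn on: which interfaces share a security level, whether `same-security-traffic permit inter-interface` is set, which ACLs are defined but never bound with `access-group` (in the posted config only ACL 100 is bound, on Outside), which ACLs use `any4`, and which manual static (identity) NAT interface pairs exist. The `audit` function and its line-matching regexes are assumptions of this example, not ASA tooling.

```python
import re
from collections import defaultdict

# Constructed excerpt of the config posted above: interfaces, ACLs and NAT only.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/3
nameif Inside
security-level 100
interface GigabitEthernet1/4
nameif Branch_Office
security-level 100
same-security-traffic permit inter-interface
access-list 100 extended permit tcp any object WWW-Internet eq www
access-list Inside extended permit ip any4 any4
access-list Branch_Office_access_in extended permit ip any4 any4
access-group 100 in interface Outside
nat (Branch_Office,Inside) source static Branch-NETWORKS Branch-NETWORKS
nat (Inside,Branch_Office) source static Inside-Network Inside-Network
"""

def audit(config):
    """Collect the facts that decide whether two inside interfaces can talk."""
    levels, applied, current = {}, {}, None   # nameif->level, ACL->interface
    acls, nat_pairs = defaultdict(list), set()  # ACL->ACEs, (real,mapped) ifcs
    lines = [l.strip() for l in config.splitlines()]
    for line in lines:
        if m := re.match(r"nameif (\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"security-level (\d+)$", line)) and current:
            levels[current] = int(m.group(1))
        elif m := re.match(r"access-list (\S+) extended (.+)", line):
            acls[m.group(1)].append(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            applied[m.group(1)] = m.group(2)
        elif m := re.match(r"nat \((\S+),(\S+)\) source static", line):
            nat_pairs.add((m.group(1), m.group(2)))
    return {
        # Same-level interfaces pass traffic only when this global command is set.
        "same_security_inter_interface":
            "same-security-traffic permit inter-interface" in lines,
        "same_level_pairs": sorted((a, b) for a in levels for b in levels
                                   if a < b and levels[a] == levels[b]),
        # An ACL that is defined but never bound with access-group has no effect.
        "unapplied_acls": sorted(n for n in acls if n not in applied),
        "any4_entries": sorted(n for n, es in acls.items()
                               if any("any4" in e for e in es)),
        "identity_nat_pairs": sorted(nat_pairs),
    }
```

Run `audit` against a full `show running-config` to get the same report for a real box; the regexes only need the command lines in the form the ASA prints them.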
