10-11-2009 02:43 PM - edited 03-11-2019 09:25 AM
I cannot open a shared network drive or ping between two interfaces with the same security level.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
nameif inside_wlan
security-level 100
ip address 10.10.10.1 255.255.255.0
!
same-security-traffic permit inter-interface
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit tcp object-group network_group_inside any object-group service_group_inside2otside_tcp
access-list inside_access_in extended permit udp object-group network_group_inside any object-group service_group_inside2outside_udp
access-list inside_access_in extended permit icmp any any
access-list inside_wlan_access_in extended permit tcp object-group network_group_inside_wlan any object-group service_group_inside_wlan2otside_tcp
access-list inside_wlan_access_in extended permit udp object-group network_group_inside_wlan any object-group service_group_inside_wlan2outside_udp
access-list inside_wlan_access_in extended permit icmp any any
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside_wlan) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp interface 4662 home 4662 netmask 255.255.255.255
static (inside,outside) udp interface 4672 home 4672 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group inside_wlan_access_in in interface inside_wlan
10-11-2009 05:51 PM
I believe you need the following:
static (inside,inside_wlan) 192.168.1.0 192.168.1.0 net 255.255.255.0
Pls. enable logging:
logging on
logging buffered 7
sh logg | i 192.168.1.x
When you ping the 10.10.10.x host from a 192.168.1.x host.
Here is the link for same security intra/inter:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wpxref77088
10-11-2009 07:03 PM
Thank you for the help.
After that I did
static (inside,inside_wlan) 192.168.1.0 192.168.1.0 net 255.255.255.0
I got this log from ASA 5505:
Oct 11 2009 22:58:37 ciscoasa : %ASA-6-302020: Built inbound ICMP connection for faddr home/0 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
Oct 11 2009 22:58:37 ciscoasa : %ASA-6-302021: Teardown ICMP connection for faddr home/0 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
And from Kiwi log viewer:
ciscoasa : %ASA-3-305005: No translation group found for icmp src inside:home dst inside_wlan:lp-mekael (type 8, code 0)
10-11-2009 07:15 PM
I added one more line and it began to work.
Can you give me a short explanation of why it works?
static (inside,inside_wlan) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside_wlan,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
10-12-2009 04:28 AM
The static line is required because you have nat/global configured for those 192 and 10 networks.
Once you provide a nat/global, the flow will require translation for any other flow between any other interfaces, meaning NO NAT-CONTROL will not have any effect and it will be considered NAT-CONTROL. We just provided the identity translation that it needs.
That is all.
If you did not have the nat/global for both these networks, then the no nat-control in the configuration would have kicked in and there would not have been a need to add an identity static to get this to work.
I hope this is clear. If not pls. let us know.
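Added example, not part of the thread and not Cisco tooling: a Python check that pulls the interface pairs out of %ASA-3-305005 lines like the one posted above and reports which direction of the identity static used in this thread is still absent from a pre-8.3 configuration. The function names are assumptions of this sketch, and the sample lines are copied from the posts.

```python
import re
from collections import Counter

# %ASA-3-305005 as it appears in the thread's Kiwi log line.
MSG_305005 = re.compile(
    r"%ASA-3-305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):\S+ dst (?P<dst_if>[^:\s]+):\S+")
# Pre-8.3 network static: static (real_if,mapped_if) mapped real net[mask] mask.
# Port statics ("static (...) tcp interface 4662 ...") do not match.
STATIC = re.compile(
    r"static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped>[\d.]+) (?P<real>[\d.]+) net\w* [\d.]+$")

def missing_translations(log_lines):
    """Count 305005 events per (protocol, src interface, dst interface)."""
    hits = Counter()
    for line in log_lines:
        m = MSG_305005.search(line)
        if m:
            hits[(m["proto"], m["src_if"], m["dst_if"])] += 1
    return hits

def identity_statics(config_lines):
    """Return (real_if, mapped_if) for statics that map a network to itself."""
    found = set()
    for line in config_lines:
        m = STATIC.match(line.strip())
        if m and m["mapped"] == m["real"]:
            found.add((m["real_if"], m["mapped_if"]))
    return found

def review(log_lines, config_lines):
    """Per interface pair seen in 305005, list identity-static directions not configured."""
    have = identity_statics(config_lines)
    report = {}
    for _, a, b in missing_translations(log_lines):
        report[tuple(sorted((a, b)))] = sorted({(a, b), (b, a)} - have)
    return report

# Sample input: lines copied from the posts above.
LOG = [
    "Oct 11 2009 22:58:37 ciscoasa : %ASA-6-302020: Built inbound ICMP connection for faddr home/0 gaddr 192.168.1.1/0 laddr 192.168.1.1/0",
    "ciscoasa : %ASA-3-305005: No translation group found for icmp src inside:home dst inside_wlan:lp-mekael (type 8, code 0)",
]
FIRST_STATIC = ["static (inside,inside_wlan) 192.168.1.0 192.168.1.0 net 255.255.255.0"]
BOTH_STATICS = FIRST_STATIC + ["static (inside_wlan,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0"]

if __name__ == "__main__":
    print(review(LOG, FIRST_STATIC))
    print(review(LOG, BOTH_STATICS))
```

With only the first static in place the check still reports the (inside_wlan,inside) direction, matching the point in the thread where the 305005 message kept appearing until the second line was added.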
10-12-2009 07:17 AM
Thank you for your help !!!