06-03-2008 01:14 AM - edited 03-11-2019 05:54 AM
Please look at the attached network diagram for your information. I added the command
"same-security-traffic permit intra-interface" on the Internet FW, and I also forced the traffic from the internal firewall to 172.16.24.22 to pass through the Internet FW by adding a route on the internal FW:
"route DMZ 172.16.24.22 255.255.255.255 172.16.24.3"
but this time I got an error message like this:
%ASA-3-305006: portmap translation creation failed for tcp src inside:172.16.3.50/3925 dst inside:172.16.24.22/443
I did configure NAT and PAT on the Internet FW; static NAT is used to translate 172.16.24.22 into a public IP, and PAT is used to allow 172.16.3.0 to be able to access the Internet:
global (outside) 1 2.x.x.41 netmask 255.255.255.224
global (outside) 2 2.x.x.42 netmask 255.255.255.224
nat (inside) 1 172.16.3.0 255.255.255.0
nat (inside) 2 172.16.2.0 255.255.255.0
static (inside,outside) 2.x.x.40 172.16.24.22 netmask 255.255.255.255
Does someone have the solution for this?
06-03-2008 02:28 AM
Actually I think I misunderstood your network, it should be:
global (inside) 1 172.16.24.200
Assuming you already have the same-security-traffic permit intra-interface, as stated in your email.
Regards
Farrukh
06-03-2008 01:24 AM
Put a global statement like this to allow inside users to access the DMZ server.
global (dmz) 1 172.16.24.200
This is just an example. Or use nat-exemption to bypass NAT for this traffic flow (from the inside segment to the DMZ).
Once you enable dynamic NAT/PAT the whole 'no nat-control' thing blows away (for that zone).
Regards
Farrukh
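As an added example (not the poster's or Farrukh's configuration), here are both fixes from the replies written out in the pre-8.3 ASA NAT syntax the thread uses, followed by the command to replay the failing flow from the log and see which NAT rule it hits. The address 172.16.24.200 is the one Farrukh suggested; the ACL name and the assumption that 172.16.24.200 is an unused address on the Internet FW's inside segment are mine.

```cisco
! Added example, not the configuration from the thread. Pre-8.3 ASA NAT syntax.
! The flow enters and leaves the Internet FW on the same interface (inside -> inside),
! so the hairpin must be permitted first:
same-security-traffic permit intra-interface
!
! The existing dynamic rule already matches 172.16.3.0/24 ...
nat (inside) 1 172.16.3.0 255.255.255.0
! ... so every interface the flow can leave through needs a global for ID 1.
! There is one for outside but none for inside, which is what %ASA-3-305006 reports.
global (outside) 1 2.x.x.41 netmask 255.255.255.224
!
! Option A: PAT the hairpinned sources to an address on the inside segment.
! 172.16.24.200 is assumed to be a free address on that segment.
global (inside) 1 172.16.24.200
!
! Option B (instead of A): exempt the inside -> DMZ-server flow from NAT entirely.
! The ACL name NO_NAT_INSIDE_TO_SERVER is an assumption.
access-list NO_NAT_INSIDE_TO_SERVER extended permit ip 172.16.3.0 255.255.255.0 host 172.16.24.22
nat (inside) 0 access-list NO_NAT_INSIDE_TO_SERVER
!
! Check: replay the exact flow from the syslog message through the NAT and ACL lookups.
packet-tracer input inside tcp 172.16.3.50 3925 172.16.24.22 443
```

Option A also makes the server answer to 172.16.24.200, so the return traffic comes back through the Internet FW even when the server and the internal FW's DMZ interface share a segment; with Option B the server replies to 172.16.3.50 directly and, depending on the server's own gateway, that reply can bypass the Internet FW, leaving it with only one direction of the TCP connection.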