Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1270
Views
0
Helpful
7
Replies

Passing traffic across interfaces with same security levels.

ddevecka
Level 1
Level 1

‎10-12-2015 05:47 AM - edited ‎03-11-2019 11:44 PM

I am trying to pass traffic across 2 interfaces with the same security levels and I can't seem to get it to work past the Firewall its self. I can ping across the firewall to the other network, but I can't get this to function from a network PC. I am running and ASA 5505, and I have enter the same-security commands as well.

 

Any help would be appreciated.

Labels:
Preview file
7 KB
0 Helpful
7 Replies 7

Akshay Rastogi
Cisco Employee
Cisco Employee

‎10-12-2015 01:03 PM

Hi,

From the configuration it looks like 'nat-control's is enabled and it is dropping as there is no nat for the traffic.

I could see that you have configured nat-exemption for inside network. Please use the below command :

access-list inside_nat0_outbound line 1 extended permit ip 192.168.153.0 255.255.255.0 192.168.169.0 255.255.0.0

It should work.

 

Rate if it helps!

Regards,

Akshay Rastogi

0 Helpful

ddevecka
Level 1
Level 1
In response to Akshay Rastogi

‎10-14-2015 12:05 PM

Tried that and it didn't work.

0 Helpful

Akshay Rastogi
Cisco Employee
Cisco Employee
In response to ddevecka

‎10-14-2015 12:48 PM

Hi,

Please provide the output of :

packet-tracer input inside tcp 192.168.153.x 12345 192.168.169.x 12345 det

packet-tracer input inside1 tcp 192.168.169.x 23343 192.168.153.x 22212 det

 

Regards,

Akshay Rastogi

0 Helpful

ddevecka
Level 1
Level 1
In response to Akshay Rastogi

‎10-15-2015 12:33 PM

Here are the results.

Preview file
3 KB
Preview file
2 KB
0 Helpful

Akshay Rastogi
Cisco Employee
Cisco Employee
In response to ddevecka

‎10-15-2015 01:00 PM

Hi,

Are these packet-tracer output taken after the access-list i asked to add?

Also, i could see that you ran packet-tracer for destination 192.168.168.x. I believe your concerned traffic was '192.168.169.x' ?

It says it is dropped at Access-list level. For testing purpose please add 'permit ip any any' on both the interfaces (153 and 169)

Regards,

Akshay Rastogi

0 Helpful

ddevecka
Level 1
Level 1
In response to Akshay Rastogi

‎10-15-2015 01:24 PM

Yes they are. I re-ran them just to be safe.

Preview file
2 KB
Preview file
2 KB
0 Helpful

ealiev
Cisco Employee
Cisco Employee
In response to ddevecka

‎10-15-2015 05:43 AM

Hi,

Could you also provide the output from these commands:

cap cap_probe type asp-drop all

cap cap_inside match ip host 192.168.153.x host 192.168.169.x

cap cap_inside1 match ip host 192.168.169.x  host 192.168.153.x

 

And try to enable icmp inspection

policy-map global_policy
 class inspection_default
  inspect icmp

 

Regards,

Ergin

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card