Passing traffic across interfaces with same security levels.

ddevecka
Level 1

I am trying to pass traffic across 2 interfaces with the same security levels and I can't seem to get it to work past the Firewall itself. I can ping across the firewall to the other network, but I can't get this to function from a network PC. I am running an ASA 5505, and I have entered the same-security commands as well.

Any help would be appreciated.

17 Replies

Marvin Rhoads
Hall of Fame

You can try exempting the traffic from inside to inside1 from NAT.

As is, the configuration will cause that traffic to hit the global NAT rule.

I am new to ASA, so how would I do this?

Add an entry in your access list as follows:

access-list inside_nat0_outbound extended permit ip 192.168.153.0 255.255.255.0 192.168.169.0 255.255.0.0 

That will make sure the ASA does not NAT the traffic between those two interfaces.

Just tried that and I still can't ping from the network. All is working from the ASA but not the network.

Please run the following command and share the output:

packet-tracer input inside icmp 192.168.153.10 0 0 192.168.169.10

(The specific source and destination IP addresses aren't critical as long as they are valid within their respective subnets - this just tests the logic of the ASA configuration for passing pings from one subnet to the other.)

Here is the output.

The output shows you are still hitting "nat 1" and not "nat 0" (exemption). See phase 6 where it tells us:

nat (inside) 1 0.0.0.0 0.0.0.0

and following it highlights the problem:

translate_hits = 140, untranslate_hits = 0

I realize I made a typo in the access-list entry I suggested: the destination netmask should be /24 (although the more general netmask should still cover it):

access-list inside_nat0_outbound extended permit ip 192.168.153.0 255.255.255.0 192.168.169.0 255.255.255.0

Can you try that and also provide the output of:

show run access-list inside_nat0_outbound

...and rerun the packet-tracer.
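To put the pieces of this exchange together, here is a complete pre-8.3 (nat/global syntax) configuration for the NAT-exemption approach, added as an example rather than taken from the thread or from Cisco documentation. The interface names inside and network, and the 192.168.153.0/24 and 192.168.169.0/24 subnets, follow the thread; the interface security levels, the outside interface, and the sample host addresses in the verification commands are assumptions.

```cisco
! Added example (not from the thread): ASA 8.2-style configuration for
! passing traffic between two interfaces at the same security level
! without translating it. Interface names and subnets follow the thread;
! everything else is assumed.

! 1. Interfaces at the same security level are not allowed to talk to
!    each other unless this is enabled explicitly.
same-security-traffic permit inter-interface

! 2. NAT exemption (nat 0 with an access-list). The destination mask
!    must be 255.255.255.0; a 255.255.0.0 mask still covers the subnet
!    but also exempts every other 192.168.x.x destination. Exemption is
!    bidirectional, so the reverse entry on "network" is optional.
access-list inside_nat0_outbound extended permit ip 192.168.153.0 255.255.255.0 192.168.169.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 3. The catch-all PAT rule stays for Internet-bound traffic. nat 0
!    exemption is evaluated before it, so inside<->network traffic is
!    no longer counted in the nat 1 translate_hits.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 4. Stateful ICMP inspection, so echo replies are matched to the
!    request instead of needing an access-list in the return direction
!    (this is the policy-map form of the legacy "fixup protocol icmp").
policy-map global_policy
 class inspection_default
  inspect icmp

! Verification (privileged exec). In the trace, the NAT phase should now
! reference "nat (inside) 0 access-list inside_nat0_outbound" instead of
! "nat (inside) 1 0.0.0.0 0.0.0.0", and the result should be ALLOW.
! "8 0" is ICMP type 8, code 0 (echo request); hosts are assumed.
!   show run same-security-traffic
!   show run nat
!   show nat
!   packet-tracer input inside icmp 192.168.153.10 8 0 192.168.169.10
```

One caveat when testing: a ping addressed to the ASA's own network-side interface address (192.168.169.2 in the thread) is to-the-box traffic, and the ASA only answers pings to the interface the packet arrived on. It is not a test of through-the-box forwarding; test against a host behind the network interface, and use packet-tracer with that host's address as the destination.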

I caught the subnet and fixed it before entering.

Did you have any further ideas on this?

Hi,

If I understand it correctly, you are trying to ping from a PC in subnet:-

192.168.169.x(Network) from the 192.168.153.x subnet(inside)

With the same configuration, first try enabling this command:-

fixup protocol icmp

If this doesn't work, try this:-

Remove the NAT exempt and configure this NAT statement:-

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (network) 1 interface

Let me know if this works?

Thanks and Regards,

Vibhor Amrodia

I am trying to ping the far-end interface from the 192.168.152.X side.

So I am on a machine on the 192.168.153.X side and I am just trying to ping the 192.168.169.2 interface.

I will have to wait till after business hours tomorrow to do the other as this is a production firewall.

Fixup did not work.

I thought with the same-security-traffic command you could communicate across interfaces with same security levels.