10-12-2015 05:47 AM - edited 03-11-2019 11:44 PM
I am trying to pass traffic across 2 interfaces with the same security levels and I can't seem to get it to work past the firewall itself. I can ping across the firewall to the other network, but I can't get this to function from a network PC. I am running an ASA 5505, and I have entered the same-security commands as well.
Any help would be appreciated.
10-12-2015 05:58 AM
You can try exempting the traffic from inside to inside1 from NAT.
As is, the configuration will cause that traffic to hit the global NAT rule.
10-12-2015 06:50 AM
I am newer to ASA, so how would I do this?
10-12-2015 07:34 AM
Add an entry in your access list as follows:
access-list inside_nat0_outbound extended permit ip 192.168.153.0 255.255.255.0 192.168.169.0 255.255.0.0
That will make sure the ASA does not NAT the traffic between those two interfaces.
10-12-2015 11:39 AM
Just tried that and I still can't ping from the network. All is working from the ASA but not the network.
10-12-2015 11:43 AM
Please run the following command and share the output:
packet-tracer input inside icmp 192.168.153.10 0 0 192.168.169.10
(The specific source and destination IP addresses aren't critical as long as they are valid within their respective subnets - this just tests the logic of the ASA configuration for passing pings from one subnet to the other.)
10-12-2015 12:29 PM
10-12-2015 01:07 PM
The output shows you are still hitting "nat 1" and not "nat 0" (exemption). See phase 6 where it tells us:
nat (inside) 1 0.0.0.0 0.0.0.0
and following it highlights the problem:
translate_hits = 140, untranslate_hits = 0
I realize I made a typo in the access-list entry I suggested: the destination netmask should be /24 (although the more general netmask should still cover it):
access-list inside_nat0_outbound extended permit ip 192.168.153.0 255.255.255.0 192.168.169.0 255.255.255.0
Can you try that and also provide the output of:
show run access-list inside_nat0_outbound
...and rerun the packet-tracer.
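The reasoning in the reply above (which nat statement a flow hits depends on whether the nat 0 access-list covers both the source and the destination, and a /16 destination mask still covers the /24) can be checked offline. The following Python is an added example, not code from the thread or from Cisco; it parses access-list lines in the same syntax used above and reports whether a given source/destination pair would be exempted ("nat 0") or fall through to the catch-all "nat (inside) 1 0.0.0.0 0.0.0.0" seen in the packet-tracer output. The flow addresses and the extra 192.168.170.10 host are constructed for the example; the simplification that a deny entry in the nat 0 ACL simply falls through to nat 1 is an assumption of this script.

```python
"""Decide which ASA NAT statement a flow hits, given a nat 0 (exemption) access-list.

Added example: emulates only the part of the ASA logic discussed in the thread,
i.e. "does the first matching permit ACE in the nat 0 ACL cover this flow?".
"""
import ipaddress
import re

# Matches the exact ACE form used in the thread:
#   access-list NAME extended permit|deny ip SRC SRCMASK DST DSTMASK
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


def parse_ace(line):
    """Turn one access-list line into source/destination networks."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    # strict=False: a mask wider than the written address is accepted, so the
    # typo'd entry "192.168.169.0 255.255.0.0" becomes 192.168.0.0/16, which is
    # exactly why the reply says the wider mask "should still cover it".
    src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
    dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
    return {"name": m["name"], "action": m["action"], "src": src, "dst": dst}


def ace_matches(ace, src_ip, dst_ip):
    """True when both endpoints of the flow fall inside the ACE's networks."""
    return (ipaddress.ip_address(src_ip) in ace["src"]
            and ipaddress.ip_address(dst_ip) in ace["dst"])


def nat_decision(nat0_acl_lines, src_ip, dst_ip):
    """Return 'nat 0' if the first matching ACE permits the flow.

    Otherwise the flow is assumed to fall through to the catch-all
    'nat (inside) 1 0.0.0.0 0.0.0.0' from the thread and the result is 'nat 1'.
    """
    for line in nat0_acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, src_ip, dst_ip):
            return "nat 0" if ace["action"] == "permit" else "nat 1"
    return "nat 1"


# The two ACEs from the thread: the first reply's typo (/16 destination mask)
# and the corrected /24 entry.
ACE_TYPO = ("access-list inside_nat0_outbound extended permit ip "
            "192.168.153.0 255.255.255.0 192.168.169.0 255.255.0.0")
ACE_FIXED = ("access-list inside_nat0_outbound extended permit ip "
             "192.168.153.0 255.255.255.0 192.168.169.0 255.255.255.0")


def compare_entries(src_ip, dst_ip):
    """Report the NAT decision for a flow under each ACE (typo vs. corrected)."""
    return {
        "typo_/16": nat_decision([ACE_TYPO], src_ip, dst_ip),
        "fixed_/24": nat_decision([ACE_FIXED], src_ip, dst_ip),
    }


if __name__ == "__main__":
    # Flow from the thread's packet-tracer command: both entries exempt it.
    print("153.10 -> 169.10:", compare_entries("192.168.153.10", "192.168.169.10"))
    # Constructed neighbouring subnet: only the /16 typo exempts it, which is the
    # over-broad side effect of the wider mask.
    print("153.10 -> 170.10:", compare_entries("192.168.153.10", "192.168.170.10"))
```

Running it shows that the thread's test flow is exempted by either entry, so a packet-tracer that still reports "nat 1" points at something other than the mask (for example the ACE not being in the running config, which is why the reply asks for `show run access-list inside_nat0_outbound`). It also shows that the /16 typo would silently exempt every other 192.168.x.x destination, which is worth catching before it is left in a production configuration.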
10-12-2015 01:35 PM
10-14-2015 12:07 PM
Did you have any further ideas on this?
10-14-2015 12:17 PM
Hi,
If I understand it correctly, you are trying to ping from a PC in subnet:
192.168.169.x (Network) from the 192.168.153.x subnet (inside)
With the same configuration, first try enabling this command:
fixup protocol icmp
If this doesn't work, try this:
Remove the NAT exempt and configure this NAT statement:
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (network) 1 interface
Let me know if this works.
Thanks and Regards,
Vibhor Amrodia
10-14-2015 12:23 PM
I am trying to ping the far-end interface from the 192.168.152.X side.
So I am on a machine on the 192.168.153.X side and I am just trying to ping the 192.168.169.2 interface.
10-14-2015 12:25 PM
I will have to wait till after business hours tomorrow to do the other as this is a production firewall.
10-14-2015 12:26 PM
Fixup did not work.
10-14-2015 12:33 PM
I thought with the same-security-traffic command you could communicate across interfaces with same security levels.