1025 Views · 0 Helpful · 1 Reply

Problem with intra-interface routing on ASA

jmandersson
Level 1

Hi Experts!

I've just set up an ASA5510, and the intra-interface routing is not working as I expected. My topology is precisely as in http://www.cisco.com/image/gif/paws/71342/intra-interface-communications-5.gif. The clients have the ASA as their default gateway, and I have a second firewall on the same subnet. I've used "same-security-level permit intra-interface" and a static route (the default route points to outside); ICMP (and probably UDP) works fine, but not TCP. I've read a lot of explanations of why it doesn't work and some solutions, but it doesn't help. According to http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml everything should just work fine with only that command.

I tried this

! Policy NAT (pre-8.3 nat/global syntax): translate sources in 192.168.93.0/24 that
! match the ACL to the inside interface address when they leave via inside
access-list INTRA_INTERFACE permit ip 192.168.93.0 255.255.255.0 any
nat (inside) 1 access-list INTRA_INTERFACE
global (inside) 1 interface

But then I didn't get any traffic through the ASA.

Do you guys have any suggestions?

Best regards

jmandersson

1 Reply

Maykol Rojas
Cisco Employee

Hello

I assume that 192.168.93.0 is the network directly connected to the ASA. There is something missing: remember that the network you are trying to reach is also on a high security level, or on the same security level, so it needs a translation as well. Let's assume that the network behind the second firewall is 10.10.10.0/24, so on the first firewall you will need the following configuration:

! Identity static NAT for the hairpinned destination network on the inside interface.
! The netmask is required: without it the static applies to the single host 10.10.10.0.
static (inside,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

and on the second firewall you will need the following lines in order to avoid NAT on the second firewall when going to the 93 network:

! NAT exemption: traffic from 10.10.10.0/24 to 192.168.93.0/24 is not translated
access-list nat0 permit ip 10.10.10.0 255.255.255.0 192.168.93.0 255.255.255.0
nat (inside) 0 access-list nat0

ICMP is working because it doesn't care about the sequence of ICMP messages; if you put inspection on, it will die.

Try this out and let me know.

Mike
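
The reply above assembled into one complete configuration, as an added example for this page (not config posted by either participant or taken from the Cisco documents linked in the thread). The first-firewall side uses the pre-8.3 nat/global syntax the thread is written in, the second-firewall side assumes that device is also an ASA/PIX, and the last part is the verification a practitioner would run. The hostname ASA1, interface Ethernet0/1, the addresses 192.168.93.1 (ASA inside), 192.168.93.2 (second firewall), 192.168.93.10 (a client) and 10.10.10.5 (a server), and the network 10.10.10.0/24 are assumptions.

```text
! ===== First firewall (ASA1, the clients' default gateway) =====
! Assumed addressing: inside 192.168.93.1/24, second firewall at 192.168.93.2,
! remote network 10.10.10.0/24 behind it.
hostname ASA1
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.93.1 255.255.255.0
!
! Allow a packet to enter and leave the same interface (hairpinning). This is the
! actual command name; "same-security-level" is not a keyword the ASA accepts.
same-security-traffic permit intra-interface
!
! Send 10.10.10.0/24 back out the inside interface toward the second firewall.
route inside 10.10.10.0 255.255.255.0 192.168.93.2 1
!
! Identity translation for the hairpinned flow: both the source and the destination
! side of the connection are on "inside", so the destination network needs an xlate
! too (required once nat-control or any other nat statement is in play). The netmask
! makes this a network static; without it only host 10.10.10.0 would match.
static (inside,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!
! ===== Second firewall (assumed to be another ASA/PIX) =====
! NAT exemption so 10.10.10.0/24 reaches the 93 network untranslated.
access-list nat0 permit ip 10.10.10.0 255.255.255.0 192.168.93.0 255.255.255.0
nat (inside) 0 access-list nat0
!
! ===== Verification on ASA1 =====
! Walk a client SYN through the policy engine. The output must end with
! "Action: allow" and the NAT phase must show the (inside,inside) static.
packet-tracer input inside tcp 192.168.93.10 40000 10.10.10.5 80 detailed
!
! After a real connection attempt from the client:
! - show conn: an established flow shows the U (up) flag; one that never leaves
!   the SYN-pending state means the ASA saw the SYN but not the SYN/ACK.
! - show xlate debug: confirms the identity xlate for 10.10.10.5 was built.
! - show asp drop: the drop counters name the reason for any dropped segments.
show conn address 10.10.10.5
show xlate debug
show asp drop
```

The checks matter because the identity NAT is only half of the story for TCP. The client, the ASA and the second firewall all sit on 192.168.93.0/24, so unless the second firewall is made to send its return traffic via the ASA, the SYN/ACK from 10.10.10.5 goes from the second firewall straight to the client, the ASA sees only the client's side of the handshake, and it drops the client's following segments as out of state (the conn in `show conn` never reaches U and `show asp drop` increments). ICMP without `inspect icmp` keeps no such state on the ASA, which is why ping works while TCP does not.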