Showing results for 
Search instead for 
Did you mean: 


problem with static nat


I am running an ASA 8.2 code.  I have a public ip address defined on one of my interfaces and all internal traffic is pat'd to that, it works well.  we asked for another public scope from the isp and we defined that on another interface of the firewall.  on this new  interface we have a device with an ip address within the new (public scope) but the problem it cannot be accessed from the internet, we know it's now an isp issue. 

we can ping this device from the new interface but not from the old public ip interface.  i am pretty sure we are missing a static nat that allows traffic to communicate from the new to the old public segment defined on two different interfaces.

pls help

Julio Carvajal

Hello Ronni Ronni,

They are both outside interface so I guess they have the same security level.

Do you have configured the same-security-level permit inter-interface

If you like you can post the running configuration and we can take a deeper look on this.



Julio Carvajal
Senior Network Security and Core Specialist

yes I have same-security-level permit inter-interface.

Here is the config, I removed all the unncessary info such as vpn tunnels... if you see eth0/0 is our primary path to the internet and it has a public ip and eth0/3 is the 2nd one.  I have a bunch of allowed acl's to allow traffic to eth0/0 from the outside but removed those acl's from here, but i do have a permit ip any any to all outside traffic going the sip interface whitch is eth0/3

we have no issues with eth0/0 but when i connect a device to eth0/3 with an ip of the same segment it is not accessible from the internet.  note that there is no need to nat anything because the device has also a pulbic ip

interface Ethernet0/0
description primary internet
speed 100
duplex full
nameif outside
security-level 0
ip address
interface Ethernet0/1
description internal network
nameif inside
security-level 100
ip address
interface Ethernet0/2
description DMZ
nameif dmz
security-level 50
ip address
interface Ethernet0/3
description secondary internet
speed 100
duplex full
nameif sip
security-level 0
ip address
interface Management0/0
no nameif
no security-level
no ip address
boot system disk0:/asa824-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

tcp-map allow-probes
  tcp-options range 76 78 allow

mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu sip 1500

icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any sip
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1

access-group outside_in in interface outside
access-group inside_access_in in interface inside
access-group sip_traffic in interface sip
route outside

access-list sip_traffic extended p