Second internal interface ASA 5510

swappedsr
Level 1

I am trying to set up a second internal network using interface 0/2 on the ASA. Basically, where I am at now is:

ASA

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.130 255.255.255.128

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.185.10.11 255.255.255.0

interface Ethernet0/2
 nameif inside_2
 security-level 100
 ip address 192.168.10.10 255.255.255.0

I have a switch coming off of this second interface of the ASA and a client with a static ip of 192.168.10.30.

I am not sure what I need to do for NAT on this second interface; I am assuming this is my only issue in not being able to get out on the internet. Anybody have any idea how to set this up? Natting works just fine on our 10.185.10.x network.

Thanks, Bob

7 Replies

Julio Carvajal
VIP Alumni

Hello,

nat (inside_2) 1 0 0

If that does not do it please share the running configuration.

Regards,

Julio

Rate all the posts that help

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sounds good. Can you explain what that means exactly, the 1 0 0 part?

Thanks for the prompt response!

Also, I assume since these two internal networks are at the same security level, by default, they won't be able to contact each other, correct?  I actually want it so they cannot reach each other.

Hello,

It's saying please NAT everything behind the Inside2 interface.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio, everything works. The only thing I changed was from group 1 to 10. 10 is the group we are using for the global NAT range. Everything worked after that. Now, one last thing: I am assuming there will be no communication between the two internal networks because they are at the same security level. How could I, if I needed to, have these networks communicate with each other?

Hello,

In order to do that you will need the following command:

same-security-traffic permit inter-interface

global (inside2) 10 interface

global (inside1) 10 interface

Regards,

Do rate all the posts that help

Julio

Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hey Julio, thanks for the help! Can you explain what the global (inside2) 10 interface means?

Hello,

When NAT control is enabled, the traffic will hit a nat statement, and then we need to have a global.

That is the purpose of the global in here.

Is everything working as expected now?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
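
The NAT ID pairing this thread turns on (the nat group had to change from 1 to 10 to match the existing global group) and the same-security-level isolation, as an added example that is not part of the original posts: a Python check over a constructed pre-8.3 style configuration. The audit function, the sample text and the placeholder pool range are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample in pre-8.3 ASA syntax. Interface names, security levels
# and NAT group 10 follow the thread; the pool range is a placeholder.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif inside_2
 security-level 100
global (outside) 10 192.0.2.10-192.0.2.20
nat (inside) 10 0 0
nat (inside_2) 1 0 0
"""
FIXED = SAMPLE.replace("nat (inside_2) 1 0 0", "nat (inside_2) 10 0 0")

def audit(config):
    """Check nat/global ID pairing and same-security-level isolation."""
    levels, pools, nats, name, permit = {}, defaultdict(set), [], None, False
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":
            name = None                      # new interface block
        elif w[0] == "nameif" and len(w) > 1:
            name = w[1]
        elif w[0] == "security-level" and name and len(w) > 1:
            levels[name] = int(w[1])
        elif w[0] == "global" and len(w) >= 3:
            pools[w[2]].add(w[1].strip("()"))   # NAT ID -> egress interfaces
        elif w[0] == "nat" and len(w) >= 3 and w[2] != "0":
            nats.append((w[1].strip("()"), w[2]))  # ID 0 (no translation) needs no global
        elif w[:3] == ["same-security-traffic", "permit", "inter-interface"]:
            permit = True
    # A nat rule only translates toward interfaces holding a global with the same ID.
    orphans = [(ifc, nid) for ifc, nid in nats if not pools[nid] - {ifc}]
    names = sorted(levels)
    same = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if levels[a] == levels[b]]
    return {"orphans": orphans, "same_level_pairs": same,
            "inter_interface_permitted": permit}

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE), ("after", FIXED)):
        print(label, audit(cfg))
```

An empty orphans list together with inter_interface_permitted set to False is the state the original poster wanted: both inside networks translate out, and the two equal-level interfaces stay isolated from each other.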