06-09-2018 05:20 AM - edited 02-21-2020 07:51 AM
Hi all,
On the ASA I have configured 2 internal sub-interfaces, GigabitEthernet0/3.50 and GigabitEthernet0/3.70.
Config on both interfaces:
GigabitEthernet0/3.50 (vlan50-192.168.50.1/24) security-level is 80.
GigabitEthernet0/3.50 (vlan70-192.168.70.1/24) security-level is 90.
Both subnets which belong to these interfaces are translated to the outside interface. The problem is I want to configure the lower security-level interface to have IP connectivity to the higher security-level sub-interface subnet. When I configure an access-list and twice NAT for GigabitEthernet0/3.50, I lose connectivity to the outside translation. Need your help.
06-09-2018 06:29 AM - edited 06-09-2018 06:29 AM
I'm new to this firewall. Any help appreciated.
06-09-2018 07:58 AM
???????????
06-10-2018 06:19 AM - edited 06-10-2018 07:08 AM
First off, be patient. CSC is a free user-supported forum. If you require answers within an hour then use paid TAC support.
Your:
access-list 50-to-70 extended permit ip object network-OBJ-192.168.50.0 object network-OBJ-192.168.70.0
...will prevent anything not explicitly allowed in that statement. This is because as soon as you apply an ACL to an interface there is an implicit "deny ip any any" statement at the end.
You should add a second line preventing traffic from 192.168.50.0 to inside networks and then a third with a permit for 192.168.50.0 to any to include internet-bound traffic.
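The rule order described in the answer above, modeled as an added example that is not part of the original thread: a small first-match ACL evaluator in Python comparing the one-line ACL with the suggested three-part ACL. The "inside networks" ranges and the sample host addresses are assumptions chosen for illustration; the thread does not list them.

```python
import ipaddress

# Constructed model of interface-ACL evaluation: entries are checked top-down,
# the first match wins, and every applied ACL ends with an implicit deny.
VLAN50 = "192.168.50.0/24"
VLAN70 = "192.168.70.0/24"
# Assumption: "inside networks" are taken to be the RFC 1918 ranges.
INSIDE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def ace(action, src, dst):
    """Build one access-control entry as (action, source net, destination net)."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))

def evaluate(acl, src_ip, dst_ip):
    """Return (action, matching rule) for a packet, falling back to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for number, (action, src_net, dst_net) in enumerate(acl, 1):
        if src in src_net and dst in dst_net:
            return action, f"line {number}"
    return "deny", "implicit deny ip any any"

# The single permit from the original post.
ORIGINAL_ACL = [ace("permit", VLAN50, VLAN70)]

# The suggested order: specific permit, then deny to inside, then permit to any.
# The deny step is expanded to one entry per assumed inside range.
FIXED_ACL = (
    [ace("permit", VLAN50, VLAN70)]
    + [ace("deny", VLAN50, net) for net in INSIDE_NETS]
    + [ace("permit", VLAN50, "0.0.0.0/0")]
)

# Constructed sample flows sourced from a VLAN 50 host.
FLOWS = {
    "vlan50 -> vlan70": ("192.168.50.10", "192.168.70.20"),
    "vlan50 -> other inside": ("192.168.50.10", "10.1.1.5"),
    "vlan50 -> internet": ("192.168.50.10", "203.0.113.10"),
}

def compare():
    """Map each flow to its (original ACL, fixed ACL) verdicts."""
    return {
        name: (evaluate(ORIGINAL_ACL, *flow)[0], evaluate(FIXED_ACL, *flow)[0])
        for name, flow in FLOWS.items()
    }

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:24} original={before:6} fixed={after}")
```

Because the permit for 192.168.70.0/24 sits above the broader deny that also covers it, swapping those two entries would block the VLAN 50 to VLAN 70 traffic again.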
06-10-2018 07:01 AM