Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1306
Views
5
Helpful
4
Replies

Sub-interface Nat problem

Go to solution
Zamilnewbie
Level 1
Level 1

‎06-09-2018 05:20 AM - edited ‎02-21-2020 07:51 AM

Hi all,

On Asa I have configured 2 internal sub-interfaces GigabitEthernet0/3.50 and  GigabitEthernet0/3.70.

Config on both interfaces :

GigabitEthernet0/3.50 (vlan50-192.168.50.1/24) security-level is 80.

GigabitEthernet0/3.50 (vlan70-192.168.70.1/24) security-level is 90

Both subnets which belongs to these interfaces are translated to outside interface.Problem is i want to configure lower security-level interface to have ip connectivity to higher security-level sub interface subnet.When i configure access-list and twice nat for GigabitEthernet0/3.50  , i loose connectivity to outside translation. Need yours help.

 

 

 

Labels:
Preview file
8 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Zamilnewbie

‎06-10-2018 06:19 AM - edited ‎06-10-2018 07:08 AM

First off, be patient. CSC is a free user-supported forum. If you require answers within an hour then use paid TAC support.

 

Your:

access-list 50-to-70 extended permit ip object network-OBJ-192.168.50.0 object network-OBJ-192.168.70.0

 

...will prevent anything not explicitly allowed in that statement. This is because as soon as you apply an ACL to an onterface there is an implicit "deny ip any any" statement at the end.

 

You should add a second line preventing traffic from 192.168.50.0 to inside networks and then a third with a permit for 192.168.50.0 to any to include internet-bound traffic.

View solution in original post

4 Replies 4

Go to solution
Zamilnewbie
Level 1
Level 1

‎06-09-2018 06:29 AM - edited ‎06-09-2018 06:29 AM

I`m new to this firewall.Any help appreciated.

0 Helpful

Go to solution
Zamilnewbie
Level 1
Level 1

‎06-09-2018 07:58 AM

???????????

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Zamilnewbie

‎06-10-2018 06:19 AM - edited ‎06-10-2018 07:08 AM

First off, be patient. CSC is a free user-supported forum. If you require answers within an hour then use paid TAC support.

 

Your:

access-list 50-to-70 extended permit ip object network-OBJ-192.168.50.0 object network-OBJ-192.168.70.0

 

...will prevent anything not explicitly allowed in that statement. This is because as soon as you apply an ACL to an onterface there is an implicit "deny ip any any" statement at the end.

 

You should add a second line preventing traffic from 192.168.50.0 to inside networks and then a third with a permit for 192.168.50.0 to any to include internet-bound traffic.

Go to solution
Zamilnewbie
Level 1
Level 1
In response to Marvin Rhoads

‎06-10-2018 07:01 AM

Thanks for your attention and answer.Appreciated.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card