03-09-2011 04:44 PM - edited 03-11-2019 01:03 PM
I have set up two different subnets, 192.168.1.0 and 192.168.2.0, on the same 'inside' interface. They are unable to talk to each other. I can ping from the firewall to both subnets. Both sides are unable to talk to each other unless I add a route on the systems on both sides.
I have added the following on the ASA5510:
same-security-traffic permit intra-interface
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
Am I missing something?
Thanks,
MF
03-09-2011 05:07 PM
Can you add more details about the topology and the config? Both subnets are on the same interface without any other L3 device dividing the subnets?
What is the IP of the inside interface of the ASA and what is the default gateway for each subnet?
03-09-2011 05:55 PM
Here is the layout:
ASA5510 -
inside (192.168.1.1) ---> 192.168.1.0 ---> 192.168.1.254 --->HP switch (L3 switch) ---> 192.168.2.1 ------> 192.168.2.0
192.168.1.0 --- G/W 192.168.1.1
192.168.2.0 -- G/W 192.168.2.1
HP Switch
vlan1 -- 192.168.1.254
vlan2 -- 192.168.2.1
Thanks,
MF
03-09-2011 06:05 PM
Now I get the picture.
I think you are missing a NAT statement.
Try:
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
03-09-2011 06:15 PM
Already has it.
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Inside) 0 access-list nonat
03-09-2011 06:21 PM
Can you check your logs while you test the connection? How are you testing?
Could you additionally add the following:
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
03-09-2011 06:43 PM
Nope. It doesn't work.
Logging is enabled and shown in real time. I was able to ping, and ICMP showed in the log. RDP from 192.168.1.x to 192.168.2.x showed nothing in the log.
03-10-2011 06:15 AM
The default gateway for the users on the 192.168.1.0 is the ASA, correct? Your ASA has a route for the 192.168.2.0?
03-10-2011 06:49 AM
The default gateway for the users on the 192.168.1.0 is the ASA. The G/W is 192.168.1.1
static (Inside,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
route Inside 192.168.2.0 255.255.255.0 192.168.1.254 1
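Added example, not part of the thread: a Python sketch that traces next hops using only the gateways, switch VLAN interfaces and ASA route posted above, to show which routing devices each direction of a 192.168.1.x to 192.168.2.x flow crosses. The host addresses 192.168.1.10 and 192.168.2.10 are constructed, and the HP switch is assumed to route between its two VLAN interfaces as connected networks.

```python
import ipaddress

# Gateways, VLAN interfaces and the ASA route are taken from the thread.
# Assumption: the HP switch forwards between vlan1 and vlan2 as connected networks.
DEVICES = {
    "ASA": {"connected": ["192.168.1.0/24"],
            "routes": {"192.168.2.0/24": "192.168.1.254"}},  # route Inside ...
    "HP-switch": {"connected": ["192.168.1.0/24", "192.168.2.0/24"],
                  "routes": {}},
}
OWNER = {"192.168.1.1": "ASA", "192.168.1.254": "HP-switch",
         "192.168.2.1": "HP-switch"}
GATEWAY = {"192.168.1.0/24": "192.168.1.1", "192.168.2.0/24": "192.168.2.1"}


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def trace(src, dst):
    """Return the routing devices a packet from src to dst crosses, in order."""
    src_net = next(n for n in GATEWAY if in_net(src, n))
    if in_net(dst, src_net):
        return []  # same subnet: delivered on-link, no router involved
    hops, next_hop = [], GATEWAY[src_net]
    while True:
        dev = OWNER[next_hop]
        if dev in hops:
            raise RuntimeError("routing loop at " + dev)
        hops.append(dev)
        table = DEVICES[dev]
        if any(in_net(dst, n) for n in table["connected"]):
            return hops  # destination is directly attached to this device
        match = [gw for n, gw in table["routes"].items() if in_net(dst, n)]
        if not match:
            raise LookupError(f"{dev} has no route to {dst}")
        next_hop = match[0]


def firewall_sees_both_directions(a, b, fw="ASA"):
    """True only if the firewall is on the path in both directions."""
    return fw in trace(a, b) and fw in trace(b, a)


if __name__ == "__main__":
    a, b = "192.168.1.10", "192.168.2.10"  # constructed host addresses
    print("forward:", trace(a, b))
    print("return: ", trace(b, a))
    print("ASA sees both directions:", firewall_sees_both_directions(a, b))
```

With the posted settings the forward direction crosses the ASA and the return direction goes from the switch straight to the 192.168.1.x host, so the firewall sees only one half of a TCP session.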