Two subnet unable to talk to each other on same 'inside' interface

members1st, Beginner

I have set up two different subnets, 192.168.1.0 and 192.168.2.0, on the same 'inside' interface. They are unable to talk to each other. I can ping from the firewall to both subnets. Neither side can talk to the other unless I add a route on the systems on both sides.

I have added the following on the ASA5510:

same-security-traffic permit intra-interface

access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Am I missing something?

Thanks

MF


8 Replies

PAUL GILBERT ARIAS, Contributor

Can you add more details about the topology and the config? Are both subnets on the same interface without any other L3 device dividing the subnets?

What is the IP of the inside interface of the ASA and what is the default gateway for each subnet?

Here is the layout:

ASA5510 -

inside (192.168.1.1) ---> 192.168.1.0 ---> 192.168.1.254  --->HP switch (L3 switch)  ---> 192.168.2.1 ------> 192.168.2.0

192.168.1.0 --- G/W 192.168.1.1

192.168.2.0 -- G/W 192.168.2.1

HP Switch

vlan1 -- 192.168.1.254

vlan2 -- 192.168.2.1

Thanks,

MF

Now I get the picture.

I think you are missing a nat statement.

try:

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 

nat (inside) 0 access-list nonat

Already has it.
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Inside) 0 access-list nonat

Can you check your logs while you test the connection? How are you testing?

Could you additionally add the following:

static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Nope. It doesn't work.

Logging is enabled and shown in real time. I was able to ping, and ICMP showed up in the log. RDP from 192.168.1.x to 192.168.2.x showed nothing in the log.

The default gateway for the users on 192.168.1.0 is the ASA, correct? Does your ASA have a route for 192.168.2.0?

The default gateway for the users on the 192.168.1.0 is the ASA. The G/W is 192.168.1.1

static (Inside,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

route Inside 192.168.2.0 255.255.255.0 192.168.1.254 1
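The thread gives every routing decision needed to walk a packet hop by hop: 192.168.1.x hosts default to the ASA at 192.168.1.1, the ASA sends 192.168.2.0/24 back out the same interface to the HP switch at 192.168.1.254, the HP switch has both VLANs directly connected, and 192.168.2.x hosts default to the switch at 192.168.2.1. The script below is an added example written for this page, not code from the thread or from Cisco; it models those tables in a small forwarding simulator (the node names host1, asa, hp, host2 and the sample addresses 192.168.1.10 and 192.168.2.10 are constructed) and traces the forward and return paths. It also applies the host route the poster says makes things work, to show what that route changes.

```python
"""Forwarding-path walk for the topology posted in this thread.

Hypothetical model (not Cisco code): each node has a list of
(prefix, action) routes; action is a next-hop IP or "deliver" for a
directly connected subnet.  A packet is forwarded until it is delivered.
"""
import ipaddress

NET1 = ipaddress.ip_network("192.168.1.0/24")
NET2 = ipaddress.ip_network("192.168.2.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Routing tables taken from the thread; host addresses are constructed.
ROUTING = {
    # vlan1 host: default gateway is the ASA inside address 192.168.1.1
    "host1": [(NET1, "deliver"), (DEFAULT, "192.168.1.1")],
    # ASA: 'route Inside 192.168.2.0 255.255.255.0 192.168.1.254 1'
    "asa": [(NET1, "deliver"), (NET2, "192.168.1.254")],
    # HP L3 switch: vlan1 192.168.1.254 and vlan2 192.168.2.1, both connected
    "hp": [(NET1, "deliver"), (NET2, "deliver")],
    # vlan2 host: default gateway is the switch SVI 192.168.2.1
    "host2": [(NET2, "deliver"), (DEFAULT, "192.168.2.1")],
}

# Which node answers for which IP address (used to resolve next hops).
OWNER = {
    "192.168.1.1": "asa", "192.168.1.254": "hp", "192.168.2.1": "hp",
    "192.168.1.10": "host1", "192.168.2.10": "host2",   # constructed hosts
}


def lookup(table, dst):
    """Longest-prefix match; returns the route action for dst."""
    best = None
    for prefix, action in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, action)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def trace(src_node, dst_ip, tables=None, max_hops=8):
    """Return the list of nodes a packet from src_node traverses to reach dst_ip."""
    tables = ROUTING if tables is None else tables
    dst = ipaddress.ip_address(dst_ip)
    path, node = [src_node], src_node
    for _ in range(max_hops):
        action = lookup(tables[node], dst)
        if action == "deliver":
            path.append(OWNER[str(dst)])
            return path
        node = OWNER[action]
        path.append(node)
    raise RuntimeError("forwarding loop")


def handshake_view(fw, a_node, a_ip, b_node, b_ip, tables=None):
    """Which segments of a TCP three-way handshake a->b cross the node `fw`.

    SYN and ACK travel a->b, SYN/ACK travels b->a.  A stateful firewall that
    sees only one direction cannot complete its connection entry.
    """
    fwd = trace(a_node, b_ip, tables)
    rev = trace(b_node, a_ip, tables)
    return {"SYN": fw in fwd, "SYN/ACK": fw in rev, "ACK": fw in fwd}


def host_route_tables():
    """Tables after adding, on host1, the route the poster says makes the
    subnets talk: 192.168.2.0/24 via the HP switch at 192.168.1.254
    (assumed to be the route they added; the thread does not quote it)."""
    tables = {node: list(routes) for node, routes in ROUTING.items()}
    tables["host1"].insert(0, (NET2, "192.168.1.254"))
    return tables


if __name__ == "__main__":
    print("forward :", " -> ".join(trace("host1", "192.168.2.10")))
    print("return  :", " -> ".join(trace("host2", "192.168.1.10")))
    print("ASA sees:", handshake_view("asa", "host1", "192.168.1.10", "host2", "192.168.2.10"))
    print("with host route:", " -> ".join(trace("host1", "192.168.2.10", host_route_tables())))
```

With the tables as posted, the forward path is host1 -> asa -> hp -> host2 but the return path is host2 -> hp -> host1: the switch delivers replies straight onto vlan1 and the ASA never sees them. That is why an ICMP echo, which needs no handshake, still succeeds, while the ASA observes only the SYN and ACK of an RDP session and never the SYN/ACK. With the host route added, both directions stay on the switch and the ASA is out of the path in both directions, which matches the poster's observation.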
