ASA5510 port forwarding

rkojima
Level 1

Config:

interface Ethernet0/0
nameif outside
security-level 0
interface Ethernet0/1
nameif inside
security-level 100

Since some dedicated networks are connected to the inside LAN, this ASA has static routing (route inside x.x.x.x ...), and the inside is all clients' default gw.

Then I found incoming traffic can't be routed to next hops. I think PIX can't do this. Is this possible on ASA? Or do I need some more settings?

TIA,

3 Replies

rkojima
Level 1

Let me follow up,

interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.25.1.1 255.255.0.0
route inside 10.50.0.0 255.255.0.0 172.25.1.3 1

Ping from 172.25.1.100 to 10.50.17.10 is unreachable.

10.50.17.10 exists beyond the router with IP address 172.25.1.3, and it is reachable from the router.

Log says,

%ASA-3-106014: Deny inbound icmp src inside:172.25.1.100 dst inside:10.50.17.10 (type 8, code 0)

Hi,

Please try adding the following command.

same-security-traffic permit intra-interface

Let me know if this helps.

Regards,

Shijo George.

Thank you very much for your reply.

I tried both

same-security-traffic permit inter-interface

and

same-security-traffic permit intra-interface

However, I still get this message,

%ASA-3-106014: Deny inbound icmp src inside:172.25.1.100 dst inside:10.50.17.10 (type 8, code 0)

In my case,

- IP traffic, not IPSec

- incoming and outgoing interfaces are the same (inside interface)

- At the inside interface, incoming traffic should be routed by static route to another hop on inside LAN. But it is denied by ASA.

Do you have any idea?
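The %ASA-3-106014 line quoted in this thread is the one signal that the ASA is dropping hairpinned (same-interface) traffic. As an added example that is not part of the original thread, here is a small Python parser that reads ASA syslog lines, extracts the 106014 fields, and flags events whose source and destination interface are identical, which is the case that same-security-traffic permit intra-interface governs. The sample log lines are constructed, modelled on the message above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the %ASA-3-106014 message in the thread.
# The third line is a different message ID and must be ignored by the parser.
SAMPLE_LOGS = [
    "%ASA-3-106014: Deny inbound icmp src inside:172.25.1.100 dst inside:10.50.17.10 (type 8, code 0)",
    "%ASA-3-106014: Deny inbound icmp src outside:1.1.1.9 dst inside:172.25.1.100 (type 8, code 0)",
    "%ASA-6-302013: Built outbound TCP connection 5 for outside:1.1.1.9/80 (1.1.1.9/80) to inside:172.25.1.100/4000 (172.25.1.100/4000)",
]

# Field layout of the 106014 message: "Deny inbound <proto> src <if>:<ip> dst <if>:<ip> (type N, code M)"
PATTERN = re.compile(
    r"%ASA-(?P<sev>\d)-106014: Deny inbound (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)


@dataclass
class IcmpDeny:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    icmp_type: int
    icmp_code: int

    @property
    def intra_interface(self) -> bool:
        # Ingress and egress interface are the same: the packet must be
        # hairpinned back out of the interface it arrived on, which the ASA
        # refuses unless 'same-security-traffic permit intra-interface' is set.
        return self.src_if == self.dst_if


def parse_106014(line: str) -> Optional[IcmpDeny]:
    """Parse one syslog line; return None for any other message ID."""
    m = PATTERN.match(line.strip())
    if not m:
        return None
    return IcmpDeny(m["src_if"], m["src_ip"], m["dst_if"], m["dst_ip"],
                    int(m["type"]), int(m["code"]))


def find_hairpin_denies(lines: List[str]) -> List[IcmpDeny]:
    """Return the 106014 events whose source and destination interface match."""
    events = (parse_106014(line) for line in lines)
    return [ev for ev in events if ev is not None and ev.intra_interface]
```

Running find_hairpin_denies over a syslog export isolates exactly the drops that a missing intra-interface permit (or, on real traffic, an ACL applied to that interface) would produce, so the static route and the same-security setting can be checked together.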
