08-19-2005 03:17 PM - edited 03-09-2019 12:12 PM
Config:
interface Ethernet0/0
nameif outside
security-level 0
interface Ethernet0/1
nameif inside
security-level 100
Since some dedicated networks are connected to the inside LAN, this ASA has static routing (route inside x.x.x.x ...), and the inside is all clients' default gw.
Then I found incoming traffic can't be routed to next hops. I think PIX can't do this. Is this possible on ASA? Or do I need some more settings?
TIA,
08-22-2005 12:43 PM
Let me follow up,
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.25.1.1 255.255.0.0
route inside 10.50.0.0 255.255.0.0 172.25.1.3 1
Ping from 172.25.1.100 to 10.50.17.10 is unreachable.
10.50.17.10 exists beyond the router with IP address 172.25.1.3, and it is reachable from the router.
Log says,
%ASA-3-106014: Deny inbound icmp src inside:172.25.1.100 dst inside:10.50.17.10 (type 8, code 0)
08-30-2005 03:25 AM
Hi,
Please try adding the following command.
same-security-traffic permit intra-interface
Let me know if this helps.
Regards,
Shijo George.
08-31-2005 11:47 AM
Thank you very much for your reply.
I tried both
same-security-traffic permit inter-interface
and
same-security-traffic permit intra-interface
However, I still get this message,
%ASA-3-106014: Deny inbound icmp src inside:172.25.1.100 dst inside:10.50.17.10 (type 8, code 0)
In my case,
- IP traffic, not IPSec
- incoming and outgoing interfaces are the same (inside interface)
- At the inside interface, incoming traffic should be routed by static route to another hop on inside LAN. But it is denied by ASA.
Do you have any idea?
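Added example, not part of any post in this thread: a Python sketch that scans ASA syslog for 106014 denials whose source and destination interface are the same and matches each one to a static route on that interface, which is the pattern in the log line quoted above. The second log line and all function names are constructed for illustration.

```python
import ipaddress
import re

# Sample input: the route and first log line are the values posted in this
# thread; the second log line is constructed to show a non-hairpin denial.
CONFIG = "route inside 10.50.0.0 255.255.0.0 172.25.1.3 1\n"
LOGS = (
    "%ASA-3-106014: Deny inbound icmp src inside:172.25.1.100 "
    "dst inside:10.50.17.10 (type 8, code 0)\n"
    "%ASA-3-106014: Deny inbound icmp src outside:1.1.1.9 "
    "dst inside:172.25.1.100 (type 8, code 0)\n"
)

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.M)
DENY_RE = re.compile(
    r"%ASA-3-106014: Deny inbound icmp src (\S+?):(\S+) dst (\S+?):(\S+) "
    r"\(type (\d+), code (\d+)\)"
)

def parse_routes(config):
    """Return (interface, network, next_hop) for each static route line."""
    routes = []
    for ifname, net, mask, hop in ROUTE_RE.findall(config):
        network = ipaddress.ip_network(f"{net}/{mask}")
        routes.append((ifname, network, ipaddress.ip_address(hop)))
    return routes

def find_hairpin_denials(logs, routes):
    """Report denials where traffic enters and leaves the same interface."""
    findings = []
    for m in DENY_RE.finditer(logs):
        src_if, src_ip, dst_if, dst_ip = m.group(1, 2, 3, 4)
        if src_if != dst_if:
            continue  # ordinary inter-interface denial, not a hairpin
        dst = ipaddress.ip_address(dst_ip)
        # Longest-prefix match among static routes on that same interface.
        candidates = [r for r in routes if r[0] == dst_if and dst in r[1]]
        best = max(candidates, key=lambda r: r[1].prefixlen, default=None)
        findings.append({
            "interface": src_if,
            "src": src_ip,
            "dst": dst_ip,
            "next_hop": str(best[2]) if best else None,
        })
    return findings

if __name__ == "__main__":
    for f in find_hairpin_denials(LOGS, parse_routes(CONFIG)):
        print(f"{f['src']} -> {f['dst']} hairpins on {f['interface']} "
              f"(static next hop: {f['next_hop']})")
```

A finding with a non-empty next hop means the firewall was asked to send the packet back out the interface it arrived on, toward a router on the same LAN.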