ICMP on ASA 5520 (8.6) subinterface

w.janarthanan
Level 1
Level 1

                   Hi Geeks,

Following is my setup on the ASA:

interface GigabitEthernet0/1.20
vlan 20
nameif ABC
security-level 100
ip address 10.20.100.1 255.255.255.0

interface GigabitEthernet0/1.30
vlan 30
nameif XYZ
security-level 100
ip address 10.20.200.1 255.255.255.0

SWITCH

1) all the clients are connected via L2 switch

2) gig 0/1 is a trunk

3) allowed vlan 20 and 30

1) When I ping 10.20.200.1 from a client PC with a 10.20.100.X IP, I don't get the ping working.

2) But when I ping a client inside 10.20.200.x from the same client PC with a 10.20.100.X IP, it works.

3) It's only the ASA subinterface that I can't ping from clients in a different VLAN.

Can someone let me know the issue?

I have enabled the following:

icmp permit any ABC

icmp permit any XYZ

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

Still no luck.

16 Replies

johnnylingo
Level 5
Level 5

Since 10.20.100.1 and 10.20.200.1 are both the ASA itself, a ping from 10.20.100.X to 10.20.200.1 will use 10.20.100.1 as the source in the echo-reply, so that's why it's failing. 

I know one work-around is to NAT.  But there are probably better ways. 

Hi johnnylingo,

Thank you for your reply. The NAT is totally different in 8.6. Do you know how I can create a NAT to make this work?

Use an access list to permit traffic:

access-list LANtoLAN extended permit ip any any

access-group LANtoLAN in interface ABC

access-group LANtoLAN in interface XYZ

****Do Rate Helpful Post***

Jawad

Hi Jawad Mukhtar,

I already have the below ACL:

access-group ABC_in in interface ABC

access-group XYZ_in in interface XYZ

access-list ABC_in extended permit icmp any any

access-list XYZ_in extended permit icmp any any

But still no luck.

Paste your running config (leave passwords blank).

Jawad

Hi Jawad Mukhtar,

-----------------------------------------


!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.20
vlan 20
nameif IMIC
security-level 100
ip address 10.20.20.1 255.255.255.0
!

interface GigabitEthernet0/1.30
vlan 30
nameif AS
security-level 100
ip address 10.20.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
vlan 40
nameif SERVER
security-level 100
ip address 10.20.40.1 255.255.255.0
!
interface GigabitEthernet0/1.50
vlan 50
nameif AP
security-level 100
ip address 10.20.50.1 255.255.255.0

ftp mode passive

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


object network IMIC-NAT
subnet 10.20.20.0 255.255.255.0
description IMIC-NAT


object network AS
subnet 10.20.30.0 255.255.255.0


access-list im_access_in extended permit icmp any any
access-list im_access_in extended permit ip 10.20.20.0 255.255.255.0 any
access-list as_access_in extended permit icmp any any
access-list as_access_in extended permit ip 10.20.30.0 255.255.255.0 any

pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu IMIC 1500
mtu AS 1500
mtu SERVER 1500
mtu AP 1500

mtu INTERNET 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any IMIC
icmp permit any AS
no asdm history enable
arp timeout 14400

nat (IMIC,AS) source static IMIC-NAT IMIC-NAT
nat (AS,IMIC) source static AS AS

access-group outside_access_in in interface OUTSIDE
access-group im_access_in in interface IMIC
access-group as_access_in in interface AS
access-group internet_access_in in interface INTERNET


route OUTSIDE 0.0.0.0 0.0.0.0 123.231.35.XX 1
route INTERNET 88.87.45.XX 255.255.255.255 172.16.1.1 1
route INTERNET 88.87.45.XX 255.255.255.255 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.20.20.11 255.255.255.255 IMIC
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.20.20.11 255.255.255.255 IMIC
ssh timeout 60
console timeout 0
dhcpd address 10.20.20.20-10.20.20.254 IMIC
dhcpd dns 203.189.78.162 203.189.78.170 interface IMIC
dhcpd enable IMIC
!
dhcpd address 10.20.30.20-10.20.30.254 AS
dhcpd dns 203.189.78.162 203.189.78.170 interface AS
dhcpd enable AS
!
dhcpd address 10.20.50.20-10.20.50.254 AP
dhcpd dns 203.189.78.162 203.189.78.170 interface AP
dhcpd enable AP
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:eed0361ca8ad726ae58dacf6eb5568d2
: end
[OK]

Do NAT 0.

NAT 0 means "Do Not Translate":

access-list NONATABC extended permit ip 10.20.100.0 255.255.255.0 10.20.200.0 255.255.255.0

access-list NONATXYZ extended permit ip 10.20.200.0 255.255.255.0 10.20.100.0 255.255.255.0

nat (ABC) 0 access-list NONATABC

nat (XYZ) 0 access-list NONATXYZ

Do Rate Helpful Posts

Jawad

Hi Jawad Mukhtar

Thank you for your reply, but I get the following error on the nat command:

nat (ABC) 0 access-list NONATABC

ERROR: This syntax of nat command has been deprecated.

Please refer to "help nat" command for more details.

As your config doesn't have interfaces ABC and XYZ, it was just an example. You can do NoNAT as in the above-mentioned example. Well, you can add your interfaces.

Like

IMIC

AS

Hope you got my point.

Jawad

I took a closer look by using a packet capture and found the ASA is just eating the flow.  For example, a ping from the inside network to outside IP address enters the inside interface and then just dies.  The ASA doesn't even send an unreachable packet back.  The packet trace tool says this:

RESULT - The packet is dropped.

Input Interface: Inside

Output Interface: NP Identity Ifc

I was thinking identity NAT would change this behavior, but don't know if that's supported in 8.3 and above.

Here's a similar thread, and the consensus there seems to be there is no work-around for this behavior

https://learningnetwork.cisco.com/thread/4689

Jawad Mukhtar

I did the NAT as you said using my real interface name, but the 8.3 CLI gives that error. Maybe that kind of NAT command is no longer working.

johnnylingo,

I can ping hosts between inside and outside. It's just that I can't ping the subinterface of the inside interface.

What I got from you is that you want to ping hosts behind subinterfaces.

e.g.

One host behind subinterface 1 can ping another host behind subinterface 2.

Jawad

Jawad Mukhtar,

You are almost correct, but I can ping host(s) crosswise within the subinterfaces.

E.g.

Host A is in subinterface 0.1

Host B is in subinterface 0.2

I cannot ping subinterface 0.2 (its IP address) from host A, but I can ping any host IP address inside the 0.2 network from host A.

The ASA is a security device and will not allow you to ping a distant interface....

Jawad
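The behaviour the thread converges on (the ASA answers ICMP only for the IP of the interface the echo request arrives on, drops echo requests aimed at any other interface IP, yet still forwards host-to-host traffic between same-security subinterfaces) can be modelled against a config excerpt. This is an added example, not code from the thread or from Cisco; the excerpt is constructed in the format of the pasted running-config and the parser assumes plain `ip address A MASK` lines with no standby address.

```python
import ipaddress

# Constructed excerpt in the format of the pasted running-config (not the
# poster's full config); only nameif and ip address lines are parsed.
CONFIG = """
interface GigabitEthernet0/1.20
 nameif ABC
 ip address 10.20.100.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 nameif XYZ
 ip address 10.20.200.1 255.255.255.0
!
same-security-traffic permit inter-interface
"""

def parse_interfaces(config):
    """Map nameif -> IPv4Interface (assumes 'ip address A MASK', no standby)."""
    ifaces, name, addr = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name, addr = None, None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()
            addr = ipaddress.ip_interface(f"{ip}/{mask}")
        if name and addr:
            ifaces[name] = addr
            name, addr = None, None
    return ifaces

def icmp_echo_result(config, src_ip, dst_ip):
    """Classify an echo request from a connected host as the thread describes:
    the ASA answers only for the IP of the interface the packet arrived on."""
    ifaces = parse_interfaces(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress = next((n for n, a in ifaces.items() if src in a.network), None)
    if ingress is None:
        return "no-ingress-interface"
    if dst == ifaces[ingress].ip:
        return "reply"  # pinging your own gateway works
    if any(dst == a.ip for a in ifaces.values()):
        return "drop (to-the-box on distant interface)"  # Output: NP Identity Ifc
    egress = next((n for n, a in ifaces.items() if dst in a.network), None)
    if egress and "same-security-traffic permit inter-interface" in config:
        return f"forward {ingress}->{egress}"  # host-to-host across VLANs works
    return "drop (no connected egress or inter-interface denied)"
```

Running the three cases from the original question (`10.20.100.X` to `10.20.200.1`, to a `10.20.200.x` host, and to its own gateway) reproduces the observed pattern: only the ping to the distant interface IP is dropped.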