Route between interfaces with same security level

BPGaven00
Level 1

I have an ASA 5515-X.  My ISP provides me a /30 for the link and a /27 for my public IP space.  How do I set up routing between the two?  I have set the security level on both to 0.  One interface called outside for the /30 link and one called DMZ for the /27 subnet.  Plan is to have one physical server on the DMZ and the rest mapped to LAN addresses via NAT.  My problem is that the ASA does not appear to be routing between the outside and DMZ.

I'm planning on having the ACLs between the DMZ and the LAN - same as the NAT rules.  Right now I'm only testing with the physical server.  Here's a basic breakdown of the configuration I have set up now:

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/4
nameif DMZ
security-level 50
ip address 2.2.2.1 255.255.255.224
!
interface GigabitEthernet0/5
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

To be clear, I just want a regular route between outside and DMZ - no NAT.

3 Replies

johnlloyd_13
Level 9

hi,

you could configure the DMZ to have a security-level of 100 and add same-security-traffic permit inter-interface in global config.

same-security-traffic permit inter-interface

interface GigabitEthernet0/4
nameif DMZ
security-level 100
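The reply above turns on the interface-pair condition the ASA applies: two interfaces with the same security-level only pass traffic between each other when same-security-traffic permit inter-interface is set globally. The following is an added example, not code from the thread or from Cisco. It is a small Python lint that parses the plain-text ASA interface format shown in the question (interface / nameif / security-level / ip address blocks, separated by "!") together with the global same-security-traffic and arp permit-nonconnected lines, and reports every interface pair that shares a level and whether the global permit for that pair is present. The embedded configuration is constructed from the original poster's lines, with the two global commands they said were already in the config.

```python
"""Lint an ASA configuration for same-security-level interface pairs.

Added example (not from the thread). Parses the plain-text ASA format
used in the question and reports which interface pairs share a
security-level and whether 'same-security-traffic permit inter-interface'
is present to allow traffic between them.
"""
from itertools import combinations

# Constructed sample: the original poster's configuration, plus the two
# global commands they later confirmed were present.
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/4
 nameif DMZ
 security-level 0
 ip address 2.2.2.1 255.255.255.224
!
interface GigabitEthernet0/5
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
"""


def parse_interfaces(config):
    """Return {nameif: {"interface", "security_level", "ip", "mask"}}.

    Only named interfaces (those with a nameif) are returned, since only
    those take part in the security-level check.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"interface": line.split(None, 1)[1]}
        elif current is None:
            continue                      # global line outside an interface block
        elif line == "!":
            if "nameif" in current:
                interfaces[current["nameif"]] = current
            current = None
        elif line.startswith("nameif "):
            current["nameif"] = line.split(None, 1)[1]
        elif line.startswith("security-level "):
            current["security_level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            parts = line.split()
            current["ip"], current["mask"] = parts[2], parts[3]
    if current is not None and "nameif" in current:   # block not closed by "!"
        interfaces[current["nameif"]] = current
    return interfaces


def global_flags(config):
    """Collect the global commands relevant to this thread."""
    flags = set()
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("same-security-traffic permit "):
            flags.add(line.split()[-1])   # "inter-interface" or "intra-interface"
        elif line == "arp permit-nonconnected":
            flags.add("arp-permit-nonconnected")
    return flags


def same_security_pairs(config):
    """List interface pairs with identical security-level and whether the
    global inter-interface permit needed for traffic between them exists."""
    ifs = parse_interfaces(config)
    inter_permitted = "inter-interface" in global_flags(config)
    findings = []
    for a, b in combinations(sorted(ifs), 2):
        if ifs[a]["security_level"] == ifs[b]["security_level"]:
            findings.append({"pair": (a, b),
                             "level": ifs[a]["security_level"],
                             "permitted": inter_permitted})
    return findings


if __name__ == "__main__":
    for f in same_security_pairs(SAMPLE_CONFIG):
        state = "allowed" if f["permitted"] else "BLOCKED (no inter-interface permit)"
        print(f"{f['pair'][0]} <-> {f['pair'][1]} (level {f['level']}): {state}")
```

Run against the sample it reports DMZ <-> outside at level 0 as allowed, which matches the poster's statement that both permit commands are present; if the lint reports a shared level without the permit, that is the first thing to add before looking at routes or ACLs.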

I've tried security-level 0 on both outside and DMZ but that doesn't appear to work.  I already have both of these in the config:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

If you want to split the addresses between hosts on the DMZ and on the internal network (with NAT) there is nothing that has to be done with routing (or the security-level). Some things to look at:

If the provider has configured the /27 as secondary addresses on his router, then you need the command "arp permit-nonconnected". If the ISP routes the addresses to your ASA-IP, then this command is not needed.

You can only use the public addresses directly in the DMZ if the ISP routes the /27 to your ASA. But you have to configure the DMZ with only a part of the addresses (2.2.2.1/30 for the ASA, 2.2.2.2/30 for the host). All the other addresses can then be used for NAT. Or you configure the DMZ with private addresses and use the whole /27 only for NAT.
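The reply above describes the split for the case where the ISP routes the /27 to the ASA: only a small part of the block (2.2.2.1/30 for the ASA, 2.2.2.2/30 for the host) goes on the DMZ interface, and the remaining addresses are kept for NAT. The following is an added example, not part of the thread or of any Cisco tool. It uses Python's ipaddress module to carve the block as described, refuses a DMZ subnet that is not inside the ISP block, and renders object-NAT lines (ASA 8.3+ syntax) for a list of LAN hosts. The block and DMZ subnet are the thread's own values; the LAN hosts 10.0.0.10 and 10.0.0.11 are constructed.

```python
"""Split a routed public block between a DMZ subnet and static-NAT addresses.

Added example (not from the thread). Assumes the ISP routes the whole
block to the ASA, which is the case where the DMZ can use public
addresses directly, as the reply above explains.
"""
import ipaddress


def plan_public_block(isp_block, dmz_subnet, lan_hosts):
    """Return (asa_ip, dmz_host_ips, nat_map, spare).

    isp_block  - block the ISP routes to the ASA, e.g. "2.2.2.0/27"
    dmz_subnet - the part assigned to the DMZ interface, e.g. "2.2.2.0/30"
    lan_hosts  - private addresses that need a 1:1 public mapping, in order
    """
    block = ipaddress.ip_network(isp_block)
    dmz = ipaddress.ip_network(dmz_subnet)
    if not dmz.subnet_of(block):
        raise ValueError(f"{dmz} is not inside {block}")
    dmz_hosts = list(dmz.hosts())
    asa_ip, dmz_host_ips = dmz_hosts[0], dmz_hosts[1:]
    # Every usable address of the block that is outside the DMZ subnet is
    # free for NAT; hosts() already drops the block's network/broadcast.
    free = [a for a in block.hosts() if a not in dmz]
    if len(lan_hosts) > len(free):
        raise ValueError("more LAN hosts than spare public addresses")
    nat_map = {ipaddress.ip_address(h): pub for h, pub in zip(lan_hosts, free)}
    spare = free[len(lan_hosts):]
    return asa_ip, dmz_host_ips, nat_map, spare


def asa_nat_lines(nat_map, inside="inside", outside="outside"):
    """Render one object-NAT stanza per LAN host (ASA 8.3+ object NAT)."""
    lines = []
    for i, (private, public) in enumerate(nat_map.items(), start=1):
        lines += [f"object network SRV{i}",            # SRV<n> is a constructed name
                  f" host {private}",
                  f" nat ({inside},{outside}) static {public}"]
    return lines


if __name__ == "__main__":
    asa_ip, dmz_hosts, nat_map, spare = plan_public_block(
        "2.2.2.0/27", "2.2.2.0/30", ["10.0.0.10", "10.0.0.11"])
    print(f"DMZ interface: {asa_ip}/30   DMZ host(s): {[str(h) for h in dmz_hosts]}")
    print("\n".join(asa_nat_lines(nat_map)))
    print(f"{len(spare)} public addresses left for further NAT")
```

With the thread's values the DMZ interface gets 2.2.2.1, the physical server 2.2.2.2, the two LAN hosts map to 2.2.2.4 and 2.2.2.5, and 25 addresses remain. Keeping the DMZ interface mask at /30 rather than /27 is what stops the ASA from treating the NAT addresses as directly connected on the DMZ.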
