Showing results for 
Search instead for 
Did you mean: 

One LAN per interface - not communicating w/each other


I have a Cisco ASA 5510 and we're only using two of the ports on it -- one for LAN and one for WAN. If I assign a third port, how to I get computers I plug into that port to communicate with the other LAN port ( Just set them at the same security level? In ASDM, there is a checkbox at the bottom of the main "Interfaces" page that says "Enable traffic between two or more interfaces which are configured with same secu..." but it doesn't finish the sentence. I'm assuming it finishes with "security levels" but when I check that I can't ping an IP on one interface from the other one I just set up. (i.e. can't ping from a computer on the 192.168.200.x interface). Am I missing something? Seems like a very self explanatory checkbox to me. Thanks!

ASA Version 8.2(2)

ASDM Version 6.2(1)

Firewall mode: Routed

License: Security Plus

Physical Interfaces: Unlimited

VLANS: 100

Speaking of VLANS. I don't see anywhere in ASDM that mentions VLANS. Because the version of ASDM I have, are those options just not available in it and they need to be configured by CLI only? I have seen other ASA's where I can assign VLANS to interfaces but don't have those options on mine.

1 Accepted Solution

Accepted Solutions

cadet alain


change your default gateway back to same subnet IP of the ASA and use static nat identity like I posted above

like this

static (inside,inside-wlan) netmask

test and if ping is still failing don't forget to disable windows firewall on the client

and if it still doesn't work try this

packet-tracer input inside icmp 8 0 detailed and post here



Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

16 Replies 16

cadet alain


post your running config.

yes if you want 2 interfaces with same security level to communicate you must check this box.

I rarely use ASDM to configure ASAs but in the CLI you can put interfaces in vlans without any problem and you should be able to do the same with ASDM.

You should be aware that windows hosts have a software firewall that may be blocking the ping, so you should first check this.



Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Thanks Cadet.

The computers on the new LAN (eth0/2) are successfully getting an IP address from a Windows 2008 DHCP server on the original LAN (eth0/1) via DHCP relay.

Main network: 192.168.100.x/24 -- eth0/1

New network:  192.168.200.x/24 -- eth0/2

IP settings of a DHCP computer on the new network:

IP: (random IP)



DNS 1:

DNS 2:

*Originally I was assigning (the IP assigned to eth0/2) as the gateway for this network but then I thought, because these computers couldn't get internet, that they needed to be configured with the gateway of the "main" network on eth0/1. I don't understand how I can get an IP successfully, but cannot ping the very DHCP server that gave me the IP. ICMP is enabled.

Also, I ran sh run on the ASA and there is a ton of sensetive info (obviously). Is it not possible to explain what I need to do without me posting the entire running config?? Is there a term I can look up that will explain exactly what I want to do?


-do these 2 interfaces possess same security-level ?

-is same-security-traffic permit inter-interface configured ?

-Are there any inbound ACL applied on these 2 interfaces ?

Can you try to configure static identity nat for communicating between these subnets like this:

static (inside,dmz) netmask

Also you must have  the default gateway on the same subnet so for
it must be 192.168.200.x

You can post your config and modify sensitive infos



Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Thanks for the quick response Cadet. Here is the config:

Result of the command: "sh run"

: Saved


ASA Version 8.2(2)


hostname c-pix-yay


enable password encrypted

passwd encrypted


name DHCP-Relay-Server description DHCP Relay Server for 200 subnet


interface Ethernet0/0

description from Fiber

speed 100

duplex full

nameif Fiber

security-level 0

ip address Fiber_IP


interface Ethernet0/1

description inside lan

speed 100

duplex full

nameif inside

security-level 100

ip address


interface Ethernet0/2

description inside wlan network

nameif inside-wlan

security-level 100

ip address


interface Ethernet0/3

description From comcrap

speed 100


nameif comcrap

security-level 1

ip address


interface Management0/0


nameif management

security-level 100

ip address



boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup Fiber

dns domain-lookup inside

dns domain-lookup inside-wlan

dns domain-lookup comcrap

dns server-group DefaultDNS

name-server DHCP-Relay-Server



same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service RDP tcp-udp

port-object eq

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service Asterisk-http-tcp

port-object eq

access-list inside_nat0_outbound extended permit ip VPN_Connection_Profile_0

access-list inside_nat0_outbound extended permit ip AWS-VPC

access-list inside_nat0_outbound extended permit ip

access-list remotevpn_splitTunnelAcl standard permit

access-list remotevpn_splitTunnelAcl standard permit VPN_Connection_Profile_0

access-list outside_1_cryptomap extended permit ip VPN_Connection_Profile_0

access-list outside_1_cryptomap extended permit ip VPN_Connection_Profile_0

pager lines 10

logging enable

logging timestamp

logging trap warnings

logging asdm informational

logging from-address

logging recipient-address level critical

logging host inside

logging ftp-bufferwrap

mtu Fiber 1500

mtu inside 1500

mtu inside-wlan 1500

mtu comcrap 1500

mtu management 1500

ip local pool SSLVPN mask

ip verify reverse-path interface Fiber

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (Fiber) 1 interface

global (comcrap) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

access-group outside_access_in in interface Fiber

route Fiber 1

route comcrap 10

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server AD protocol radius

aaa-server AD (inside) host server1

timeout 15



aaa-server AD (inside) host server2



aaa-server AD (inside) host server3



aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http management

http management

http inside

snmp-server host inside community

snmp-server host inside community udp-port 161

no snmp-server location

no snmp-server contact

snmp-server community

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface Fiber

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=c-pix-yay

crl configure

crypto ca certificate chain ASDM_TrustPoint0



crypto isakmp enable Fiber

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh inside

ssh comcr