09-21-2011 01:34 PM - edited 03-07-2019 02:21 AM
I have the following problem: I'm programming an ASA 5510 on which I have assigned VLANs to a physical interface. This device is connected to a switch, and from there to a couple more switches.
When I ping from an end device to the ASA's logical interface in its respective VLAN, there is connectivity. However, when I ping end devices that are in a different VLAN, there is no connection.
What can I do? What can I check?
The configuration of the ASA is included below:
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.100
description CONEXION VLAN1
vlan 100
nameif inside1
security-level 100
ip address 192.168.0.193 255.255.255.224
!
interface Ethernet0/1.200
description CONEXION VLAN2
vlan 200
nameif inside2
security-level 80
ip address 192.168.0.62 255.255.255.192
!
interface Ethernet0/1.300
description CONEXION VLAN3
vlan 300
nameif inside3
security-level 90
ip address 192.168.0.94 255.255.255.224
!
interface Ethernet0/1.400
description CONEXION VLAN4
vlan 400
nameif inside4
security-level 100
ip address 192.168.0.158 255.255.255.224
!
interface Ethernet0/1.500
description CONEXION VLAN5
vlan 500
nameif inside5
security-level 100
ip address 192.168.0.190 255.255.255.224
!
same-security-traffic permit inter-interface
Thanks for your help.
09-22-2011 01:54 AM
Hi,
Have you enabled icmp inspection in global policy or configured ACLs for traffic from higher to lower and applied inbound on higher?
Regards.
Alain..
09-22-2011 10:42 AM
I set the security level on all subinterfaces to 100.
What may be happening? I did everything you recommended.
Thanks
09-22-2011 11:08 AM
You may need to enter the following command, since you have several interfaces with the same security level.
By default, interfaces with the same security level cannot communicate between each other.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
The last command I mentioned allows traffic to enter and exit the same interface, which by default is not allowed. This is useful if you're doing a Hub-and-Spoke topology, where each of the spokes (other same security level interfaces) need to communicate with each other.
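The behaviour discussed in this thread, as an added example that is not from any poster or from Cisco: a simplified Python model of the ASA's implicit security-level rules, showing which inter-VLAN pings complete with and without ICMP inspection. It assumes no ACLs or NAT rules are applied; the function names are hypothetical and the sample configuration is constructed in the style of the one posted above.

```python
import re
from itertools import permutations

# Constructed sample in the style of the configuration posted in this thread.
SAMPLE = """\
interface Ethernet0/1.100
 nameif inside1
 security-level 100
interface Ethernet0/1.200
 nameif inside2
 security-level 80
interface Ethernet0/1.400
 nameif inside4
 security-level 100
same-security-traffic permit inter-interface
"""

def parse(config):
    """Return ({nameif: security_level}, inter_interface_permitted)."""
    levels, name = {}, None
    lines = [l.strip() for l in config.splitlines()]
    for line in lines:
        if line.startswith("interface "):
            name = None                      # a new interface block starts
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
    return levels, "same-security-traffic permit inter-interface" in lines

def flow_allowed(levels, inter, src, dst):
    """Implicit rule only (assumption: no ACLs applied on any interface)."""
    if levels[src] == levels[dst]:
        return inter                         # equal levels need the command
    return levels[src] > levels[dst]         # higher to lower is implicit

def ping_report(config, icmp_inspection=False):
    """Map (src, dst) -> True if both echo and echo-reply would pass."""
    levels, inter = parse(config)
    report = {}
    for src, dst in permutations(levels, 2):
        request = flow_allowed(levels, inter, src, dst)
        # Without ICMP inspection the reply is judged as a new dst->src flow.
        reply = icmp_inspection or flow_allowed(levels, inter, dst, src)
        report[(src, dst)] = request and reply
    return report

if __name__ == "__main__":
    print(ping_report(SAMPLE))
```

In this model a ping between interfaces at different levels fails on the return path unless ICMP inspection is enabled or an ACL permits the reply, while equal-level interfaces depend only on the same-security-traffic command.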
09-22-2011 12:24 PM
Thanks, my problem was solved with these instructions.
09-22-2011 12:25 PM
Hi,
Do a packet tracer for ICMP coming from one interface to another and post the output.
Regards.
Alain.