ASA 5520 configuration

JORGE RODRIGUEZ Sat, 02/16/2008 - 16:26

Can you provide more details on the interface configuration? Are they trusted inside interfaces? The first thing that comes to mind is that if the interfaces are configured with the same security level and are to be trusted, meaning you do not want ACLs between them, then try adding this statement.

same-security-traffic permit inter-interface



srue Sun, 02/17/2008 - 04:47

The ASA5520 is *not* a router. And it is *not* possible to ping an ASA interface other than the one which is closest to you.

JORGE RODRIGUEZ Sun, 02/17/2008 - 10:20

Hi Steven, I disagree with you on "it is *not* possible to ping an ASA interface other than the one which is closest to you".

Perhaps I am misunderstanding it.

For instance, you may have two same security level interfaces under two different subnets and be able to ping across each other, including their respective physical interfaces, in the case of implementing same-security-traffic permit inter-interface.

Thank you very much for your input. I have configured the ASA with two interfaces. I have set the interfaces to the same trusted level (100). And I checked the radio button so that the firewall can accept traffic through interfaces that have the same security level. The configuration of the interfaces is:

Interface 1:



Interface 2:



This is my test environment. I only configured the interfaces, no rules or anything like that. A ping command within the same subnet is possible, but from one interface to the other it is not possible. I want to create a DMZ with the ASA as the frontend firewall and an ISA server as the backend firewall. This means that the interfaces must communicate in order to send traffic from the internet to the DMZ to the LAN and the other way around.

JORGE RODRIGUEZ Mon, 02/18/2008 - 11:41

Let's put aside pinging interfaces across for a minute. Do you have VLANs for each of these networks configured on your inside switch? Can a host on the 192.168.1.x net freely ping another host on the 172.16.1.x network and vice versa?

JORGE RODRIGUEZ Tue, 02/19/2008 - 20:12

You need to separate the networks with their respective VLANs. Where do your ASA interfaces currently connect to, in respect to your inside interfaces?



interface ethernet2-or-gigabit
 nameif VLAN2
 security-level 0
 ip address
interface ethernet3-or-gigabit
 nameif VLAN3
 security-level 0
 ip address
same-security-traffic permit inter-interface
global (outside) 1 interface
nat (VLAN2) 1
nat (VLAN3) 1 172.16.1.

e.g. on the switch, a similar config:


vlan database
 vtp transparent
 vtp domain test_lab
 vtp password cisco
 vlan 2 name net_192.168.1.0/24
 vlan 3 name net_172.16.1.0/28
interface fastethernet0/1
 description ASA_Ethernet2_Connection
 switchport access vlan 2
interface fastethernet0/2
 description ASA_Ethernet3_Connection
 switchport access vlan 3
interface fastethernet0/4
 description HOST_192.168.1.100
 switchport access vlan 2
interface fastethernet0/5
 description HOST_172.16.1.10
 switchport access vlan 3

With this simple config you should be able to ping/reach the hosts without ACLs. If you cannot, please look at the ASA logs to see what the problem could be, and post the results.
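The recurring point in this thread is that an ASA silently drops traffic between two interfaces that share a security level unless "same-security-traffic permit inter-interface" is present. The following is an added example, not part of the thread and not Cisco code: a small checker that parses ASA running-config text, finds every pair of interfaces at the same security level, and reports the pairs that cannot exchange traffic because that statement is absent. The sample configuration is constructed for the example; the checker only covers the inter-interface statement (interface ACLs, NAT and the intra-interface variant are out of scope).

```python
"""Flag same-security ASA interface pairs that lack the inter-interface permit.

Added example for the discussion above; the SAMPLE_CONFIG below is constructed
and does not come from the thread.
"""
from collections import defaultdict

PERMIT_STATEMENT = "same-security-traffic permit inter-interface"

# Constructed sample: two trusted interfaces at security-level 100 and one
# outside interface, with no same-security-traffic statement.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 100
 ip address 172.16.1.1 255.255.255.240
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
"""


def parse_interfaces(config_text):
    """Return {nameif: security_level} for each interface that has both."""
    interfaces = {}
    name, level = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            # A new interface block starts: record the previous one, if complete.
            if name is not None and level is not None:
                interfaces[name] = level
            name, level = None, None
        elif line.startswith("nameif "):
            name = line.split(None, 1)[1].strip()
        elif line.startswith("security-level "):
            level = int(line.split()[1])
    if name is not None and level is not None:
        interfaces[name] = level
    return interfaces


def same_security_pairs(interfaces):
    """Return sorted (level, name_a, name_b) tuples for interfaces sharing a level."""
    by_level = defaultdict(list)
    for name, level in interfaces.items():
        by_level[level].append(name)
    pairs = []
    for level in sorted(by_level):
        names = sorted(by_level[level])
        for i, first in enumerate(names):
            for second in names[i + 1:]:
                pairs.append((level, first, second))
    return pairs


def inter_interface_permitted(config_text):
    """True if the global same-security inter-interface permit is configured."""
    return any(line.strip() == PERMIT_STATEMENT for line in config_text.splitlines())


def check_config(config_text):
    """Return the same-security pairs that the ASA will not forward between.

    An empty list means either no two interfaces share a level or the permit
    statement is present, so the symptom described in the thread cannot occur.
    """
    if inter_interface_permitted(config_text):
        return []
    return same_security_pairs(parse_interfaces(config_text))


if __name__ == "__main__":
    for level, a, b in check_config(SAMPLE_CONFIG):
        print(f"security-level {level}: '{a}' <-> '{b}' blocked; add '{PERMIT_STATEMENT}'")
```

Feed it the output of "show running-config"; interface blocks missing either nameif or security-level are ignored rather than guessed, since the ASA's default level depends on the interface name.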

JORGE RODRIGUEZ Fri, 02/22/2008 - 15:45

Martijn, no problem, we are here to help you with this issue. I'll keep my eyes open.
