02-15-2008 12:24 AM - edited 03-11-2019 05:03 AM
Hello,
We just bought an ASA 5520 firewall. We configured two interfaces in different subnets. Because the 5520 is a router it must be possible to ping interfaces in different subnets. I cannot get it to work in our ASA 5520. Does anybody know how to configure this?
02-16-2008 04:26 PM
Can you provide more details on the interface configuration? Are they trusted inside interfaces? The first thing that comes to mind is that if the interfaces are configured with the same security level and are to be trusted, meaning you do not want ACLs between them, then try adding this statement:
same-security-traffic permit inter-interface
Rgds
Jorge
02-17-2008 04:47 AM
the ASA5520 is *not* a router. And it is *not* possible to ping an ASA interface other than the one which is closest to you.
02-17-2008 10:20 AM
Hi Steven, I disagree with you on " it is *not* possible to ping an ASA interface other than the one which is closest to you".
Perhaps I am misunderstanding it.
For instance, you may have two same-security-level interfaces in two different subnets and be able to ping across each other, including their respective physical interfaces, in the case of implementing same-security-traffic permit inter-interface.
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
02-18-2008 02:26 AM
Thank you very much for your input. I have configured the ASA with two interfaces. I have set the interfaces within the same trusted level (100). And I checked the radiobutton that the firewall can accept traffic through interfaces that have the same security level. The configuration of the interfaces is:
Interface 1:
IP: 192.168.1.1
Mask: 255.255.255.0
Interface 2:
IP: 172.16.1.1
Mask: 255.255.240.0
This is my test environment. I only configured the interfaces, not rules or anything like that. A ping command within the same subnet is possible but from one interface to the other is not possible. I want to create a DMZ with the ASA as frontend firewall and an ISA server as backend firewall. This means that the interfaces must communicate in order to send traffic from the internet to DMZ to LAN and the other way around.
02-18-2008 11:41 AM
Let's put aside pinging interfaces across for a minute. Do you have VLANs for each of these networks configured on your inside switch? Can a host from the 192.168.1.x net freely ping another host on the 172.16.1.x network and vice versa?
02-19-2008 05:17 AM
I haven't configured VLANs. Is that a requirement to ping from one interface to the other? At the moment it is not possible to ping from a host in 192.168.1.x to a host on 172.16.1.x and vice versa. Thanks.
02-19-2008 08:12 PM
You need to separate the networks with respective VLANs. Where do your ASA interfaces currently connect to with respect to your inside interfaces?
e.g.
ASA_firewall:
interface ethernet2-or-gigabit
 nameif VLAN2
 security-level 0
 ip address 192.168.1.1 255.255.255.0
interface ethernet3-or-gigabit
 nameif VLAN3
 security-level 0
 ip address 172.16.1.1 255.255.240.0
same-security-traffic permit inter-interface
global (outside) 1 interface
nat (VLAN2) 1 192.168.1.0 255.255.255.0
! the NAT network must match the interface subnet: 172.16.1.1 255.255.240.0 lies in 172.16.0.0/20
nat (VLAN3) 1 172.16.0.0 255.255.240.0
e.g. a similar config on the switch:
Switch:
vlan database
 vtp transparent
 vtp domain test_lab
 vtp password cisco
 vlan 2 name net_192.168.1.0/24
 vlan 3 name net_172.16.0.0/20
interface fastethernet0/1
 description ASA_Ethernet2_Connection
 switchport access vlan 2
interface fastethernet0/2
 description ASA_Ethernet3_Connection
 switchport access vlan 3
interface fastethernet0/4
 description HOST_192.168.1.100
 switchport access vlan 2
interface fastethernet0/5
 description HOST_172.16.1.10
 switchport access vlan 3
With this simple config you should be able to ping/reach hosts without ACLs. If you cannot, please look at the ASA logs to see what the problem could be and post the results.
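As an added check (not from the thread and not Cisco's tooling), a small Python lint over ASA config text in the shape posted above: it confirms that each nat statement covers the same network as the ip address/mask of its interface, which is the kind of /28-versus-/20 slip that is easy to make here, and that same-security-traffic permit inter-interface is present when interfaces share a security level. The sample config and its interface names are constructed.

```python
import ipaddress

# Constructed sample modelled on the thread's ASA snippet (interface names are placeholders).
ASA_CONFIG = """interface GigabitEthernet0/1
 nameif VLAN2
 security-level 0
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif VLAN3
 security-level 0
 ip address 172.16.1.1 255.255.240.0
same-security-traffic permit inter-interface
global (outside) 1 interface
nat (VLAN2) 1 192.168.1.0 255.255.255.0
nat (VLAN3) 1 172.16.1.0 255.255.255.240"""

def parse_interfaces(config):
    """Map each nameif to (security-level, IPv4Interface) taken from its interface block."""
    ifaces, name, level, addr = {}, None, None, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            if name:
                ifaces[name] = (level, addr)
            name = level = addr = None
        elif words[:1] == ["nameif"]:
            name = words[1]
        elif words[:1] == ["security-level"]:
            level = int(words[1])
        elif words[:2] == ["ip", "address"]:
            addr = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}")
    if name:
        ifaces[name] = (level, addr)
    return ifaces

def lint(config):
    """Flag NAT networks that differ from their interface subnet and a missing same-security-traffic line."""
    ifaces, findings = parse_interfaces(config), []
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["nat"] and len(words) == 5 and words[1].strip("()") in ifaces:
            nat_net = ipaddress.IPv4Network(f"{words[3]}/{words[4]}", strict=False)
            if_net = ifaces[words[1].strip("()")][1].network
            if nat_net != if_net:
                findings.append(f"nat {words[1]} covers {nat_net} but interface subnet is {if_net}")
    levels = [lvl for lvl, _ in ifaces.values()]
    if len(levels) != len(set(levels)) and "same-security-traffic permit inter-interface" not in config:
        findings.append("interfaces share a security level but same-security-traffic permit inter-interface is missing")
    return findings
```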
02-20-2008 05:43 AM
Thank you very much. I will try this configuration. I will let you know if this configuration has worked for me.
02-21-2008 09:18 AM
Hi, has your test been successful? Let me know what the update is.
Rgds
Jorge
02-22-2008 07:03 AM
Hi,
My colleague and I are going to start Monday with the initial installation. I will let you know sometime next week if the configuration has worked. Thank you very much!
Regards
Martijn
02-22-2008 03:45 PM
Martijn, no problem, we are here to help you with this issue. I'll keep my eyes open.
Rgds
Jorge