Allow traffic to pass between 2 same security level interfaces

sbohannan
Level 1

I have configured my ASA 5510 with 2 same-security-level interfaces. I have "same-security-traffic permit inter-interface" enabled on the ASA, but no traffic from either interface is passing to the other interface. I know this is an access list problem, but I cannot find any commands to allow all traffic to pass freely between the 2 interfaces.

Any help is greatly needed.

Thank you

Shane


11 Replies

acomiskey
Level 10

Access lists are not required when using inter-interface.

Are you getting a "no translation group" error message?

Yes, I am getting a "no translation group" error.

The exact error is:

No translation group found for icmp and for TCP.

I have worked with one of the TAC engineers, and the command that he gave me to correct this error grinds the network to a standstill (static (interface1,interface2) 172.16.0.0 172.16.0.0 netmask 255.255.0.0). If I enter this command, all traffic slowly stops on interface 1.

Shane

That should be correct if...

interface1 is 172.16.x.x.

Could you post a config?

I have attached a copy of my config. I do not understand why it stops network traffic when I put that command in. I have watched the network stop. I did try the command Friday afternoon; the network seemed to recover after about 10 min, but the funny part of it all was I could not connect to some of the 172.16.0.0/16 servers and my partner could, but he could not connect to the internet and I could.

Maybe I have something amiss in the config that I have not seen.

Shane

You've already got

access-list inside_Nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.199.1.0 255.255.255.0

but what you are missing is...

nat (inside) 0 access-list inside_Nat0_outbound

That should work the same as that static command mentioned before.

The only other thing I see which may be an issue is whether or not the MCI interface will be able to route back to 172.16.0.0 via 192.199.1.254. You may have to do something other than NAT exemption if that is the case. Something like...

no global (MCI) 100 interface

global (MCI) 101 interface

OK, I have entered the command that you just told me, and so far I have not had any problems.

Looking at the access-list that you told me about, the next line has the same command but the interfaces are reversed. Do I need to have this command entered as well?

"nat (mci) 0 access-list mci_nat0_outbound"

Shane

I believe when you use "nat 0" with an access-list it is bidirectional. So adding the second command would technically be a duplication.

From a computer on the 172.16.0.0/16 subnet I get the same error as I was getting before I put in the command that started traffic from the 192.199.1.0/24 subnet.

Shane

Let me see if I've got this right...

192.199.1.0 to 172.16.0.0 is working?

172.16.0.0 to 192.199.1.0 is not working?

I did enter "nat (mci) 0 access-list mci_nat0_outbound" because they are running on different interfaces. It seems that all traffic is running as it should now.

Thank you so very much for your help.

Shane

Good deal. I guess the nat 0 is bidirectional only when using an access-list AND security levels are different. Thanks for teaching me something. Thanks for the rating.
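For reference, the configuration the thread converges on, written out as one complete fragment. This is an added example, not the original poster's attached config or anything from Cisco: the interface names (inside, MCI), the access-list names and the two subnets are taken from the posts above; the physical interfaces, the security level of 50, the 192.199.1.254 address on the MCI side and the optional access-group at the end are assumptions. The syntax is the pre-8.3 ASA NAT syntax used throughout the thread.

```cisco
! Added example (pre-8.3 ASA syntax). Interface numbers, the security level,
! the inside/MCI addresses and the trailing access-group are assumed, not from
! the original thread.
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 172.16.0.1 255.255.0.0
!
interface Ethernet0/2
 nameif MCI
 security-level 50
 ip address 192.199.1.254 255.255.255.0
!
! Two interfaces at the same security level drop traffic to each other by
! default; this lifts that block. It does not remove the NAT requirement,
! which is where "No translation group found" comes from.
same-security-traffic permit inter-interface
!
! NAT exemption (identity, no translation) for the two subnets. The thread
! found that "nat 0 access-list" is evaluated per source interface here, so
! each interface needs its own rule: one for inside -> MCI (the accepted
! answer) and one for MCI -> inside (the follow-up).
access-list inside_Nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.199.1.0 255.255.255.0
access-list mci_nat0_outbound extended permit ip 192.199.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list inside_Nat0_outbound
nat (MCI) 0 access-list mci_nat0_outbound
!
! Optional (assumed): acomiskey is right that no ACL is required once
! inter-interface traffic is permitted, but an interface ACL, if you apply
! one, still filters everything entering that interface. Use one if you want
! least privilege between the two networks rather than "permit all".
access-list inside_in extended permit ip 172.16.0.0 255.255.0.0 192.199.1.0 255.255.255.0
access-group inside_in in interface inside
```

Two checks worth running after applying this: `packet-tracer input inside icmp 172.16.1.10 8 0 192.199.1.10` (and the reverse from MCI) shows in which phase a packet would be dropped, so a missing exemption shows up as a failed NAT phase rather than as a user-visible outage; and `show xlate` should list no entries for these flows, since exempted traffic is not translated. Note that ASA 8.3 and later removed `nat 0 access-list` and `nat-control`; on those releases the equivalent is an identity twice-NAT rule (`nat (inside,MCI) source static ... ...`), and this fragment will not load as written.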
