06-05-2008 10:24 AM - edited 03-11-2019 05:55 AM
Guys, need help to allow traffic between two interfaces that have the same security level. I have already enabled the "same-security-traffic permit inter-interface" command but still I can't ping my switch or server on the other VLAN...
What else do I need to do to accomplish this task? ACLs are on defaults as of now...
06-06-2008 06:12 AM
access-list nat0_acl permit 172.19.21.0 255.255.255.0 172.19.20.0 255.255.255.0
nat (insidevoice) 0 access-list nat0_acl
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
06-05-2008 11:12 AM
Which version are you running, and is nat-control off or on?
show run nat-control
Regards
Farrukh
06-05-2008 11:18 AM
nat-control is not enabled and I am running 7.0 (7)
what could be missing?
06-05-2008 11:25 AM
Do you have any nat statements (dynamic or static) between those two interfaces?
06-05-2008 11:28 AM
Just run the packet-tracer command, it should tell you what's going wrong. If possible post the output here.
assuming you are going from inside1 to inside2
inside1 = 136.1.1.0 /25
inside2 = 136.1.2.0 /25
packet-tracer input inside1 tcp 136.1.1.3 11005 136.1.2.100 80 detailed
Regards
Farrukh
06-05-2008 11:39 AM
part of my config below:
interface Ethernet0/0
nameif outside
security-level 0
ip address 123.123.123.2 255.255.255.24
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.19.20.40 255.255.255.0
!
interface Ethernet0/2
nameif insidevoice
security-level 100
ip address 172.19.21.40 255.255.255.0
same-security-traffic permit inter-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_V1 extended permit icmp any 172.19.21.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (insidevoice) 1 0.0.0.0 0.0.0.0
access-group outside_access_in_V1 in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
Also, I'm confused because I can't seem to connect to the internet if I am on the insidevoice network.
Please help.
06-05-2008 11:48 AM
Can you also post the 'nonat' access-list?
Regards
Farrukh
06-05-2008 11:53 AM
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.25.0.0 255.255.0.0
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 192.0.0.0 255.255.255.0
access-list tozzz extended permit ip 172.19.20.0 255.255.255.0 172.25.0.0 255.255.0.0
access-list toxxx extended permit ip 172.19.20.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list toccc extended permit ip 172.19.20.0 255.255.255.0 192.0.0.0 255.255.255.0
access-list qw extended permit ip 172.19.20.0 255.255.255.0 172.19.200.0 255.255.255.0
access-list qw extended permit ip 172.19.200.0 255.255.255.0 172.19.20.0 255.255.255.0
access-list outside_access_in_V1 extended permit icmp any 172.19.21.0 255.255.255.0
06-05-2008 12:18 PM
Ok first of all, for 'inside' to communicate with 'insidevoice', you need to add the following line in your nonat ACL
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.19.21.0 255.255.0.0
Or if you want to NAT/PAT this traffic, something like
global (insidevoice) 1 interface
Once you enable any sort of dynamic NAT / PAT, 'no nat-control' rule no longer applies for that zone, now all traffic between this zone and any other zone either requires NAT rules or NAT exemption.
As to why insidevoice cannot access Internet, please run the packet-tracer command I gave you before, it seems OK to me....
Regards
Farrukh
06-05-2008 12:29 PM
tried to add the suggested:
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.19.21.0 255.255.255.0
but still I can't communicate with the other VLAN.
Appreciate all your help... any other suggestions?
06-05-2008 12:30 PM
yes. packet-tracer with the 'detailed' keyword:)
Also make sure you do a 'clear local-host' and 'clear xlate' after making any NAT changes.
Regards
Farrukh
06-06-2008 01:08 AM
Does anybody else have a suggestion?
06-06-2008 01:41 AM
I just ran some debugs and this was one of the things that caught my eye:
No translation group found for icmp src inside:172.19.20.19 dst insidevoice:172.19.21.21 (type 8, code 0)
What do I need to add on NAT to make sure 172.19.20.x can communicate with 172.19.21.x, considering both have the same security level and "same-security-traffic permit inter-interface" is already enabled, yet I can't communicate...
please advise..
06-06-2008 02:53 AM
As I mentioned before, you can use:
Ok first of all, for 'inside' to communicate with 'insidevoice', you need to add the following line in your nonat ACL
(NAT Exemption):
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.19.21.0 255.255.255.0 (I gave wrong mask earlier)
Or if you want to NAT/PAT this traffic, something like
(Dynamic NAT):
global (insidevoice) 1 interface
You can also use:
(Identity Static)
static (inside,insidevoice) 172.19.20.0 172.19.20.0 netmask 255.255.255.0
Try any of the three; if one does not work for some reason (which would be strange), try another.
BTW, why don't you post packet-tracer output? You have something personal against the command? This is *THIRD TIME* I'm requesting you to do it......
packet-tracer input inside icmp 172.19.20.19 8 0 172.19.21.21 detailed
See even Cisco is using it, it won't hurt :)
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
Regards
Farrukh
06-06-2008 04:50 AM
Once you enable dynamic NAT on one of those interfaces, it's as if the same-security-traffic command wasn't even entered, because of the NAT. In your case, the ASA is behaving as expected.
By default, you do not need to do NAT between same-security-level interfaces, even if nat-control is enabled.
However, you do need to configure NAT rules if you define dynamic NAT for either of the same-security-level interfaces.
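The rule stated in the replies above (same-security interfaces need no translation unless dynamic NAT is defined on either of them, after which every flow between them must match a NAT exemption, an identity static, or a nat/global pair) can be checked against the poster's configuration with a small model. The following is an added example written for this thread, not Cisco code and not part of any post: a simplified, hypothetical model of the ASA 7.x NAT decision, with `AsaNatModel`, `thread_config` and the decision ordering (exemption, then static, then dynamic) being this example's own assumptions. It reproduces the "No translation group found" outcome for the original config and shows why the accepted nat 0 access-list fix, the `global (insidevoice) 1 interface` alternative, and the identity static all clear it.

```python
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network


@dataclass
class AsaNatModel:
    """Simplified model of ASA 7.x NAT requirements (constructed for this example, not Cisco code)."""
    security_levels: dict                      # interface name -> security level
    same_security_inter: bool = False          # same-security-traffic permit inter-interface
    nat_control: bool = False                  # nat-control enabled?
    dynamic_nat: dict = field(default_factory=dict)     # iface -> {nat_id}  from "nat (iface) ID ..."
    global_pools: dict = field(default_factory=dict)    # iface -> {nat_id}  from "global (iface) ID ..."
    nat_exempt: dict = field(default_factory=dict)      # iface -> [(src_net, dst_net)]  "nat (iface) 0 access-list"
    identity_static: list = field(default_factory=list)  # [(src_iface, dst_iface, net)]

    def decide(self, src_if, src_ip, dst_if, dst_ip):
        """Return (forwarded?, reason) for one flow, following the NAT order exemption > static > dynamic."""
        src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        same_level = self.security_levels[src_if] == self.security_levels[dst_if]
        if same_level and not self.same_security_inter:
            return (False, "same security level; same-security-traffic permit inter-interface missing")
        # 1. NAT exemption (nat 0 access-list) is matched first and never translates
        for src_net, dst_net in self.nat_exempt.get(src_if, []):
            if src_ip in src_net and dst_ip in dst_net:
                return (True, "NAT exemption (nat 0 access-list)")
        # 2. identity static between the two interfaces
        for sif, dif, net in self.identity_static:
            if (sif, dif) == (src_if, dst_if) and src_ip in net:
                return (True, "identity static")
        # 3. dynamic NAT/PAT: a nat id on the source interface paired with a global on the destination
        ids = self.dynamic_nat.get(src_if, set())
        if ids & self.global_pools.get(dst_if, set()):
            return (True, "dynamic NAT/PAT through global on %s" % dst_if)
        # 4. nothing matched: decide whether a translation was required at all
        dyn_on_either = bool(ids or self.dynamic_nat.get(dst_if))
        if same_level:
            required = dyn_on_either                      # rule quoted in the thread
        else:
            required = self.nat_control or dyn_on_either  # simplification for differing levels
        if required:
            return (False, "No translation group found")
        return (True, "no NAT required")


def thread_config(with_fix=False):
    """The poster's configuration as shown in the thread; with_fix adds the nonat line and the accepted nat0_acl."""
    cfg = AsaNatModel(
        security_levels={"outside": 0, "inside": 100, "insidevoice": 100},
        same_security_inter=True,
        nat_control=False,
        dynamic_nat={"inside": {1}, "insidevoice": {1}},   # nat (inside) 1 / nat (insidevoice) 1
        global_pools={"outside": {1}},                      # global (outside) 1 interface
        nat_exempt={"inside": [(Net("172.19.20.0/24"), Net("192.168.100.0/24")),
                               (Net("172.19.20.0/24"), Net("172.25.0.0/16")),
                               (Net("172.19.20.0/24"), Net("172.22.0.0/16")),
                               (Net("172.19.20.0/24"), Net("192.0.0.0/24"))]},
    )
    if with_fix:
        # nonat gets 172.19.20.0/24 -> 172.19.21.0/24; insidevoice gets nat0_acl for the reverse direction
        cfg.nat_exempt["inside"].append((Net("172.19.20.0/24"), Net("172.19.21.0/24")))
        cfg.nat_exempt["insidevoice"] = [(Net("172.19.21.0/24"), Net("172.19.20.0/24"))]
    return cfg


if __name__ == "__main__":
    flow = ("inside", "172.19.20.19", "insidevoice", "172.19.21.21")   # the flow from the debug line
    print("original config:", thread_config().decide(*flow))
    print("with NAT exemption:", thread_config(True).decide(*flow))
    pat = thread_config()
    pat.global_pools["insidevoice"] = {1}                               # global (insidevoice) 1 interface
    print("with PAT alternative:", pat.decide(*flow))
```

Running the script prints the drop for the original configuration and the two ways it is cleared; `decide` returns a tuple so the outcome can be asserted on rather than read from the console.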