ASA configuration for internal routing

Unanswered Question
Jun 11th, 2008

Hi everyone,

I've got an ASA5510 ( which is the gateway for the internal network ( In addition, I've got an additional local network ( which I need to route my internal clients ( to. The local gateway for the network is, but my ASA device keeps dropping all connections to the network.

I've configured the ASA with the following options:

route inside

access-list inside-access-in extended permit ip any

access-list inside-access-in extended permit icmp any

access-group inside-access-in in interface inside

I've also got my standard NAT commands, which I don't think are necessary to post.

My question is how can I force the ASA appliance to forward packets to the network?

If any nat commands are required, please include them in your reply.

Many thanks.


Where is this network terminating? On the ASA itself? If so, and you don't want to NAT traffic between the two networks, you will need a 'nat 0' statement for those networks and the appropriate ACLs for traffic between those two interfaces, both inbound and outbound.

What are the security levels on each of those interfaces?

Farrukh Haroon Wed, 06/11/2008 - 05:14

You need to add the "same-security-traffic permit intra-interface" command, and you need to be running at least ASA 7.2.x for this to work. Also, if you have dynamic NAT configured or "nat-control" enabled, some NAT rules might need changing, like adding the following:

global (inside) 1 interface

Have a look at:



JORGE RODRIGUEZ Wed, 06/11/2008 - 05:47

Based on his description, it seems as though Chris's ASA5510 inside network or inside interface is; looking at the route statement, it looks as if the is routed through, which is probably an interface on a router having the network. If this is the case, the is considered an inside network, but if this is not the case and the is another interface with the same sec level, Farrukh gave you the answer. Otherwise Chris could possibly provide the ASA5510 interface configuration so we can understand the topology a bit better.



cpartsenidis Wed, 06/11/2008 - 07:53

Many thanks for your replies guys.

Here's the situation:


All workstations on the LAN use as a gateway. I've also got a new network ( that's accessible via

I'd like the ASA to route to the network via

Even though I've added all the necessary access lists on the inside interface of the 5510, to ensure packets are not dropped, they are still being denied.

Here's part of the configuration on the asa:

interface Ethernet0/1

nameif inside

security-level 100

ip address



access-list inside-access-in extended permit ip any

access-list inside-access-in extended permit icmp any



global (outside) 1

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

static (inside,outside) netmask

access-group outside_access_in in interface outside

access-group inside-access-in in interface inside

access-group dmz_access_in in interface dmz

route outside

route inside 1

I hope that helps.


Amadou TOURE Wed, 06/11/2008 - 08:12


Could you provide the inside_nat0_outbound access-list?

You need to allow replies from in the inside-access-in access-list, or add an inspect icmp in your default policy-map for ICMP stateful inspection.

Do you have logs for denied packets ?

Depending on whether nat-control is enabled or not, you'll need to add the network to your inside_nat0_outbound access-list.

cpartsenidis Wed, 06/11/2008 - 09:37

Farrukh ,

I'm offsite at the moment, but I think your suggested commands will fix the issue. I'll give it a try as soon as I can and update this post.

On another note, the ASA is running 7.0(7), but the command is available. Is that okay?

Regarding the "nat (inside) 0 access-list inside_nat0_outbound", its only used for the VPN clients, so we can leave it as is.


Farrukh Haroon Wed, 06/11/2008 - 09:56

I'm afraid that will not be OK, the second line of the link I posted earlier reads:

"Software release 7.2 includes the capability to route clear text data in and out of the same interface. "

Before that, this command was only applicable if ONE leg of the flow was encrypted (as in one side of the hairpin).

You have to upgrade the software or redesign your network to change the user's default gateway to the router, or any other solution.



JORGE RODRIGUEZ Wed, 06/11/2008 - 10:19

Chris thanks for posting brief topology description this helps understand better.

I do not mean to contradict Farrukh's post in any shape or form, but the topology is clear.

I do not believe same-security-traffic permit intra-interface applies in this scenario because is not on another interface in the firewall.

Since you have a [ROUTER] connected to the inside network as, and behind that router you have the network, this network is considered a trusted network hanging off the inside subnet by [ROUTER]-

There are no access lists required to allow to talk to 10.0.0/.24, but there are some routes that need to be in place.

On your [ROUTER] you must have a route pointing to to in order for network to communicate to ASA5510 inside network.


ip route

If you need to have use Internet access through the ASA5510, place a default route in [ROUTER].

ip route

for the ASA5510 :

you already have a route for

route inside, configure the firewall to make it aware that is a trusted network coming from the inside interface.


asdm location inside

nat (inside) 1

Best Regards


Amadou TOURE Wed, 06/11/2008 - 10:28

Hi Jorge,

Keep in mind that by default with the ASA, the same traffic can't come in an interface and get out through the same interface.

So same-security-traffic intra-interface is relevant to authorize this in/out traffic flow through the inside interface.


Farrukh Haroon Wed, 06/11/2008 - 10:33

Please don't confuse the "same-security-traffic intra-interface" with the 'inter-interface' command. In this scenario 'intra-interface' will be required IF the firewall is the default gateway of end hosts. I set this up for one customer, and since he was running 7.0.x at the time, I had to place a router behind the firewall. 7.2.x was not available or too new to be deployed in production back then.



JORGE RODRIGUEZ Wed, 06/11/2008 - 10:42

Amadou, thanks for the post, but I still disagree.

If you look at the same-security-traffic intra-interface effect, it is when you have two physical interfaces or subinterfaces on the same firewall with the same security levels and need to allow traffic between them without the use of ACLs.

This is not the case; Chris has a [ROUTER] in the inside interface subnet. Think of the router as being a PC, for the sake of imagination, that has for IP

Now, if was on a different interface configured in the firewall with Sec level 0 as the inside interface, then same-sec traffic applies.



Amadou TOURE Wed, 06/11/2008 - 10:53

Hi jorge,

As Farrukh said, there're two different commands :

same-security-traffic permit inter-interface, introduced in release 7.0(1), is available when you have two different interfaces, and same-security-traffic permit intra-interface, introduced in release 7.2(1), is applicable if you're using the same interface for in/out traffic.

Please refer to the ASA command reference software version 7.2

Best regards

JORGE RODRIGUEZ Wed, 06/11/2008 - 11:23

I do apologize; same-security-traffic permit inter-interface allows traffic between different interfaces that have the same sec level, and intra-interface allows in/out traffic.

Neither of the two applies in Chris's scenario. I have simulated Chris's topology in our production LAB: one 3550 L3 switch, two VLANs (one for and another VLAN for ), and one ASA5505 with the inside interface as

Simple routing between the two devices without any intra or inter commands, routing between the two networks by static routes and PAT, and it works as expected.

I even gave it a public IP address of for RDP mapped to a test server on the L3 3550 switch, and it works great.

BTW, I don't care who RDPs to the pub IP; this is an isolated production LAB, and yes, I get all the Cisco toys I ask for.



srue Wed, 06/11/2008 - 11:37

As others have stated, the OP needs to upgrade to 7.2(x) or later.

cpartsenidis Wed, 06/11/2008 - 14:13

The response to this thread has been great and I really appreciate the effort and time spent by everyone.

From what I conclude, Jorge, according to your test the scenario should work 'as is' without the need for additional commands.

However, Farrukh supports that the 'intra-interface' command for my situation is required.

Unfortunately, I haven't got access to the equipment right now so I can try it, but I do remember the scenario didn't work using the configuration I posted. If I remember correctly, the syslog messages mentioned that my packets heading from the internal LAN towards the network were denied by the inside-access-in list:

access-list inside-access-in extended permit ip any

access-list inside-access-in extended permit icmp any

access-group inside-access-in in interface inside

All I was doing is trying to access a network share on a computer in the network.

Closing, quoting Farrukh's recommendation:

'please don't confuse the "same-security-traffic intra-interface" with the 'inter-interface' command. In this scenario 'intra-interface' will be required IF the firewall is the default gateway of end hosts' , Yes, all internal hosts do in fact have the ASA ( as their gateway.

I sometimes fail to see why such 'simple' routing requirements can sometimes become a big headache :)

Cheers guys,
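Pulling the thread's conclusion together as one worked configuration. This is an added example, not Chris's posted config, and every address in it is assumed: the LAN is 192.168.1.0/24 with the ASA inside interface at 192.168.1.1 (the hosts' default gateway), the router sits on that subnet at 192.168.1.2, and the new network behind it is 10.0.0.0/24. Because the hosts point at the ASA, a packet for 10.0.0.0/24 enters and leaves the same inside interface; an ASA only forwards such a clear-text hairpin with same-security-traffic permit intra-interface on 7.2(1) or later, as Farrukh states. On 7.0(7) the choices are to upgrade, to move the hosts' default gateway to the router (Farrukh's alternative), or to put 10.0.0.0/24 on its own ASA interface.

```text
! ---- ASA 5510, 7.2(1) or later (example, assumed addresses) ----
! Let a flow enter and leave the same interface (the hairpin through
! "inside"). Without this, 7.x drops the LAN -> 10.0.0.0/24 packets
! even though the inbound ACL permits them.
same-security-traffic permit intra-interface
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Reach the new network via the router on the inside subnet.
route inside 10.0.0.0 255.255.255.0 192.168.1.2 1
!
! Keep LAN <-> 10.0.0.0/24 out of dynamic NAT/PAT. With nat-control on,
! an inside-to-inside flow that matches "nat (inside) 1 ..." has no
! global on "inside" and is dropped; exempting it (Amadou's suggestion)
! avoids that. Add the line to the existing exemption ACL rather than
! creating a second "nat (inside) 0" statement.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! The ACL bound inbound on "inside" is checked for the first packet of
! each connection. LAN-initiated sessions need the first rule; sessions
! initiated from 10.0.0.0/24 toward the LAN also arrive on "inside", so
! they need the second rule if that direction is wanted. Replies to
! LAN-initiated TCP/UDP sessions are matched by the connection table;
! ICMP echo replies are only matched statefully with "inspect icmp".
access-list inside-access-in extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside-access-in extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group inside-access-in in interface inside
!
! ---- Router at 192.168.1.2 / 10.0.0.1 (assumed IOS syntax) ----
! 192.168.1.0/24 and 10.0.0.0/24 are directly connected, so the only
! route it needs is a default toward the ASA for Internet access.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

Before applying this, confirm the platform with `show version` (7.2(1) or later) and, once configured, `show run | include same-security`. From 7.2 onward `packet-tracer input inside tcp 192.168.1.10 1025 10.0.0.5 445` walks a synthetic packet through the route, ACL and NAT phases and names the phase that drops it, which is faster than reading syslog denies. Farrukh's `global (inside) 1 interface` is the other way to satisfy nat-control: it PATs the hairpinned flow to the inside interface address, so hosts on 10.0.0.0/24 would see 192.168.1.1 as the source instead of the real LAN address. The security trade-off between the two designs is worth stating: keeping the ASA as the hosts' gateway means every LAN <-> 10.0.0.0/24 connection still passes the ASA's ACLs and stateful inspection, whereas pointing the hosts at the router sends that traffic around the firewall entirely.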

