ASA interfaces

Dec 3rd, 2008
Hi there..


There are two interfaces configured on the ASA, where one is connected to 10.x.x.x and the other to 192.x.x.x. The problem is that there seems to be no communication between these two. Any suggestions?


FYI: they have the same security level and the `same-security-traffic permit inter-interface` command, but it still doesn't work.


Thanks

John Blakley Wed, 12/03/2008 - 06:52

Can you ping the interface from the ASA itself, or are you trying to ping from a device in 10.x.x.x to a device in 192.x.x.x?


If the latter, try this:


Say you have 192.168.1.0 in a DMZ and 10.0.0.0 on your inside


static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0


clear xlate


See if you can ping the device now.


HTH,


John

veena_kompal Wed, 12/03/2008 - 07:35

thanks John..


But why is this NAT command required, when the interfaces are at the same security level and implicitly the traffic should be allowed between the two interfaces?



John Blakley Wed, 12/03/2008 - 07:40

It shouldn't be required. Can you post your config?

John Blakley Wed, 12/03/2008 - 08:01

I'm a little confused as to what you're trying to do. You have both vlan interfaces with the same security level, but you have only one of your ethernet ports in vlan2. Are you trying to not NAT between the interfaces at all, and make this a transparent firewall? You also have a global statement, which if you want to turn natting off, you need to remove. Your default gateway is .254 and it's on the inside of your network. Is this a proxy server? I've only seen same security levels between dmz and inside, but I've never seen it from out to in, so I may not be the best to answer how you have this configured.


HTH,

John

veena_kompal Wed, 12/03/2008 - 08:10

Hi John,


I have two networks, 10.x.x.x and 192.x.x.x. The firewall is used between these two networks, and 10.x.x.x should be able to access 192.x.x.x. Apart from this there are no other specifications/requirements, but I will have to establish communication from 10.x.x.x to 192.x.x.x.


So any suggestions are welcome..


thanks


solpandor Wed, 12/03/2008 - 08:11

Veena

As far as I'm aware, ping is disabled on the interfaces by default. Try these commands:


icmp permit network add interface inside

icmp permit network add interface inside

icmp permit network add interface dmz

icmp permit network add interface dmz


Like John, I'm confused as to your end goal; please elaborate.


Regards


Sol


John Blakley Wed, 12/03/2008 - 08:16

Try this:


1. Change the security level for vlan 2 to 0

2. Remove the global (inside) 1 interface command


After doing this, see if you can ping from the 10.x.x.x network to a device on the 192.x.x.x network. (Of course, it has to be a device in one of your ACLs.) You could remove the ACL from the inside interface just to test.


HTH,


John

veena_kompal Wed, 12/03/2008 - 08:33

John,


If I change the security-level of VLAN 2 to 0, then it would be considered a lower level, though these two networks are trusted ones within the organisation.


There is no DMZ required, so basically it's just that the firewall is placed between two different internal networks.



John Blakley Wed, 12/03/2008 - 08:49

You may need to enable NAT to do what you want then. Try this:


global (outside) 1 interface

nat (inside) 1 interface


static (inside,outside) 192.x.x.x 10.x.x.x netmask 255.255.255.0 <--whatever your mask is.


See if that helps, but don't change your security levels on any of the interfaces.


John

veena_kompal Thu, 12/04/2008 - 03:24

Hi John..


thanks for the response..


I did try to enter the above commands, but I got an error when I tried to configure the nat (inside) command.


Anyway, thanks for your help.
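
The question the thread keeps returning to (why an identity `static` helped even though both interfaces shared a security level with `same-security-traffic permit inter-interface` set) comes down to `nat-control`: on pre-8.3 ASA code with `nat-control` enabled, a flow needs a matching translation to cross the box at all. The checker below is an added example, not code from any poster; it parses a hypothetical 8.2-style fragment modelled on the thread and assumes only `static` translations matter (it does not model `nat`/`global` pairs, `nat 0` exemptions, or ACLs).

```python
import re
from ipaddress import ip_network

# Constructed ASA 8.2-style fragment modelled on the thread (hypothetical, not the poster's config).
SAMPLE_CONFIG = """interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif dmz
 security-level 100
same-security-traffic permit inter-interface
nat-control
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
"""

# pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")

def parse_asa(config):
    """Collect per-interface security levels and the global knobs this check needs."""
    parsed = {"levels": {}, "same_sec": False, "nat_control": False, "statics": []}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            parsed["levels"][current] = int(line.split()[1])
        elif line == "same-security-traffic permit inter-interface":
            parsed["same_sec"] = True
        elif line == "nat-control":
            parsed["nat_control"] = True
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, _mapped, real, mask = m.groups()
            parsed["statics"].append((real_if, mapped_if, ip_network(f"{real}/{mask}", strict=False)))
    return parsed

def check_path(parsed, src_if, dst_if, src_host):
    """List reasons src_if -> dst_if traffic from src_host may be dropped (empty list = looks OK)."""
    findings = []
    ls, ld = parsed["levels"][src_if], parsed["levels"][dst_if]
    if ls == ld and not parsed["same_sec"]:
        findings.append("equal security levels but 'same-security-traffic permit inter-interface' is missing")
    elif ls < ld:
        findings.append(f"{src_if} ({ls}) is lower than {dst_if} ({ld}): an inbound ACL on {src_if} must permit it")
    if parsed["nat_control"]:
        host = ip_network(src_host)  # a bare address becomes a /32
        if not any(s == src_if and d == dst_if and host.subnet_of(net) for s, d, net in parsed["statics"]):
            findings.append(f"nat-control is on and no static ({src_if},{dst_if}) covers {src_host}")
    return findings
```

Note that `icmp permit`, suggested earlier in the thread, only governs ICMP addressed to the ASA's own interfaces; pings passing through the box are subject to the ACL and translation rules this checker looks at. With the sample fragment, inside to dmz reports nothing while dmz to inside reports the missing reverse static.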


