12-03-2008 04:11 AM - edited 03-11-2019 07:20 AM
Hi there.
There are 2 interfaces configured on the ASA, where one is connected to 10.x.x.x and the other connected to 192.x.x.x. The problem is there seems to be no communication between these two. Any suggestions?
FYI: they have the same security level and the command same-security-traffic permit inter-interface is configured, but it still doesn't work.
Thanks
12-03-2008 06:52 AM
Can you ping the interface from the ASA itself, or are you trying to ping from a device in 10.x.x.x to a device in 192.x.x.x?
If the latter, try this:
Say you have 192.168.1.0 in a DMZ and 10.0.0.0 on your inside
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
clear xlate
See if you can ping the device now.
HTH,
John
12-03-2008 07:35 AM
Thanks John.
But why is this NAT command required, though the interfaces are at the same security level and implicitly the traffic should be allowed between the 2 interfaces?
12-03-2008 07:40 AM
It shouldn't be required. Can you post your config?
12-03-2008 07:51 AM
12-03-2008 08:01 AM
I'm a little confused as to what you're trying to do. You have both vlan interfaces with the same security level, but you have only one of your ethernet ports in vlan2. Are you trying to not NAT between the interfaces at all, and make this a transparent firewall? You also have a global statement, which if you want to turn natting off, you need to remove. Your default gateway is .254 and it's on the inside of your network. Is this a proxy server? I've only seen same security levels between dmz and inside, but I've never seen it from out to in, so I may not be the best to answer how you have this configured.
HTH,
John
12-03-2008 08:10 AM
Hi John,
I have two networks, 10.x.x.x and 192.x.x.x. The firewall is used between these two networks and the 10.x.x.x should be able to access the 192.x.x.x. Apart from this there are no other specifications/requirements, but I will have to establish communication between 10.x.x.x and 192.x.x.x.
So any suggestions are welcome.
thanks
12-03-2008 08:11 AM
Veena
As far as I'm aware ping is disabled on the interfaces by default, try this command:
icmp permit network add interface inside
icmp permit network add interface inside
icmp permit network add interface dmz
icmp permit network add interface dmz
Like John, I'm confused as to your end goal; please elaborate.
Regards
Sol
12-03-2008 08:16 AM
Try this:
1. Change the security level for vlan 2 to 0
2. Remove the global (inside) 1 interface command
After doing this, see if you can ping from the 10.x.x.x network to a device on the 192.x.x.x network. (Of course, it has to be a device in one of your ACLs.) You could remove the ACL from the inside interface just to test.
HTH,
John
12-03-2008 08:33 AM
John,
If I change the security-level of vlan 2 to 0 then it would be considered as a lower level, though these 2 networks are trusted ones within the organisation.
There is no dmz required, so basically it's just that the firewall is placed between two different internal networks.
12-03-2008 08:49 AM
You may need to enable NAT to do what you want then. Try this:
global (outside) 1 interface
nat (inside) 1 interface
static (inside,outside) 192.x.x.x 10.x.x.x netmask 255.255.255.0 <--whatever your mask is.
See if that helps, but don't change your security levels on any of the interfaces.
John
12-04-2008 03:24 AM
Hi John,
Thanks for the response.
I did try to enter the above commands but I got an error when I tried to configure the nat (inside) command.
Anyways, thanks for your help.
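As an added example (not from any poster in this thread), a small Python check for the pre-8.3 ASA NAT behaviour behind John's identity static: once an interface carries a dynamic nat rule, traffic leaving through another interface needs a global pool on that interface or a static covering the pair, otherwise the ASA drops it for lack of a translation. The config snippets are constructed for illustration; the interface names and the static follow the thread.

```python
import re
from collections import defaultdict

# Constructed ASA 8.2-style (pre-8.3 NAT syntax) snippet modelled on the
# thread: both interfaces are at security-level 100 with inter-interface
# traffic permitted, yet inside -> dmz flows match 'nat (inside) 1' and
# the only global pool for id 1 is on 'outside', so no translation exists.
BROKEN_CONFIG = """
nameif inside
security-level 100
nameif dmz
security-level 100
same-security-traffic permit inter-interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# Same snippet plus the identity static suggested in the thread.
FIXED_CONFIG = BROKEN_CONFIG + "static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0\n"

def parse(config):
    """Extract the statements the check needs: nameif, global, nat, static."""
    ifaces = []                   # nameif values, in configuration order
    globals_ = defaultdict(set)   # nat id -> interfaces carrying a global pool
    nats = defaultdict(set)       # interface -> nat ids applied to it
    statics = set()               # (real_if, mapped_if) pairs
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            ifaces.append(m.group(1))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            globals_[int(m.group(2))].add(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            nats[m.group(1)].add(int(m.group(2)))
        elif m := re.match(r"static \((\S+),(\S+)\)", line):
            statics.add((m.group(1), m.group(2)))
    return ifaces, globals_, nats, statics

def missing_translations(config):
    """Return (src, dst) pairs where src has a dynamic nat rule but dst has
    neither a global pool for that id nor a static (src,dst) covering it."""
    ifaces, globals_, nats, statics = parse(config)
    gaps = []
    for src, ids in nats.items():
        if 0 in ids:   # 'nat (src) 0 ...' is NAT exemption; treated as covered
            continue
        for dst in (i for i in ifaces if i != src):
            covered = any(dst in globals_[i] for i in ids) or (src, dst) in statics
            if not covered:
                gaps.append((src, dst))
    return gaps
```

Running `missing_translations(BROKEN_CONFIG)` reports `[('inside', 'dmz')]`, and the same call on `FIXED_CONFIG` returns an empty list.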