872 Views, 0 Helpful, 11 Replies

ASA interfaces

veena_kompal, Level 1

Hi there..

There are 2 interfaces configured on the ASA, where one is connected to 10.x.x.x and the other is connected to 192.x.x.x. The problem is there seems to be no communication between these two. Any suggestions?

FYI: they have the same security level and the command same-security-traffic permit inter-interface is configured, but it still doesn't work.

Thanks

11 Replies

John Blakley, VIP Alumni

Can you ping the interface from the ASA itself, or are you trying to ping from a device in 10.x.x.x to a device in 192.x.x.x?

If the latter, try this:

Say you have 192.168.1.0 in a DMZ and 10.0.0.0 on your inside

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

clear xlate

See if you can ping the device now.

HTH,

John

HTH, John *** Please rate all useful posts ***
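For readers following this reply, here is the complete set of commands it describes in one place, as an added illustration in pre-8.3 ASA syntax that is not part of the thread or anyone's posted configuration. The interface names (inside, dmz), subnets (10.0.0.0/24, 192.168.1.0/24) and addresses are assumptions chosen to match the example in the reply above.

```cisco
! Added illustration, not from the thread: two interfaces at the same security level,
! plus the identity NAT the reply above suggests. All names and addresses are assumed.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif dmz
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Without this line the ASA drops traffic between two interfaces of equal security level.
same-security-traffic permit inter-interface
!
! Identity NAT: 10.0.0.0/24 keeps its real addresses when it reaches the dmz side.
! This satisfies the translation requirement when NAT is in use on the inside interface
! (for example a "global (inside) 1 interface" / "nat (inside) 1" pair) without
! rewriting any addresses, so hosts on 192.168.1.0/24 see the true 10.0.0.x sources.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
!
! Lets hosts on each subnet ping the ASA's own interface address. This only governs
! ICMP terminated on the ASA; it does not affect traffic passing through it.
icmp permit 10.0.0.0 255.255.255.0 inside
icmp permit 192.168.1.0 255.255.255.0 dmz
!
! Exec-mode commands (not part of the running configuration):
!   clear xlate
!       flush existing translation slots so the new static rule is used
!   packet-tracer input inside icmp 10.0.0.10 8 0 192.168.1.10 detailed
!       simulate an echo request from inside to dmz and show which NAT rule,
!       ACL or same-security check would drop it before touching real hosts
```

The packet-tracer line is the quickest way to confirm whether the drop is caused by the missing NAT rule or by the same-security setting, since its output names the phase that fails.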

Thanks John.

But why is this NAT command required, though the interfaces are at the same security level and implicitly the traffic should be allowed between the 2 interfaces?

It shouldn't be required. Can you post your config?

HTH, John *** Please rate all useful posts ***

Please find the attached file.

I'm a little confused as to what you're trying to do. You have both vlan interfaces with the same security level, but you have only one of your ethernet ports in vlan2. Are you trying to not NAT between the interfaces at all, and make this a transparent firewall? You also have a global statement, which if you want to turn natting off, you need to remove. Your default gateway is .254 and it's on the inside of your network. Is this a proxy server? I've only seen same security levels between dmz and inside, but I've never seen it from out to in, so I may not be the best to answer how you have this configured.

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

I have two networks, 10.x.x.x and 192.x.x.x. The firewall is used between these two networks, and the 10.x.x.x network should be able to access the 192.x.x.x network. Apart from this there are no other specifications/requirements, but I will have to establish communication from 10.x.x.x to 192.x.x.x.

So any suggestions are welcome.

thanks

Veena

As far as I'm aware ping is disabled on the interfaces by default; try this command (substitute the network address and mask of the subnet behind each interface):

icmp permit <network-address> <mask> inside

icmp permit <network-address> <mask> dmz

Like John, I'm confused as to your end goal; please care to elaborate.

Regards

Sol

Try this:

1. Change the security level for vlan 2 to 0

2. Remove the global (inside) 1 interface command

After doing this, see if you can ping from the 10.x.x.x network to a device on the 192.x.x.x network. (Of course, it has to be a device in one of your ACLs.) You could remove the ACL from the inside interface just to test.

HTH,

John

HTH, John *** Please rate all useful posts ***

John,

If I change the security-level of vlan 2 to 0 then it would be considered as a lower level, though these 2 networks are trusted ones within the organisation.

There is no DMZ required, so basically it's just that the firewall is placed between two different internal networks.

You may need to enable NAT to do what you want then. Try this:

global (outside) 1 interface

nat (inside) 1 interface

static (inside,outside) 192.x.x.x 10.x.x.x netmask 255.255.255.0 <-- whatever your mask is.

See if that helps, but don't change your security levels on any of the interfaces.

John

HTH, John *** Please rate all useful posts ***

Hi John..

Thanks for the response.

I did try to enter the above commands but I got an error when I tried to configure the nat (inside) command.

Anyway, thanks for your help.
