Hi. We have an ASA5510 firewall and I have 2 inside interfaces (both security 100) on different subnets, both use NAT to access the internet. I'm trying to enable traffic from one interface (192.168.1.0) to my websense server on the other (172.16.1.8) so websense displays its block page message (currently when users on 192.168.1.0 access a restricted site they're getting either a 'page cannot be displayed' message or a 'Live Search' page).
I've tried adding the following commands but just cannot get it to work (not even ping).
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Non-Opps-Orgs_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (Non-Opps-Orgs) 0 access-list Non-Opps-Orgs_nat0_outbound
All devices use the firewall as their default gateway and there are no static routes on any of the computers.
Any ideas would be greatly appreciated.
You're seeing one of the subtleties of the "nat-control" command. Because you have a nat/global pair configured on the Non-Opps-Orgs interface to the outside, that's blocking the default functionality of the "no nat-control" feature for traffic to other interfaces, such as the inside interface. This means you either have to configure an explicit nat exemption between the Non-Opps-Orgs and Inside interfaces (in both directions), or just configure static identity NAT between them (in both directions). Personally, I prefer the old-school static identity NAT, since it's easy and obvious. For example, if you add these two commands to your config I think it'll work:
static (inside,Non-Opps-Orgs) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Non-Opps-Orgs,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
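For reference, here is how the two alternatives described in the answer look side by side in pre-8.3 ASA NAT syntax (the nat/global/static style the original poster is using). This is an added example, not configuration from the answerer or from the original poster's firewall; it reuses the interface names, subnets and ACL names from the question, assumes no access-list is currently applied inbound on the Non-Opps-Orgs interface, and the final access-list is an optional least-privilege tightening rather than something the answer required.

```cisco
! --- Common prerequisite: both interfaces are security 100, so routing
! --- between them has to be explicitly enabled.
same-security-traffic permit inter-interface

! ===== Option A: NAT exemption (nat 0 access-list) in BOTH directions =====
! The poster already had the Non-Opps-Orgs side; the inside side was missing.
! With nat-control on, traffic from inside toward Non-Opps-Orgs otherwise
! matches the existing nat (inside) 1 rule, which has no global on
! Non-Opps-Orgs, so it is dropped.
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Non-Opps-Orgs_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (Non-Opps-Orgs) 0 access-list Non-Opps-Orgs_nat0_outbound

! ===== Option B: static identity NAT in BOTH directions (the answer's pick) =====
! Use A or B, not both for the same address pairs.
static (inside,Non-Opps-Orgs) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Non-Opps-Orgs,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! ===== Optional: only let the user subnet reach the websense server =====
! Same-security inter-interface traffic with no ACL applied is allowed
! wholesale; this limits 192.168.1.0 to the block-page host only.
! Assumed ACL name; adjust if an ACL already exists on this interface.
access-list Non-Opps-Orgs_in extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.8
access-list Non-Opps-Orgs_in extended deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list Non-Opps-Orgs_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group Non-Opps-Orgs_in in interface Non-Opps-Orgs

! ===== Verification from the ASA CLI =====
! Simulate a client (constructed address 192.168.1.10) pinging the websense
! server and confirm the NAT phase shows an identity translation, not a drop.
packet-tracer input Non-Opps-Orgs icmp 192.168.1.10 8 0 172.16.1.8
! Then confirm the translations and rules the box actually built.
show nat
show xlate
```

Read the packet-tracer output from the bottom up: a result of DROP in the NAT phase is the nat-control symptom the answer describes, and after either option is applied the NAT phase should show the identity translation with ALLOW as the final result. `show xlate` will only list an entry once real traffic has crossed the firewall.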