Cant pass traffic between interfaces with the same security

Answered Question
Dec 9th, 2008
User Badges:

Hi. We have an ASA5510 firewall and I have 2 inside interfaces (both 100 security) on different subnets, both use NAT to access the internet. I'm trying to enable traffic from one interface (192.168.1.0) to my websense server on the other (172.16.1.8) so websense displays it's blockpage message (currently when users on 192.168.1.0 access a restricted site they're getting either a 'page cannot be displayed' message or a 'Live Search' page).


I've tried adding the following commands but just cannot get it to work (not even ping).


Same-security-traffic permit inter-interface

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0

access-list Non-Opps-Orgs_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0

nat (Non-Opps-Orgs) 0 access-list Non-Opps-Orgs_nat0_outbound


All devices use the firewall as their default gateway and there are no static routes on any on the computers.


Any ideas would be greatly appreciated.


Rex



Attachment: 
Correct Answer by ddawson about 8 years 5 months ago

You're seeing one of the subtleties of the "nat-control" command. Because you have a nat/global pair configured on the Non-Opps-Orgs interface to the outside, that's blocking the default functionality of the "no nat-control" feature for traffic to other interfaces, such as the inside interface. This means you either have to configure an explicit nat exemption between the Non-Opps-Orgs and Inside interfaces (in both directions), or just configure static identity NAT between them (in both directions). Personally, I prefer the old-school static identity NAT, since it's easy and obvious. For example, if you add these two commands to your config I think it'll work:


static (inside,Non-Opps-Orgs) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static (Non-Opps-Orgs,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
ddawson Wed, 12/10/2008 - 10:18
User Badges:
  • Bronze, 100 points or more

You're seeing one of the subtleties of the "nat-control" command. Because you have a nat/global pair configured on the Non-Opps-Orgs interface to the outside, that's blocking the default functionality of the "no nat-control" feature for traffic to other interfaces, such as the inside interface. This means you either have to configure an explicit nat exemption between the Non-Opps-Orgs and Inside interfaces (in both directions), or just configure static identity NAT between them (in both directions). Personally, I prefer the old-school static identity NAT, since it's easy and obvious. For example, if you add these two commands to your config I think it'll work:


static (inside,Non-Opps-Orgs) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static (Non-Opps-Orgs,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0


Rex Biesty Tue, 12/16/2008 - 06:13
User Badges:

Thanks, that worked a treat. Just out of interest, would it be easy to restrict Non-Opps-Orgs to a particular IP and protocol on the inside network?

ddawson Tue, 12/16/2008 - 07:01
User Badges:
  • Bronze, 100 points or more

You could restrict IP addresses by only doing NAT for the address(es) you want to allow, but to restrict by individual ports you'd be better off using access-lists.

Rex Biesty Tue, 12/16/2008 - 07:22
User Badges:

Might be one to research in the new year but thanks for your help anyway, much appreciated.

whanson Sun, 12/21/2008 - 14:08
User Badges:

question about your answer. Once upon a time wasn't there a limit on how many net statics you could have defined? Let say you had 20 subnets each with 255 addresses?

ddawson Mon, 12/22/2008 - 09:49
User Badges:
  • Bronze, 100 points or more

There's never been a hard limit on the number of static commands you could configure, though there were (and still are) limits on how big your entire configuration could be. However, there did used to be more restrictions on statics that overlapped (they weren't allowed at all), but now you *can* have overlapping static commands and they are processed in order. For example, say you have a network static but want to map one of the addresses in the network to some other public address. This used to not be allowed, but now (as of 7.0) you can get the desired behavior as long as you configure the individual static command(s) before any more general network statics commands that would include the individual inside host(s).

ullasupendran Mon, 12/22/2008 - 11:25
User Badges:

Hi DANA


I have a query on the ablove question.If we add the following entry

"access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0" will it work?

look for ur valuable answer..


Ullas

ddawson Mon, 12/22/2008 - 12:50
User Badges:
  • Bronze, 100 points or more

Yes, that will work too, since the "nat 0 access-list" command *does* have the side effect of creating the necessary xlates for lower-to-higher traffic. Many people prefer this approach, but I still like the "old way" since it's usually fewer commands.

Actions

This Discussion