I have an ASA 5505 with two internal VLANs - let's say 192.168.0.0/24 & 192.168.1.0/2 and an outside interface which is the internet gateway for both of the internal subnets. I can get on the net from each internal net but I can't figure out how to make them talk to each other. They're both configured with security level 100 and I want to enable all IP traffic between them. Any idea how to make this work?
Because you have the 'nat-control' command enabled and you have dynamic PAT on your inside and inside1 interfaces, there also needs to be a NAT rule for the traffic between the inside and inside1 interfaces. Assuming you don't want to NAT the traffic between these two interfaces, I would recommend trying something like this:
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside1_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside1) 0 access-list inside1_nat0_outbound
This will set up NAT 0 and allow traffic to flow in both directions. If you want to do dynamic PAT instead, just adjust your config accordingly; the point is you need to have NAT rules that match the traffic between these interfaces because of the 'nat-control' command and your existing dynamic PAT configuration.
From the documentation:
"Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface with NAT control enabled, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule."
Hope that helps.
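As an added example (not part of the original answer or of any Cisco tooling): a small Python check, run against a constructed config in the 8.2-style 'nat (iface) id' syntax the answer uses, that reports same-security interface pairs which would fall foul of nat-control because the source interface carries dynamic NAT/PAT but no 'nat 0 access-list' on it covers the other interface's subnet. The config text, the interface names and the parser's limits (only 'extended permit ip' entries with 'any' or address/mask destinations) are assumptions made for the example.

```python
import ipaddress
# Constructed ASA 8.2-style config (not from the original post): the answer's
# scenario with the second 'nat (...) 0' statement deliberately left out.
SAMPLE_CONFIG = """\
nat-control
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface Vlan2
 nameif inside1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside1_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
"""
def parse(config):
    # Interfaces, 'permit ip' ACL destinations, 'nat 0' ACL bindings, dynamic NAT ids.
    ifaces, acl_dst, nat0, dynamic, cur = {}, {}, {}, set(), {}
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[0] == "nameif":                 # nameif starts the interface block we track
            cur = ifaces[t[1]] = {}
        elif t[0] == "security-level":
            cur["level"] = int(t[1])
        elif t[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            d = t[6:] if t[5] == "any" else t[7:]   # skip the source ('any', 'host X' or addr mask)
            acl_dst.setdefault(t[1], []).append(
                ipaddress.ip_network("0.0.0.0/0" if d[0] == "any" else f"{d[0]}/{d[1]}", strict=False))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0[t[1].strip("()")] = t[4]    # NAT exemption (nat 0) bound to the interface
        elif t[0] == "nat" and t[2] != "0":
            dynamic.add(t[1].strip("()"))    # dynamic NAT/PAT on the interface
    return ifaces, acl_dst, nat0, dynamic
def missing_exemptions(config):
    # Same-security pairs whose traffic would be dropped under nat-control for lack of a NAT rule.
    ifaces, acl_dst, nat0, dynamic = parse(config)
    missing = []
    for a, ia in ifaces.items():
        for b, ib in ifaces.items():
            if a != b and ia["level"] == ib["level"] and a in dynamic and not any(
                    ib["net"].subnet_of(d) for d in acl_dst.get(nat0.get(a), [])):
                missing.append((a, b))
    # Without nat-control (or with 'no nat-control') no matching rule is required.
    return sorted(missing) if "nat-control" in [l.strip() for l in config.splitlines()] else []
```

Appending the missing `nat (inside1) 0 access-list inside1_nat0_outbound` line to the sample config makes the check return an empty list.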