Connecting two internal networks in an ASA

Aug 20th, 2009


I have an ASA5510 with a segment on the inside interface, but I need to configure another new segment and both segments have to communicate. How do I do it?

ivanguzman Fri, 08/21/2009 - 05:54

Hi Andrew,

I configure another interface on the ASA; must the new interface have a security level lower than the inside?

How can I enable the new interface to communicate with the inside?


hschaefers Fri, 08/21/2009 - 06:00


I am in the same situation. I am in need of getting a security level 100 to communicate with a 75 on different interfaces.

Mine keeps erroring on the NAT rule stating that there isn't any pool.

Can someone shed some light on the suggested approach for configuration so I can verify that I have the correct configuration?

1.) I know the NAT rule needs to be on the higher security.

2.) I know you need a Permit ACL on the lower interface to permit access inbound.

It can have the same security level if you want. Depending on its purpose, I generally give any other interfaces a lower security level, say 50.

What I then do is make a NAT exempt from the inside to the new interface (this is bi-directional).

Once the NAT is working ok, I then write an ACL for any traffic that originates from the new interface to the inside.


hschaefers Fri, 08/21/2009 - 06:13


Do you put that exempt rule on the higher security interface or make a separate one for each lower interface?

Generally what I do is:

1) Create an inside to new interface ip access-list.

2) Attach the acl to the nat (inside) 0 config.

3) Create a new interface to inside ip access-list.

4) Attach the acl to the nat <> 0.

Then let the traffic flow in both directions. When you have no hits on the acl from the new interface to the inside, you know your inside NAT exempt rule is bi-directional (sometimes it does not work straight away).

Sometimes I leave them in there, especially when I need to make the new interface part of a VPN; then the exempt acl just gets expanded.


ivanguzman Fri, 08/21/2009 - 06:28

Would the configuration be as follows? Is it correct, or am I missing some parameter?

interface Ethernet0/1
nameif inside1
security-level 100
ip address

interface Ethernet0/2
nameif inside2
security-level 75
ip address

access-list ACL_IN2 extended permit ip 172.16.13

static (inside,inside2) netmask
static (inside,inside2) netmask

access-group ACL_IN in interface inside
access-group ACL_IN2 in interface inside2

That would be one way of doing it; I would:

access-list no-nat1 permit ip
nat (inside1) 0 access-list no-nat1

access-list no-nat2 permit ip
nat (inside2) 0 access-list no-nat2

The above allows you to expand the nat-exemption the more interfaces you have.
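The four-step NAT-exemption procedure described earlier and the nat 0 configuration just posted, written out as one complete pre-8.3 ASA configuration; this is an added example, not the thread's own config, and the interface names, subnets, server addresses and permitted services are assumed for illustration.

```cisco
! Added example (not the thread's own config); pre-8.3 NAT syntax as used in this thread.
! Assumed addressing: inside1 172.16.10.0/24 (level 100), inside2 172.16.20.0/24 (level 75).
interface Ethernet0/1
 nameif inside1
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside2
 security-level 75
 ip address 172.16.20.1 255.255.255.0
!
! Steps 1 and 2: exempt inside1 -> inside2 traffic from NAT (no pool needed)
access-list no-nat1 extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside1) 0 access-list no-nat1
!
! Steps 3 and 4: matching exemption in the other direction, so flows
! initiated from inside2 are not NATed either
access-list no-nat2 extended permit ip 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0
nat (inside2) 0 access-list no-nat2
!
! The lower-security interface needs an explicit ACL before it can reach inside1.
! Permit only what the new segment actually needs (assumed here: HTTPS to one
! server and DNS to one resolver) rather than "permit ip any any"; the final
! deny is the implicit one made visible with logging.
access-list ACL_IN2 extended permit tcp 172.16.20.0 255.255.255.0 host 172.16.10.50 eq 443
access-list ACL_IN2 extended permit udp 172.16.20.0 255.255.255.0 host 172.16.10.53 eq domain
access-list ACL_IN2 extended deny ip any any log
access-group ACL_IN2 in interface inside2
!
! Verification: hit counts on the exemption ACLs, and a simulated inside2 -> inside1
! flow that should show NAT exemption and an ACL permit in its trace
show access-list no-nat1
show access-list no-nat2
packet-tracer input inside2 tcp 172.16.20.10 40000 172.16.10.50 443
```

If the return-direction exemption is working, traffic from inside2 shows no hits on no-nat2 and still passes the packet-tracer; if it fails at the NAT phase, the exemption ACL on inside1 is not matching.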
