10-11-2009 02:43 PM - edited 03-11-2019 09:25 AM
I cannot open shared network drive and ping between two interfaces with same security level.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
nameif inside_wlan
security-level 100
ip address 10.10.10.1 255.255.255.0
!
same-security-traffic permit inter-interface
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit tcp object-group network_group_inside any object-group service_group_inside2otside_tcp
access-list inside_access_in extended permit udp object-group network_group_inside any object-group service_group_inside2outside_udp
access-list inside_access_in extended permit icmp any any
access-list inside_wlan_access_in extended permit tcp object-group network_group_inside_wlan any object-group service_group_inside_wlan2otside_tcp
access-list inside_wlan_access_in extended permit udp object-group network_group_inside_wlan any object-group service_group_inside_wlan2outside_udp
access-list inside_wlan_access_in extended permit icmp any any
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside_wlan) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp interface 4662 home 4662 netmask 255.255.255.255
static (inside,outside) udp interface 4672 home 4672 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group inside_wlan_access_in in interface inside_wlan
10-11-2009 05:51 PM
I believe you need the following:
static (inside,inside_wlan) 192.168.1.0 192.168.1.0 net 255.255.255.0
Pls. enable logging:
loggin on
logging buffered 7
sh logg | i 192.168.1.x
When you ping the 10.10.10.x host from a 192.68.1.x host.
Here is the link for same security intra/inter:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wpxref77088
10-11-2009 07:03 PM
Thank you for help.
After that I did
static (inside,inside_wlan) 192.168.1.0 192.168.1.0 net 255.255.255.0
I got this log from ASA 5505:
Oct 11 2009 22:58:37 ciscoasa : %ASA-6-302020: Built inbound ICMP connection for faddr home/0 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
Oct 11 2009 22:58:37 ciscoasa : %ASA-6-302021: Teardown ICMP connection for faddr home/0 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
And from Kiwi log viewer:
ciscoasa : %ASA-3-305005: No translation group found for icmp src inside:home dst inside_wlan:lp-mekael (type 8, code 0)
10-11-2009 07:15 PM
I added one more line and it began to work.
Can you give me a short explanation of why it works?
static (inside,inside_wlan) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside_wlan,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
10-12-2009 04:28 AM
The static line is required because you have nat/global configured for those 192 and 10 networks.
Once you provide a nat/global, the flow will require translation for any other flow between any other interfaces, meaning "no nat-control" will not have any effect and it will be considered nat-control. We just provided the identity translation that it needs.
That is all.
If you did not have the nat/global for both these networks, the "no nat-control" in the configuration would have kicked in and there would not have been a need to add an identity static to get this to work.
I hope this is clear. If not pls. let us know.
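As an added example (not part of the thread or of Cisco's tooling), the following Python check models the rule given in the reply above for a pre-8.3 ASA config: a host that matches a nat rule on its ingress interface, or any host when nat-control is on, needs a matching static or nat/global pair towards the egress interface, otherwise the firewall logs %ASA-3-305005. The config excerpts are constructed from the lines posted in this thread; the function and rule names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the thread's original config (no identity statics yet).
BASE_CONFIG = """
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside_wlan) 1 10.10.10.0 255.255.255.0
"""

# The two identity statics from the thread's final working config.
IDENTITY_STATICS = """
static (inside,inside_wlan) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside_wlan,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")

def parse(config):
    """Collect nat-control, dynamic nat, global and static rules from a config text."""
    rules = {"nat_control": False, "nat": [], "global": set(), "static": []}
    for line in config.splitlines():
        line = line.strip()
        if line == "nat-control":
            rules["nat_control"] = True
        elif m := NAT_RE.match(line):
            ifc, nat_id, net, mask = m.groups()
            rules["nat"].append((ifc, int(nat_id), ipaddress.ip_network(f"{net}/{mask}")))
        elif m := GLOBAL_RE.match(line):
            rules["global"].add((m.group(1), int(m.group(2))))
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, _mapped, real, mask = m.groups()
            rules["static"].append((real_if, mapped_if, ipaddress.ip_network(f"{real}/{mask}")))
    return rules

def translation_for(config, src_if, src_ip, dst_if):
    """Return "static", "dynamic" or "untranslated" for a flow from src_ip on src_if
    towards dst_if, or None when no translation group exists (the 305005 case)."""
    rules = parse(config)
    ip = ipaddress.ip_address(src_ip)
    for real_if, mapped_if, net in rules["static"]:
        if real_if == src_if and mapped_if == dst_if and ip in net:
            return "static"
    dyn = [nat_id for ifc, nat_id, net in rules["nat"] if ifc == src_if and ip in net]
    if any((dst_if, nat_id) in rules["global"] for nat_id in dyn):
        return "dynamic"
    # Translation is mandatory under nat-control, or once the host matched a nat rule.
    return None if (rules["nat_control"] or dyn) else "untranslated"
```

Running it on the original config reports no translation for inside to inside_wlan while inside to outside is fine, and adding only the first static still leaves inside_wlan to inside untranslated, which is why the second line was needed.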
10-12-2009 07:17 AM
Thank you for your help !!!