ASA5510 unable communication between eth0/1 and eth0/2

members1st
Level 1

I have seen some previous posts regarding this matter but the solution is not quite clear. Here is my issue:


I have an ASA5510 that has the following configuration:

ethernet 0/0 outside security level 0
ethernet 0/1 inside security level 100      (192.168.2.0/24)
ethernet 0/2 private security level 100      (192.168.3.0/24)

same-security-traffic permit inter-interface

access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (private) 0 access-list nonat
nat (private) 1 0.0.0.0 0.0.0.0


The servers on both sides were able to access the Internet. However, they cannot talk to each other. When I ping between the 2 sides, the firewall log showed:

portmap translation creation failed for icmp src Inside:192.168.2.151 dst private:192.168.3.101 (type 8, code 0)

I am not sure what I am missing. Can anyone help?

Thanks in advance


3 Replies

Kureli Sankar
Cisco Employee (Accepted Solution)

Your access-list appears incorrect.

Pls. change it to the following:

access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

-KS
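As an added illustration (not part of the thread and not Cisco code), the following Python script models how the ASA 8.2 NAT order of operations treats a flow under the original nonat ACL versus the corrected one: NAT exemption (`nat (ifc) 0 access-list nonat`) is evaluated first, in the direction of the flow, and only when no exemption entry matches does the dynamic rule `nat (ifc) 1 0.0.0.0 0.0.0.0` apply, which then needs a global pool for NAT ID 1 on the egress interface. The ACL lines are the ones quoted in the thread; the route table and the assumption that a `global (outside) 1 interface` exists (implied by Internet access working) are constructed for the example, and there is no such global on Inside or private.

```python
import ipaddress

# The OP's original nonat ACL (constructed copy of the lines quoted in the thread).
NONAT_BEFORE = [
    "access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0",
    "access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.3.0 255.255.255.0",
]

# The corrected nonat ACL from the accepted answer: one entry per direction.
NONAT_AFTER = [
    "access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0",
    "access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0",
]

# Assumed routing for the example: most specific prefix listed first, default last.
ROUTES = [
    (ipaddress.ip_network("192.168.2.0/24"), "Inside"),
    (ipaddress.ip_network("192.168.3.0/24"), "private"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

# Assumption: a 'global (outside) 1 interface' exists (Internet access works in the
# thread). No global for NAT ID 1 is configured on Inside or private.
GLOBAL_POOLS_FOR_NAT_ID_1 = {"outside"}


def parse_nonat(lines):
    """Parse 'access-list NAME extended permit ip SRC SMASK DST DMASK' entries.

    Only the ACE shape used in the thread is supported; anything else is rejected
    rather than silently matched.
    """
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 9 or parts[0] != "access-list" or parts[2:5] != ["extended", "permit", "ip"]:
            raise ValueError(f"unsupported ACE: {line}")
        src = ipaddress.ip_network(f"{parts[5]}/{parts[6]}", strict=False)
        dst = ipaddress.ip_network(f"{parts[7]}/{parts[8]}", strict=False)
        entries.append((src, dst))
    return entries


def interface_for(ip):
    """Return the interface a host is reached through (first matching route wins)."""
    addr = ipaddress.ip_address(ip)
    for net, name in ROUTES:
        if addr in net:
            return name
    raise ValueError(f"no route for {ip}")


def classify_flow(nonat_lines, src, dst):
    """Model the ASA 8.2 NAT decision for a new connection from src to dst.

    Returns one of:
      'exempt'             - matched nat 0 access-list, no translation built
      'dynamic-pat'        - fell through to nat 1 and a global exists on egress
      'translation-failed' - fell through to nat 1 but egress has no global
                             (the 'portmap translation creation failed' case)
      'inbound'            - source is on outside, outside the scope of this model
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = interface_for(src), interface_for(dst)
    if ingress == "outside":
        return "inbound"

    # Step 1: NAT exemption. The same nonat ACL is bound to both inside-side
    # interfaces, and it is matched in the direction of the flow, which is why
    # the corrected ACL needs a 2.0->3.0 entry AND a 3.0->2.0 entry.
    for ace_src, ace_dst in parse_nonat(nonat_lines):
        if src_ip in ace_src and dst_ip in ace_dst:
            return "exempt"

    # Step 2: dynamic NAT/PAT, 'nat (ingress) 1 0.0.0.0 0.0.0.0'. The ASA must
    # find a 'global ... 1' on the egress interface to build the xlate.
    if egress in GLOBAL_POOLS_FOR_NAT_ID_1:
        return "dynamic-pat"
    return "translation-failed"


if __name__ == "__main__":
    flows = [("192.168.2.151", "192.168.3.101"),
             ("192.168.3.101", "192.168.2.151"),
             ("192.168.2.151", "203.0.113.10")]
    for label, acl in (("original ACL", NONAT_BEFORE), ("corrected ACL", NONAT_AFTER)):
        for s, d in flows:
            print(f"{label:14} {s} -> {d}: {classify_flow(acl, s, d)}")
```

With the original ACL the Inside-to-private ping matches neither nonat entry, falls through to `nat (Inside) 1`, and cannot find a global on the private interface, which is exactly the xlate failure in the OP's log; with the corrected ACL the same flow is exempt in both directions while Internet-bound traffic still takes dynamic PAT. Note that this models the pre-8.3 NAT syntax used on the page; 8.3 and later replaced `nat 0 access-list` with object-based NAT.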

After changing the access-list, it works.

Thank you so much.

vilaxmi
Cisco Employee

Hello,

I see that you are facing an asymmetric routing issue in your n/w.

Is the default gateway of the users behind the Private and inside ifc the ASA itself, or do you have a layer 3 device like a router? If you have one, then let the router handle the inter-subnet communication.

Should you not have any router, then you could try using TCP State Bypass mechanism in ASA (8.2(x) + only).

Please read more about the tcp-state-bypass method to overcome asymmetric routing issues:

http://cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html

HTH

Vijaya
