ASA 5520 routing between interfaces

pronet_cisco
Level 1

Hello,

I have two internal interfaces that I have the security level set to 100 on and didn't need to route between them until now.

At this time I need to route to a single host for MySQL port 3306 and I cannot get it to work.

Can anyone please help.

Gary.

7 Replies

Jennifer Halim
Cisco Employee

You need static NAT between the 2 interfaces and also "same-security-traffic permit inter-interface" command.

For example:

Internal interface 1 is named "inside": 192.168.1.0/24

Internal interface 2 is named "inside-2": 192.168.5.0/24

static (inside,inside-2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

same-security-traffic permit inter-interface

The static translation is bidirectional, so you don't need to configure the reverse static statement.

Hope that helps.

I already have "same-security-traffic permit inter-interface" running.

All inside interfaces are communicating without any static NAT.

I want to remove "same-security-traffic permit inter-interface" so they don't communicate and then allow one IP from inside interface 3 to connect to 2 hosts on inside interface 1.

Is this possible to do?

Gary

If int1 and int3 are of the same security level, you will need the "same security" command; you can't avoid it.

If not, then you can use ACLs and/or translations to go from int1 to int3 and vice versa.

I hope it helps.

PK

It's not possible to use ACLs if you remove the same-security command. Traffic will be dropped before ACL checks and you'll get a drop in your log.

To make this work you'll need the command or change your security levels. :-)

So how can I leave the same security command in but then stop traffic between the two interfaces and only allow port 3306 on 2 hosts on interface 1 from one host coming in from interface 3?

Because at this time with same security command everything is routing to each other just fine. I don't want that.

Hope this is clear enough.

Thanks,

Gary

You can use ACLs to allow only the traffic that you want.

"same security inter" should not be used to deny traffic.

ACLs are for that purpose.

I hope it helps.

PK

Pls. review both these links:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1061479

and

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wpxref77088

NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired. However, if you configure dynamic NAT when NAT control is enabled, then NAT is required. See Chapter 27, "Configuring NAT Control," for more information. Also, when you specify a group of IP addresses for dynamic NAT or PAT on a same security interface, then you must perform NAT on that group of addresses when they access any lower or same security level interface (even when NAT control is not enabled). Traffic identified for static NAT is not affected.

You want traffic to flow freely between all same security interfaces without access lists.

With that said, same security traffic will flow freely without any nat or access-list. If you want to restrict this, then you need to change one interface's security level to something else and provide translation just for that one host appropriately. Once done, you can remove the same security command if you do not have any more same security interfaces.

-KS
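The ACL-based approach PK describes, written out as an added example (not configuration posted by anyone in this thread): keep "same-security-traffic permit inter-interface" and use an inbound access list on the third interface so only one client can reach two MySQL hosts on port 3306, while all other traffic from that interface toward interface 1 is dropped and logged. The interface name inside-3, its subnet 192.168.3.0/24, and all host addresses are assumed; "inside" is 192.168.1.0/24 as in Jennifer's example.

```cisco
! Assumed interface names and addressing (constructed for this example)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif inside-3
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
! Same-security forwarding stays on; the interface ACL does the filtering.
same-security-traffic permit inter-interface
!
! Only the assumed client 192.168.3.10 may reach the two assumed MySQL hosts on TCP/3306.
access-list INSIDE3_IN extended permit tcp host 192.168.3.10 host 192.168.1.20 eq 3306
access-list INSIDE3_IN extended permit tcp host 192.168.3.10 host 192.168.1.21 eq 3306
! Everything else from inside-3 toward the inside subnet is denied and logged,
! so unexpected attempts show up in syslog rather than silently disappearing.
access-list INSIDE3_IN extended deny ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 log
! Traffic to any other destination (e.g. outside) is still allowed; without this
! line the ACL's implicit deny would block it.
access-list INSIDE3_IN extended permit ip 192.168.3.0 255.255.255.0 any
!
access-group INSIDE3_IN in interface inside-3
```

Return traffic from the MySQL hosts is handled by the ASA's stateful connection table, so no matching rule is needed on the inside interface; "show access-list INSIDE3_IN" shows hit counts per line for verification.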
