Allow traffic to pass between 2 same security level interfaces

I have configured my ASA 5510 with 2 same security level interfaces, and I have "same-security-traffic permit inter-interface" enabled on the ASA, but no traffic from either interface is passing to the other interface. I know this is an access list problem, but I cannot find any commands to allow all traffic to pass freely between the 2 interfaces.

Any help is greatly needed.

Thank you

Shane

Green

Re: Allow traffic to pass between 2 same security level interfaces

Access lists are not required when using inter-interface.

Are you getting a "no translation group" error message?

Community Member

Re: Allow traffic to pass between 2 same security level interfaces

Yes, I am getting a no translation group error.

The exact error is -

No translation group found for icmp and for TCP.

I have worked with one of the TAC engineers, and the command that he gave me to correct this error grinds the network to a standstill (static (interface1,interface2) 172.16.0.0 172.16.0.0 netmask 255.255.0.0). If I enter this command, all traffic slowly stops on interface 1.

Shane

Green

Re: Allow traffic to pass between 2 same security level interfaces

That should be correct if...

interface1 is 172.16.x.x.

Could you post a config?

Community Member

Re: Allow traffic to pass between 2 same security level interfaces

I have attached a copy of my config. I do not understand why it stops network traffic when I put that command in. I have watched the network stop. I did try the command Friday afternoon; the network seemed to recover after about 10 minutes, but the funny part of it all was that I could not connect to some of the 172.16.0.0/16 servers and my partner could, but he could not connect to the internet and I could.

Maybe I have something amiss in the config that I have not seen.

Shane

Green

Re: Allow traffic to pass between 2 same security level interfaces

You've already got

access-list inside_Nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.199.1.0 255.255.255.0

but what you are missing is...

nat (inside) 0 access-list inside_Nat0_outbound

That should work the same as that static command mentioned before.

The only other thing I see which may be an issue is whether or not the MCI interface will be able to route back to 172.16.0.0 via 192.199.1.254. You may have to do something other than nat exemption if that is the case. Something like...

no global (MCI) 100 interface

global (MCI) 101 interface

Community Member

Re: Allow traffic to pass between 2 same security level interfaces

OK, I have entered the command that you just told me about, and so far I have not had any problems.

Looking at the access-list that you told me about, the next line has the same command but with the interfaces reversed. Do I need to have this command entered as well?

"nat (mci) 0 access-list mci_nat0_outbound"

Shane

Green

Re: Allow traffic to pass between 2 same security level interfaces

I believe when you use "nat 0" with an access-list it is bidirectional. So adding the second command would technically be a duplication.

Community Member

Re: Allow traffic to pass between 2 same security level interfaces

From a computer on the 172.16.0.0/16 subnet I get the same error as I was getting before I put in the command that started traffic from the 192.199.1.0/24 subnet.

Shane

Green

Re: Allow traffic to pass between 2 same security level interfaces

Let me see if I've got this right...

192.199.1.0 to 172.16.0.0 is working?

172.16.0.0 to 192.199.1.0 is not working?

Community Member

Re: Allow traffic to pass between 2 same security level interfaces

I did enter "nat (mci) 0 access-list mci_nat0_outbound" because they are running on different interfaces. It seems that all traffic is running as it should now.

Thank you so very much for your help.

Shane

Green

Re: Allow traffic to pass between 2 same security level interfaces

Good deal. I guess the nat 0 is bidirectional only when using an access-list AND security levels are different. Thanks for teaching me something. Thanks for the rating.
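The configuration the thread arrives at, written out as one added example (not a config posted by either participant): two same-security interfaces, NAT exemption on each ingress interface, and the show commands used to confirm that neither direction still hits "no translation group found". Interface names, access-list names and networks are the ones from the thread; the security-level value, the interface and host addresses, and the physical interface names are assumptions. The syntax is the pre-8.3 NAT syntax the thread uses.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax.
! Assumed: security-level 50, Ethernet0/1 and Ethernet0/2, the ASA's own
! interface addresses, and the host addresses used in the checks.

interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 172.16.0.1 255.255.0.0
!
interface Ethernet0/2
 nameif MCI
 security-level 50
 ip address 192.199.1.1 255.255.255.0
!
! Permit forwarding between interfaces that share a security level.
same-security-traffic permit inter-interface
!
! NAT exemption for connections entering on inside and leaving on MCI.
access-list inside_Nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.199.1.0 255.255.255.0
nat (inside) 0 access-list inside_Nat0_outbound
!
! Mirror entry for connections entering on MCI and leaving on inside.
! With equal security levels the thread found this second entry is needed;
! without it, hosts initiating from one side still get "no translation group".
access-list mci_nat0_outbound extended permit ip 192.199.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (MCI) 0 access-list mci_nat0_outbound
!
! Checks (run from enable mode):
! show running-config nat
! show running-config same-security-traffic
! packet-tracer input inside icmp 172.16.1.10 8 0 192.199.1.10
! packet-tracer input MCI icmp 192.199.1.10 8 0 172.16.1.10
! show logging | include 305005
```

Run the two packet-tracer commands once per direction: with only one of the `nat ... 0 access-list` lines present, the trace for the other direction reports the drop at its NAT phase, and the same failure shows up in syslog as ASA-3-305005 (No translation group found), which names the ingress and egress interfaces and the addresses involved, so it tells you which interface still lacks an exemption.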
