We have a ASA 5520 (redundant) in our network which we are using for different customers. For every new customer we create a new VLAN and place their servers in this VLAN. On the ASA we create a new subinterface for every customer which is connected to the corresponding VLAN.
Most customers get a private ip-range (e.g. 192.168.x.x/24) on which they should configure their servers. Because most customers don't need to be to access eachothers server all VLAN interfaces have the same security-level of 50. I haven't enable the "same-security-traffic permit inter-interface" option, so traffic between those interfaces is blocked, as expected.
Some customers (e.g. customer A) need public webmail of smtp access to there servers. So we use both NAT and PAT to make that happen.
So, recently we've got a customer (customer B) who placed their webservers behind our ASA. Because we didn't want to use NAT statements all the time, we dediced to configure a public /29 subnet on their VLAN. Because the website on this customer's servers need to be visible for everybody, we've lowered the security-level of this VLAN interface to 40 (instead of 50) and applied some ACL's. So other customers (e.g. customer A) are also able to reach the websites of customer B. So everything is just working fine.
Now, customer A decided that they want to run their website on their own servers as well. So, I created a static PAT for TCP 80. So the website is accessible from the outside world. But.....customer B is not able to reach customer A's website on the translated address. So, I've created a second PAT (using the same public address) but this time to customer B's interface. But still, we're not able to reach customer A's website.
I've also enabled the "same-security-traffic permit intra-interface", but still the website is unreachable to customer B.
Then the main idea is that with nat-control on , the traffic from a higher security-level ( 40 ) to a lower security-level (30) must be SNAT ed. In other words the Customer B source must be changed in order to access Customer A server.
Let's check if my assumptions are the ones that generate the problem.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :