I configured another interface on the ASA; must the new interface have a security level lower than the inside?
How can I enable the new interface to communicate with the inside?
I am in the same situation. I need to get a security level 100 to communicate with a 75 on different interfaces.
Mine keeps erroring on the NAT rule, stating that there isn't any pool.
Can someone shed some light on the suggested approach for configuration so I can verify that I have the correct configuration?
1.) I know the NAT rule needs to be on the higher security.
2.) I know you need a permit ACL on the lower interface to permit access inbound.
It can have the same security level if you want. Depending on its purpose, I generally give any other interfaces a lower security level, say 50.
What I then do is make a NAT exempt from the inside to the new interface (this is bi-directional).
Once the NAT is working OK, I then write an ACL for any traffic that originates from the new interface to the inside.
Do you put that exempt rule on the higher security interface, or make a separate one for each lower interface?
Generally what I do is:
1) Create an inside to new interface ip access-list.
2) Attach the ACL to the nat (inside) 0 config.
3) Create a new interface to inside ip access-list.
4) attach the acl to the nat <
Then let the traffic flow in both directions. When you have no hits on the ACL from the new interface to the inside, you know your inside NAT exempt rule is bi-directional (sometimes it does not work straight away).
Sometimes I leave them in there, especially when I need to make the new interface part of a VPN; then the exempt ACL just gets expanded.
Is the following configuration correct, or am I missing some parameter?
ip address 192.168.1.254 255.255.255.0
ip address 172.16.13.1 255.255.255.0
access-list ACL_IN2 extended permit ip 172.16.13.0 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,inside2) 172.16.13.0 172.16.13.0 netmask 255.255.255.0
static (inside,inside2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group ACL_IN in interface inside
access-group ACL_IN2 in interface inside2
That would be one way of doing it. I would:
access-list no-nat1 permit ip 172.16.13.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside1) 0 access-list no-nat1
access-list no-nat2 permit ip 192.168.1.0 255.255.255.0 172.16.13.0 255.255.255.0
nat (inside2) 0 access-list no-nat2
The above allows you to expand the nat-exemption the more interfaces you have.
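Putting the pieces of this thread together, here is a complete pre-8.3 ASA configuration (the "nat 0 access-list" syntax used above) as an added example, not a config posted by anyone in the thread. Interface names, security levels and subnets are taken from the posts; the Ethernet numbers and the services permitted in ACL_IN2 are assumptions.

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax.
! Ethernet numbers are placeholders; nameif, security levels and subnets come from the posts above.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
 nameif inside2
 security-level 75
 ip address 172.16.13.1 255.255.255.0
!
! Identity NAT (nat 0) exemptions, one ACL per interface so further interfaces
! can be added later without rewriting a single shared ACL.
access-list no-nat-inside extended permit ip 192.168.1.0 255.255.255.0 172.16.13.0 255.255.255.0
nat (inside) 0 access-list no-nat-inside
!
access-list no-nat-inside2 extended permit ip 172.16.13.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside2) 0 access-list no-nat-inside2
!
! inside (100) -> inside2 (75) is allowed by default (higher to lower).
! inside2 -> inside is dropped until an ACL is applied inbound on inside2.
! Permit only what the lower-security segment actually needs (assumed here:
! HTTPS and ping), rather than "permit ip any any".
access-list ACL_IN2 extended permit tcp 172.16.13.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list ACL_IN2 extended permit icmp 172.16.13.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-group ACL_IN2 in interface inside2
!
! Only needed if both interfaces are given the same security level:
! same-security-traffic permit inter-interface
!
! Verification (from enable mode):
! show access-list ACL_IN2      - hit counts show whether inside2 -> inside traffic is matching
! packet-tracer input inside2 tcp 172.16.13.10 12345 192.168.1.10 443
!                               - walks the flow through NAT exemption and the ACL and reports the drop phase, if any
```

The packet-tracer line tests a single assumed host pair; substitute real addresses from each segment when checking your own box.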
Yup, got it working after your previous post, Andrew, and the ACL is still functional as I need it to be. It's looking like it's a cross between what you're both talking about.
Awesome, thanks gang.