Cisco Support Community

New Member

no communication between same security interfaces

I cannot open shared network drive and ping between two interfaces with same security level.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 nameif inside_wlan
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
same-security-traffic permit inter-interface
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit tcp object-group network_group_inside any object-group service_group_inside2otside_tcp
access-list inside_access_in extended permit udp object-group network_group_inside any object-group service_group_inside2outside_udp
access-list inside_access_in extended permit icmp any any
access-list inside_wlan_access_in extended permit tcp object-group network_group_inside_wlan any object-group service_group_inside_wlan2otside_tcp
access-list inside_wlan_access_in extended permit udp object-group network_group_inside_wlan any object-group service_group_inside_wlan2outside_udp
access-list inside_wlan_access_in extended permit icmp any any
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside_wlan) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp interface 4662 home 4662 netmask 255.255.255.255
static (inside,outside) udp interface 4672 home 4672 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group inside_wlan_access_in in interface inside_wlan

Accepted Solution
Cisco Employee

Re: no communication between same security interfaces

I believe you need the following:

static (inside,inside_wlan) 192.168.1.0 192.168.1.0 net 255.255.255.0

Pls. enable logging:

logging on
logging buffered 7
sh logg | i 192.168.1.x

when you ping the 10.10.10.x host from a 192.168.1.x host.

Here is the link for same security intra/inter:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wpxref77088


New Member

Re: no communication between same security interfaces

Thank you for help.

After that I did

static (inside,inside_wlan) 192.168.1.0 192.168.1.0 net 255.255.255.0

I got this log from ASA 5505:

Oct 11 2009 22:58:37 ciscoasa : %ASA-6-302020: Built inbound ICMP connection for faddr home/0 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

Oct 11 2009 22:58:37 ciscoasa : %ASA-6-302021: Teardown ICMP connection for faddr home/0 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

And from Kiwi log viewer:

ciscoasa : %ASA-3-305005: No translation group found for icmp src inside:home dst inside_wlan:lp-mekael (type 8, code 0)

New Member

Re: no communication between same security interfaces

I added one more line and it began to work.

Can you give me a short explanation of why it works?

static (inside,inside_wlan) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (inside_wlan,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Cisco Employee

Re: no communication between same security interfaces

The static line is required because you have nat/global configured for those 192 and 10 networks.

Once you provide a nat/global, any other flow between any other interfaces will also require translation, meaning "no nat-control" will not have any effect and the box will behave as if nat-control were on. We just provided the identity translation that it needs.

That is all.

If you did not have the nat/global for both of these networks, the "no nat-control" in the configuration would have kicked in and there would not have been a need to add the identity statics to get this to work.

I hope this is clear. If not pls. let us know.
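The lookup order described in this explanation, as an added example that is not from the thread or from Cisco: a simplified model of the pre-8.3 ASA NAT decision for a new flow, fed with the nat/global/static lines from the original post. Interface names, networks and the two identity statics are those from the thread; the rule structure and the "305005" outcome strings are this example's own simplification.

```python
import ipaddress

# Constructed from the original post: "nat" as (real_if, nat_id, real_net),
# "global" as (mapped_if, nat_id), "static" as (real_if, mapped_if, mapped_net, real_net).
THREAD_CFG = {
    "nat_control": True,
    "nat": [("inside", 1, "192.168.1.0/24"), ("inside_wlan", 1, "10.10.10.0/24")],
    "global": [("outside", 1)],
    "static": [],
}
# The two identity statics the poster ended up adding.
IDENTITY_STATICS = [
    ("inside", "inside_wlan", "192.168.1.0/24", "192.168.1.0/24"),
    ("inside_wlan", "inside", "10.10.10.0/24", "10.10.10.0/24"),
]

def _map(ip, real_net, mapped_net):
    """Network static: keep the host offset, swap the network prefix."""
    real, mapped = ipaddress.ip_network(real_net), ipaddress.ip_network(mapped_net)
    offset = int(ipaddress.ip_address(ip)) - int(real.network_address)
    return str(mapped.network_address + offset)

def lookup_xlate(cfg, src_if, src_ip, dst_if):
    """Decide how a new flow from src_if to dst_if is handled (simplified pre-8.3 order)."""
    ip = ipaddress.ip_address(src_ip)
    # 1. static entries (identity statics included) are matched first
    for real_if, mapped_if, mapped_net, real_net in cfg["static"]:
        if (real_if, mapped_if) == (src_if, dst_if) and ip in ipaddress.ip_network(real_net):
            return ("static", _map(src_ip, real_net, mapped_net))
    # 2. a matching "nat" needs a "global" with the same id on the egress interface;
    #    without one the flow is dropped, which is the %ASA-3-305005 case in the thread,
    #    and nat-control has no say in it
    for real_if, nat_id, real_net in cfg["nat"]:
        if real_if == src_if and ip in ipaddress.ip_network(real_net):
            if (dst_if, nat_id) in cfg["global"]:
                return ("dynamic", f"{dst_if} interface, id {nat_id}")
            return ("drop", "305005 No translation group found")
    # 3. nothing matched: only now does nat-control decide whether untranslated traffic passes
    if cfg["nat_control"]:
        return ("drop", "305005 No translation group found")
    return ("untranslated", src_ip)

def with_identity_statics(cfg, statics=IDENTITY_STATICS):
    """Return a copy of cfg with the identity statics appended."""
    return {**cfg, "static": cfg["static"] + list(statics)}
```

Running the model with only the first identity static shows why the poster needed the second one: a flow initiated from inside_wlan still matches nat (inside_wlan) 1 with no global on inside.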

New Member

Re: no communication between same security interfaces

Thank you for your help !!!
