not able to communicate from inside to inside interface

Please look at the attached network diagram for your information. I added the command:

"same-security-traffic permit intra-interface" on the Internet FW, and I also force the traffic from the internal firewall to 172.16.24.22 to pass through the Internet FW by adding a route in the internal FW:

"route DMZ 172.16.24.22 255.255.255.255 172.16.24.3"

but this time I got an error message like this:

%ASA-3-305006: portmap translation creation failed for tcp src inside:172.16.3.50/3925 dst inside:172.16.24.22/443

and I did configure NAT and PAT on the Internet FW; static NAT is used to translate 172.16.24.22 into a public IP, and PAT is used to allow 172.16.3.0 to be able to access the Internet:

global (outside) 1 2.x.x.41 netmask 255.255.255.224
global (outside) 2 2.x.x.42 netmask 255.255.255.224
nat (inside) 1 172.16.3.0 255.255.255.0
nat (inside) 2 172.16.2.0 255.255.255.0
static (inside,outside) 2.x.x.40 172.16.24.22 netmask 255.255.255.255

Does anyone have a solution for this?

1 ACCEPTED SOLUTION

Re: not able to communicate from inside to inside interface

Actually I think I misunderstood your network, it should be:

global (inside) 1 172.16.24.200

Assuming you already have the same-security-traffic permit intra-interface, as stated in your email.

Regards

Farrukh

3 REPLIES

Re: not able to communicate from inside to inside interface

Put a global statement like this to allow inside users to access the DMZ server.

global (dmz) 1 172.16.24.200

This is just an example. Or use nat-exemption to bypass NAT for this traffic flow (from the inside segment to the DMZ).

Once you enable dynamic NAT/PAT the whole 'no nat-control' thing blows away (for that zone).

Regards

Farrukh
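The accepted answer (a global for nat-id 1 on the inside interface) and the nat-exemption alternative from the reply above, as an added example that is not from the thread or from Cisco: a small Python model of the pre-8.3 ASA lookup order (nat 0 exemption, then nat/global id matching, then the no nat-control fallback), run over the poster's configuration. The 2.x.x.41/42 pools are the placeholders from the post; the destination 203.0.113.10 and the exemption access-list are assumed, and the poster's static for 172.16.24.22 is left out because it does not match the failing flow's source address.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class AsaNat:
    """Subset of pre-8.3 ASA NAT state: nat/global pairs, nat 0 exemption, nat-control."""
    nat: list = field(default_factory=list)      # (ingress_if, nat_id, real_network)
    pools: list = field(default_factory=list)    # (egress_if, nat_id, pool) from "global"
    exempt: list = field(default_factory=list)   # (ingress_if, real_net, dest_net) from "nat 0 access-list"
    nat_control: bool = False                    # "no nat-control" is the default on 7.x/8.x

    def lookup(self, ingress, egress, src, dst):
        """Return the translation the ASA would build for one new connection."""
        src, dst = ip_address(src), ip_address(dst)
        # 1. NAT exemption is checked first and bypasses translation entirely.
        for iface, real, dest in self.exempt:
            if iface == ingress and src in real and dst in dest:
                return "exempt"
        # 2. A matching "nat (ingress) id" rule needs a "global (egress) id" with the
        #    same id on the egress interface; without one the xlate cannot be built,
        #    which is what %ASA-3-305006 "portmap translation creation failed" reports.
        for iface, nat_id, real in self.nat:
            if iface == ingress and src in real:
                for g_if, g_id, pool in self.pools:
                    if g_if == egress and g_id == nat_id:
                        return f"pat {pool}"
                return "fail 305006"
        # 3. No nat rule matched: passes untranslated only while nat-control is off.
        return "fail nat-control" if self.nat_control else "untranslated"

def thread_config(fix=None):
    """The Internet FW from the post, optionally with one of the two proposed fixes."""
    cfg = AsaNat()
    cfg.nat += [("inside", 1, ip_network("172.16.3.0/24")),
                ("inside", 2, ip_network("172.16.2.0/24"))]
    cfg.pools += [("outside", 1, "2.x.x.41"), ("outside", 2, "2.x.x.42")]  # placeholders from the post
    if fix == "global":    # accepted answer: global (inside) 1 172.16.24.200
        cfg.pools.append(("inside", 1, "172.16.24.200"))
    elif fix == "exempt":  # first reply's alternative: nat (inside) 0 access-list <acl> (assumed ACL)
        cfg.exempt.append(("inside", ip_network("172.16.3.0/24"), ip_network("172.16.24.22/32")))
    return cfg

def hairpin(fix=None):
    """The failing flow from the syslog: inside 172.16.3.50 -> inside 172.16.24.22."""
    return thread_config(fix).lookup("inside", "inside", "172.16.3.50", "172.16.24.22")

def to_internet(fix=None):
    """Internet-bound flow, already served by the outside global (203.0.113.10 is a constructed dst)."""
    return thread_config(fix).lookup("inside", "outside", "172.16.3.50", "203.0.113.10")
```

Calling hairpin() with no fix reproduces the 305006 failure, while hairpin("global") and hairpin("exempt") both succeed and to_internet() keeps using the outside pool in every case.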
