06-05-2008 10:24 AM - edited 03-11-2019 05:55 AM
Guys, need help to allow traffic between two interfaces that have the same security level. I have already enabled the "same-security-traffic permit inter-interface" command but still I can't ping my switch or server on the other VLAN...
What else do I need to do to accomplish this task? ACLs are on defaults as of now...
06-06-2008 04:52 AM
I have tried your three suggested solutions but to no avail. I have also tried the packet-tracer but had this error:
ASA# packet-tracer input inside icmp 172.19.20.19 8 0 172.19.21.21 detailed
packet-tracer input inside icmp 172.19.20.19 8 0 172.19.21.21 detailed
^
ERROR: % Invalid input detected at '^' marker.
I got this log for the ASA below:
3|Jun 06 2008 02:34:40|305005: No translation group found for icmp src inside:172.19.20.19 dst insidevoice:172.19.21.21 (type 8, code 0)
Please help...
appreciate all your help Farrukh :)
06-06-2008 05:15 AM
Hi Brian
Run "clear xlate" after applying NAT statements.
Please post your full sanitized config and let us see.
Regards
06-06-2008 05:17 AM
Hrm, are you running ASA 7.2.x or higher? packet-tracer is only supported on 7.2(1) and later?
Regards
Farrukh
06-06-2008 05:53 AM
The OP is running 7.0(7).
He needs to post a sanitized config at this point so we can see everything that's going on.
06-06-2008 05:54 AM
ASA# sh run
: Saved
:
ASA Version 7.0(7)
!
hostname ASA
domain-name abc.com
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 123.123.123.2 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.19.20.40 255.255.255.0
!
interface Ethernet0/2
nameif insidevoice
security-level 100
ip address 172.19.21.40 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list outside_access_in extended permit icmp any any
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.25.0.0 255.255.0.0
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 192.0.0.0 255.255.255.0
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.19.21.0 255.255.255.0
access-list to1 extended permit ip 172.19.20.0 255.255.255.0 172.25.0.0 255.255.0.0
access-list to2 extended permit ip 172.19.20.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list to3 extended permit ip 172.19.20.0 255.255.255.0 192.0.0.0 255.255.255.0
access-list to4 extended permit ip 172.19.20.0 255.255.255.0 172.19.200.0 255.255.255.0
access-list to5 extended permit ip 172.19.200.0 255.255.255.0 172.19.20.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu insidevoice 1500
ip local pool vpnip 172.19.200.10-172.19.200.250
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (insidevoice) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server VPNAuth protocol radius
aaa-server VPNAuth host 172.19.20.250
key xxxxx
group-policy ABC internal
group-policy ABC attributes
dns-server value 172.19.20.250
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ST
default-domain value ABC.local
webvpn
http server enable
http 0.0.0.0 0.0.0.0 outside
http 172.19.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.19.20.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect tftp
!
service-policy global_policy global
: end
ASA#
06-06-2008 06:02 AM
Put a nat 0 statement on insidevoice using an ACL, which will match traffic going from insidevoice to inside.
And if you want to ping, either create ACLs to allow echo/echo reply, or add ICMP inspection.
06-06-2008 06:09 AM
Can you post the sample config to be added, so that I could try it out? Thank you very much.
06-06-2008 06:12 AM
access-list nat0_acl permit 172.19.21.0 255.255.255.0 172.19.20.0 255.255.255.0
nat (insidevoice) 0 access-list nat0_acl
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
06-06-2008 06:35 AM
Got this error again:
ASA(config)# access-list nat0_acl permit 172.19.21.0 255.255.255.0 172.19.$
access-list nat0_acl permit 172.19.21.0 255.255.255.0 172.19.20.0 255.255.255.0
^
ERROR: % Invalid input detected at '^' marker.
Sorry for being such a pain in the @$%#$^% :) thanks man
06-06-2008 06:36 AM
You need to use "permit ip" :)
Regards
Farrukh
06-06-2008 06:43 AM
Woops..
I was just testing him.. yeah, that's it. It was a test.
06-06-2008 06:57 AM
I don't care if it was a test or not... the thing is that it's working hehehe
06-06-2008 06:55 AM
it is now working! THANK YOU VERY MUCH GUYS!
06-06-2008 07:10 AM
Here is what I think :)
If you have an exempt NAT statement applied to interface inside that contains source as inside and destination as dmz, this affects traffic originated from both inside and dmz. I mean, once you apply correct exempt NAT to inside, that will take care of both inside->dmz and dmz->inside. You don't need one applied to dmz.
Then how did it resolve the issue? Here are my theories.
1) Brian was testing the connectivity with ping, which is not a good way when it is a firewall device that sees ICMP as a possible DoS attack and denies it by default. And Brian's outside_access_in ACL which permits ICMP was not applied to the outside interface with the access-group command. ICMP inspection did the trick. But this theory cannot explain the translation error logs.
2) Brian was hitting CSCsd90140 or another one which prevented inside exempt NAT from operating correctly. An exempt NAT applied to the dmz interface, which is actually not necessary under normal circumstances, did operate normally and did what inside exempt NAT couldn't.
Any thoughts?
But glad that issue is resolved.
06-06-2008 07:15 AM
I posted this earlier:
By default, you do not need to do NAT between same-security level interfaces, even if nat-control is enabled.
however, you do need to configure nat rules if you define dynamic NAT for either of the same-security level interfaces.
That problem was the nat (insidevoice) 1 statement... which was needed. Because of that, you need nat 0 statements on both interfaces. And yes, ICMP is not good for testing, unless you've allowed it through the firewall.
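To make the rule in the last post concrete, here is an added example (not from the thread or from Cisco) that models the classic ASA 7.x NAT lookup in a few lines of Python: nat 0 exemptions on the ingress interface win first, a matching dynamic nat statement then requires a global on the egress interface, and only the relevant lines of Brian's posted config are reproduced. The model is a simplification and an assumption of mine; it shows why the insidevoice->inside direction needs its own nat 0 once nat (insidevoice) 1 exists.

```python
import ipaddress

# Simplified model of ASA 7.x classic NAT order of operations (assumption, not Cisco code).
# Network values below are the ones from the sanitized config posted in this thread.
NET = ipaddress.ip_network

def translation_group(cfg, ingress, egress, src, dst):
    """Return 'exempt', 'dynamic', 'untranslated', or None when the ASA would log
    305005 'No translation group found' for a flow entering on `ingress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = cfg["nat"].get(ingress, {})
    # 1. nat (ingress) 0 access-list <acl>: exempt NAT is evaluated first
    for s_net, d_net in rules.get("nat0", []):
        if src in s_net and dst in d_net:
            return "exempt"
    # 2. nat (ingress) <id> <net>: a matching dynamic rule needs global (egress) <id>;
    #    a match with no global on the egress interface is the failure case
    for nat_id, s_net in rules.get("dynamic", []):
        if src in s_net:
            return "dynamic" if (egress, nat_id) in cfg["global"] else None
    # 3. nothing matches: nat-control is off by default on 7.x, so traffic passes
    return "untranslated"

def posted_config():
    lan, voice = NET("172.19.20.0/24"), NET("172.19.21.0/24")
    return {
        "global": {("outside", 1)},                           # global (outside) 1 interface
        "nat": {
            "inside": {"nat0": [(lan, voice)],                # nonat line: 172.19.20.0 -> 172.19.21.0
                       "dynamic": [(1, NET("0.0.0.0/0"))]},   # nat (inside) 1 0.0.0.0 0.0.0.0
            "insidevoice": {"dynamic": [(1, NET("0.0.0.0/0"))]},  # nat (insidevoice) 1 0.0.0.0 0.0.0.0
        },
    }

def fixed_config():
    """Posted config plus the suggested nat (insidevoice) 0 access-list nat0_acl."""
    cfg = posted_config()
    cfg["nat"]["insidevoice"]["nat0"] = [(NET("172.19.21.0/24"), NET("172.19.20.0/24"))]
    return cfg

if __name__ == "__main__":
    for name, cfg in (("posted", posted_config()), ("fixed", fixed_config())):
        fwd = translation_group(cfg, "inside", "insidevoice", "172.19.20.19", "172.19.21.21")
        rev = translation_group(cfg, "insidevoice", "inside", "172.19.21.21", "172.19.20.19")
        print(f"{name}: inside->insidevoice={fwd}, insidevoice->inside={rev}")
```

With the posted config the reverse direction returns None (the 305005 case) because nat (insidevoice) 1 matches every source and there is no global (inside) 1; adding the nat 0 on insidevoice turns it into an exemption.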