ASA 5510 Not able to route traffic between 2 LAN interfaces
I need help to enable traffic between two physical ports on my Cisco ASA 5510. I created access rules and NAT, but traffic does not go from the Accounting interface to Inside. I am able to access the internet from both interfaces. Can someone point me in the right direction, since I am not an expert in Cisco but have to finish this by the end of the week?
Here is my configuration:
ASA Version 8.2(2)
!
hostname Cisco
domain-name xxx.com
names
!
interface Ethernet0/0
 description Outside
 nameif Outside
 security-level 0
 ip address 22.214.171.124 255.255.240.0
!
interface Ethernet0/1
 description Inside Network
 nameif Inside
 security-level 90
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 description Accounting
 nameif Accounting
 security-level 100
 ip address 126.96.36.199 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 188.8.131.52
 domain-name xxx.com
same-security-traffic permit inter-interface
object-group service Port-10000 tcp
 port-object eq 10000
object-group service Port-8080 tcp
 port-object eq 8080
object-group service Port-8011 tcp
 port-object eq 8011
object-group service DM_INLINE_TCP_1 tcp
 group-object Port-8080
 port-object eq www
 group-object Port-8011
object-group service DM_INLINE_TCP_2 tcp
 group-object Port-10000
 port-object eq https
 port-object eq www
object-group service rdp tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_3 tcp
 group-object rdp
 port-object eq ftp
object-group service DM_INLINE_TCP_4 tcp
 group-object Port-10000
 port-object eq www
 port-object eq https
 port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
 group-object Port-8011
 group-object Port-8080
 port-object eq www
object-group service DM_INLINE_TCP_6 tcp
 group-object Port-10000
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_7 tcp
 group-object rdp
 port-object eq ftp
access-list Outside_access_in extended permit tcp any host 184.108.40.206 object-group DM_INLINE_TCP_5
access-list Outside_access_in extended permit tcp any host 220.127.116.11 object-group DM_INLINE_TCP_6
access-list Outside_access_in extended permit tcp any host 18.104.22.168 object-group DM_INLINE_TCP_7
access-list Outside_access_in extended permit tcp any host 22.214.171.124 eq smtp
access-list Outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list CiscoIPsec_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
On an ASA, higher security level interfaces are always allowed, by default, to lower security levels, but not the other way around. So, if you want to keep this config, you would need an acl on the Inside interface to allow traffic to go from level 90 to 100:
access-list Inside permit ip any any
access-group Inside in interface Inside
The acl will permit the traffic into either interface (outside or Accounting). As long as you have your other rules set up correctly, this should resolve your issue...
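As an added illustration (not part of the original question or answer), here is a small Python model of the ASA default inter-interface policy the answer describes: traffic from a higher security level to a lower one is permitted implicitly, equal levels are permitted only when same-security-traffic permit inter-interface is configured, lower to higher needs an inbound ACL on the lower interface, and once an ACL is applied inbound on an interface that ACL, with its implicit deny at the end, decides everything entering it. The config it parses is a constructed sample modelled on the posted one; the access-group line for Outside_access_in is an assumption, because the posted excerpt defines that ACL but is cut off before showing where it is applied.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the interface section of the ASA 8.2(2)
# configuration in the question. The access-group line is an assumption:
# the posted excerpt never shows where Outside_access_in is applied.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 22.214.171.124 255.255.240.0
interface Ethernet0/1
 nameif Inside
 security-level 90
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
 nameif Accounting
 security-level 100
 ip address 126.96.36.199 255.255.255.0
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
same-security-traffic permit inter-interface
access-list Outside_access_in extended permit tcp any host 22.214.171.124 eq smtp
access-group Outside_access_in in interface Outside
"""


@dataclass
class AsaModel:
    levels: dict = field(default_factory=dict)       # nameif -> security-level
    networks: dict = field(default_factory=dict)     # nameif -> connected subnet
    inbound_acl: dict = field(default_factory=dict)  # nameif -> ACL applied "in"
    same_security_inter: bool = False


def parse_asa_config(text):
    """Extract only what the default inter-interface policy depends on."""
    model = AsaModel()
    current = None  # nameif of the interface block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "no nameif":
            current = None  # new block starts, or the interface is unnamed
        elif m := re.fullmatch(r"nameif (\S+)", line):
            current = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and current:
            model.levels[current] = int(m.group(1))
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and current:
            model.networks[current] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.fullmatch(r"access-group (\S+) in interface (\S+)", line):
            model.inbound_acl[m.group(2)] = m.group(1)
        elif line == "same-security-traffic permit inter-interface":
            model.same_security_inter = True
    return model


def classify(model, src, dst):
    """Verdict for traffic entering on `src` and leaving on `dst`.

    An inbound ACL on `src` overrides the security-level shortcut: that
    ACL (with its implicit deny at the end) decides. Otherwise levels decide.
    """
    if src == dst:
        raise ValueError("source and destination interface must differ")
    if src in model.inbound_acl:
        return f"acl:{model.inbound_acl[src]}"
    s, d = model.levels[src], model.levels[dst]
    if s > d:
        return "implicit-permit"
    if s == d:
        return ("implicit-permit-same-security" if model.same_security_inter
                else "implicit-deny-same-security")
    return "implicit-deny-needs-acl"


def suggest_acl(model, src, dst):
    """Narrow inbound ACL on `src` letting only src's subnet reach dst's subnet."""
    s_net, d_net = model.networks[src], model.networks[dst]
    name = f"{src}_access_in"  # naming convention assumed, not from the page
    return [
        f"access-list {name} extended permit ip {s_net.network_address} "
        f"{s_net.netmask} {d_net.network_address} {d_net.netmask}",
        f"access-group {name} in interface {src}",
    ]


def report(model):
    """Every ordered interface pair with its verdict, for review."""
    names = sorted(model.levels)
    return [(a, b, classify(model, a, b)) for a in names for b in names if a != b]


if __name__ == "__main__":
    for src, dst, verdict in report(parse_asa_config(SAMPLE_CONFIG)):
        print(f"{src:>11} -> {dst:<11} {verdict}")
```

The model covers only the access policy, not NAT; whether a translation is also required for Accounting-to-Inside traffic depends on the nat-control setting, which the posted excerpt does not show. The suggested ACL is scoped to the two connected subnets rather than the permit ip any any in the answer, so that applying an ACL to Inside does not widen what that interface may reach.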