Cisco Support Community

New Member

ASA 5520 & same security level

Hello,

Have ASA 5520.

Giga0/0 nameif outside, sec 0 - to internet

Giga0/1 nameif inside, sec 100 - to lan

Giga 0/2 nameif wan, sec 100 - to branch offices router.

I've applied command same-security-traffic permit inter-interface, but no result. Can't access from one to another interface with the same security level.

At ASDM log appears next message: No route from lan_ip_addr to wan_ip_addr.

Could you help me to resolve this problem?

3 REPLIES

Re: ASA 5520 & same security level

After you add "same-security-traffic permit inter-interface", the next thing to do is to permit inside and wan to talk to each other. Example:

inside - 10.1.1.0/24

wan - 10.1.2.0/24

static (inside,wan) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

static (wan,inside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008045247c.html#wp1009571

HTH

AK

New Member

Re: ASA 5520 & same security level

Hi, thanks.. it works.. one more question

Beside wan interface I have router with one int to ASA (10.1.2.x) and another to office (11.1.1.x).

From this router can ping local lan (10.1.1.0).

But when I ping with source int. 11.1.1.x - I can't ping lan. And at ASA logs appears: no route found from 11.1.1.x to 10.1.1.x

Re: ASA 5520 & same security level

In other words (correct me if I am wrong), the router has 2 FastE interfaces: one connected to the ASA and carrying a 10.1.2.x IP, while the other FastE interface is assigned an 11.1.1.x IP and connected to another 11.1.1.0 segment.

You can't ping it because your ASA does not recognise and cannot reach (route to) 11.1.1.x.

On ASA:

a. Add static route to the router:

route wan 11.1.1.0 255.255.255.0 10.1.2.x

b. Permit icmp to wan interface from 11.1.1.x

icmp permit host 11.1.1.x any wan -or-

icmp permit 11.1.1.0 255.255.255.0 any wan

Optional:

On your router, if all access needs to point back to ASA, then create default route to ASA (or add specific route):

ip route 0.0.0.0 0.0.0.0 10.1.2.y --> ASA wan interface IP

HTH. Pls rate all helpful posts.

AK
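Both "no route" symptoms in this thread come down to two checks: same-security interfaces need `same-security-traffic permit inter-interface`, and a `route` next hop must sit on the subnet of the interface it names. The following is an added example, not part of the original posts; it audits a constructed config whose interface host addresses (10.1.1.1, 10.1.2.1) and gateways are assumptions.

```python
import ipaddress

# Constructed sample in ASA 7.x/8.x syntax; host addresses are assumptions.
SAMPLE = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif wan
 security-level 100
 ip address 10.1.2.1 255.255.255.0
route wan 11.1.1.0 255.255.255.0 10.1.1.2
route wan 11.1.2.0 255.255.255.0 10.1.2.2
"""

def audit(config):
    """Return findings for same-security pairs and unreachable next hops."""
    nets, levels, routes, name, inter_ok = {}, {}, [], None, False
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":
            name = None                      # a new interface block starts
        elif w[0] == "nameif":
            name = w[1]
        elif w[0] == "security-level" and name:
            levels[name] = int(w[1])
        elif w[:2] == ["ip", "address"] and name and len(w) >= 4:
            nets[name] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[0] == "route" and len(w) >= 5:
            routes.append((w[1], w[2], w[3], w[4]))
        elif w[:3] == ["same-security-traffic", "permit", "inter-interface"]:
            inter_ok = True
    findings, names = [], sorted(levels)
    for i, a in enumerate(names):            # every pair of named interfaces
        for b in names[i + 1:]:
            if levels[a] == levels[b] and not inter_ok:
                findings.append(f"{a}/{b}: same security level {levels[a]}, "
                                "inter-interface traffic not permitted")
    for ifname, dest, mask, gw in routes:    # next hop must be directly connected
        net = nets.get(ifname)
        if net is None or ipaddress.ip_address(gw) not in net:
            findings.append(f"route {dest} {mask} via {gw}: "
                            f"next hop is not on the {ifname} subnet ({net})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```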
