New Member

Cisco ASA same security traffic

I can't get the AirDMZ network to talk to the inside network. What am I missing here?

interface GigabitEthernet0/0
speed 100
nameif Outside
security-level 0
ip address 12.157.178.130 255.255.255.128
ospf cost 10
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.9 255.255.240.0
ospf cost 10
!
interface GigabitEthernet0/2
nameif AirDMZ
security-level 100
ip address 192.168.3.9 255.255.255.0
ospf cost 10

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outbound_AirDMZ extended permit ip any any
access-list inside extended permit icmp any any
access-list inbound_AirDMZ extended deny tcp any any eq 445
access-list inbound_AirDMZ extended permit ip any any
global (Outside) 1 interface
global (AirDMZ) 1 interface
nat (Outside) 0 access-list natout
nat (Outside) 1 access-list outsidenat
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (AirDMZ) 1 192.168.3.0 255.255.255.0

static (inside,AirDMZ) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-group outside_acl in interface Outside
access-group inside_acl in interface inside
access-group inbound_AirDMZ in interface AirDMZ
access-group outbound_AirDMZ out interface AirDMZ

3 REPLIES
Cisco Employee

Re: Cisco ASA same security traffic

The following static statement is incorrect:

static (inside,AirDMZ) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

It should be changed to:

static (inside,AirDMZ) 10.1.1.0 10.1.1.0 netmask 255.255.240.0

"clear xlate" after the above changes, and AirDMZ should be able to communicate with the inside network.

Hope that helps.

New Member

Re: Cisco ASA same security traffic

It didn't help.

I did a packet trace; it stops here:

NAT

match ip AirDMZ 192.168.3.0 255.255.255.0 inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 1858, untranslate_hits = 0

RESULT - The packet is dropped.

Cisco Employee

Re: Cisco ASA same security traffic

Try the following:

1) Remove "nat (AirDMZ) 1 192.168.3.0 255.255.255.0"

2) clear xlate

3) Test the connection from AirDMZ towards inside

4) Re-add "nat (AirDMZ) 1 192.168.3.0 255.255.255.0" for the AirDMZ network to browse the Internet

What version of ASA are you running? Might be a bug if it's matching the dynamic NAT instead of the static, as static NAT should take precedence over dynamic NAT.

Also, please share the latest of the following output if it still doesn't work:

sh run nat

sh run global

sh run static

and all ACLs that are assigned to the above show outputs. Thanks.
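The reasoning in the two Cisco Employee replies (the static identity rule must cover the inside subnet, static NAT is looked up before dynamic NAT, and a dynamic rule whose pool has no global on the egress interface drops the packet) can be reproduced with a small model. The following is an added example, not code from the thread or from Cisco: it models the pre-8.3 ASA NAT lookup order (exemption, then static, then dynamic) as a rule table, re-creates the original poster's rules, and returns the same verdict text the quoted packet-tracer NAT phase shows. The route table, the helper names (Asa, Rule, build_asa, nat_phase) and the 198.51.100.1 Internet destination are constructed assumptions for the example.

```python
"""
Added example (not from the thread): a toy model of how a pre-8.3 ASA picks a
NAT rule for a new connection, used to reproduce the quoted packet-tracer
result "dynamic translation to pool 1 (No matching global)" and to show what
each of the two suggested fixes changes.

Assumptions (constructed for this example): a three-entry route table, and the
classic lookup order on pre-8.3 code: NAT exemption (nat 0 access-list), then
static, then dynamic (nat/global) rules. nat-control is treated as off, which
is the ASA default, so "no rule matched" means "forward untranslated".
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    kind: str                      # "exempt", "static" or "dynamic"
    real_if: str                   # interface the real (pre-translation) hosts live on
    real_net: ipaddress.IPv4Network
    mapped_if: Optional[str] = None   # static: interface the mapped address is seen on
    nat_id: Optional[int] = None      # dynamic: pool id that must match a global on egress

@dataclass
class Asa:
    routes: Dict[str, str]                          # network -> egress interface (constructed)
    rules: List[Rule] = field(default_factory=list)
    globals_: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (egress if, id) -> pool

    def egress(self, dst: str) -> str:
        """Longest-prefix match over the constructed route table."""
        dst_ip = ipaddress.ip_address(dst)
        best = None
        for net, intf in self.routes.items():
            n = ipaddress.ip_network(net)
            if dst_ip in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, intf)
        return best[1]

    def nat_phase(self, src_if: str, src: str, dst: str) -> Tuple[str, str]:
        """Return (verdict, detail) in the spirit of packet-tracer's NAT phase."""
        src_ip = ipaddress.ip_address(src)
        out_if = self.egress(dst)
        # Lookup order on pre-8.3 code: exemption first, then static, then dynamic.
        for kind in ("exempt", "static", "dynamic"):
            for r in self.rules:
                if r.kind != kind or r.real_if != src_if or src_ip not in r.real_net:
                    continue
                if kind == "static" and r.mapped_if != out_if:
                    continue
                if kind == "dynamic":
                    pool = self.globals_.get((out_if, r.nat_id))
                    if pool is None:
                        # This is the drop the original poster's packet trace shows.
                        return ("DROP", f"dynamic translation to pool {r.nat_id} (No matching global)")
                    return ("ALLOW", f"dynamic translation to pool {r.nat_id} ({pool})")
                return ("ALLOW", f"{kind} translation, {r.real_net} unchanged")
        return ("ALLOW", "no NAT rule matched; packet forwarded untranslated")

def build_asa(static_real_net: str, keep_airdmz_dynamic: bool = True) -> Asa:
    """Constructed model of the thread's config. static_real_net selects the
    original (192.168.3.0/24) or corrected (10.1.1.0/20) identity static;
    keep_airdmz_dynamic=False models step 1 of the second reply."""
    asa = Asa(routes={"10.1.0.0/20": "inside", "192.168.3.0/24": "AirDMZ", "0.0.0.0/0": "Outside"})
    asa.rules.append(Rule("static", "inside",
                          ipaddress.ip_network(static_real_net, strict=False), mapped_if="AirDMZ"))
    asa.rules.append(Rule("dynamic", "inside", ipaddress.ip_network("0.0.0.0/0"), nat_id=1))
    if keep_airdmz_dynamic:
        asa.rules.append(Rule("dynamic", "AirDMZ", ipaddress.ip_network("192.168.3.0/24"), nat_id=1))
    # global (Outside) 1 interface / global (AirDMZ) 1 interface; note: no global on inside.
    asa.globals_ = {("Outside", 1): "interface PAT", ("AirDMZ", 1): "interface PAT"}
    return asa

if __name__ == "__main__":
    original = build_asa("192.168.3.0/24")
    fixed = build_asa("10.1.1.0/20", keep_airdmz_dynamic=False)
    print("AirDMZ -> inside, original :", original.nat_phase("AirDMZ", "192.168.3.10", "10.1.1.50"))
    print("AirDMZ -> inside, fixed    :", fixed.nat_phase("AirDMZ", "192.168.3.10", "10.1.1.50"))
    print("inside -> AirDMZ, original :", original.nat_phase("inside", "10.1.1.20", "192.168.3.10"))
    print("inside -> AirDMZ, fixed    :", fixed.nat_phase("inside", "10.1.1.20", "192.168.3.10"))
    print("AirDMZ -> Internet, original:", original.nat_phase("AirDMZ", "192.168.3.10", "198.51.100.1"))
```

Running it shows the two separate problems the replies address: with the original static, inside hosts heading to AirDMZ fall through to nat (inside) 1 and get PATed behind the AirDMZ interface address, while AirDMZ hosts heading inside hit nat (AirDMZ) 1 with no global on inside and are dropped. Correcting the static fixes the first direction, and removing (or exempting) the AirDMZ dynamic rule fixes the second, which is why the second reply suggests re-adding it only after confirming the inside path works.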
