Cisco ASA same security traffic

Riju Kalarickal
Level 1

I can't get the AirDMZ network to talk to inside network. What am I missing here?

interface GigabitEthernet0/0
speed 100
nameif Outside
security-level 0
ip address 12.157.178.130 255.255.255.128
ospf cost 10
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.9 255.255.240.0
ospf cost 10
!
interface GigabitEthernet0/2
nameif AirDMZ
security-level 100
ip address 192.168.3.9 255.255.255.0
ospf cost 10

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outbound_AirDMZ extended permit ip any any
access-list inside extended permit icmp any any
access-list inbound_AirDMZ extended deny tcp any any eq 445
access-list inbound_AirDMZ extended permit ip any any
global (Outside) 1 interface
global (AirDMZ) 1 interface
nat (Outside) 0 access-list natout
nat (Outside) 1 access-list outsidenat
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (AirDMZ) 1 192.168.3.0 255.255.255.0

static (inside,AirDMZ) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-group outside_acl in interface Outside
access-group inside_acl in interface inside
access-group inbound_AirDMZ in interface AirDMZ
access-group outbound_AirDMZ out interface AirDMZ

3 Replies

Jennifer Halim
Cisco Employee

The following static statement is incorrect:

static (inside,AirDMZ) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

It should be changed to:

static (inside,AirDMZ) 10.1.1.0 10.1.1.0 netmask 255.255.240.0

"clear xlate" after the above changes, and AirDMZ should be able to communicate with the inside network.

Hope that helps.

It didn't help.

I did a packet trace; it stops here:

NAT

match ip AirDMZ 192.168.3.0 255.255.255.0 inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 1858, untranslate_hits = 0

RESULT - The packet is dropped.

Try the following:

1) Remove "nat (AirDMZ) 1 192.168.3.0 255.255.255.0"

2) clear xlate

3) Test the connection from AirDMZ towards inside

4) Re-add "nat (AirDMZ) 1 192.168.3.0 255.255.255.0" so the AirDMZ network can browse the Internet

What version of ASA are you running? Might be a bug if it's matching the dynamic NAT instead of the static, as static NAT should take precedence over dynamic NAT.

Also, please share the latest of the following outputs if it still doesn't work:

sh run nat

sh run global

sh run static

and all ACLs that are referenced in the above show outputs. Thanks.
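To make the precedence argument in this thread concrete (static before dynamic, and a dynamic nat with no global on the egress interface ending in "No matching global"), here is an added example that is not part of the thread: a small Python model of the pre-8.3 ASA NAT lookup order, replaying the AirDMZ-to-inside flow against the original static statement and the corrected one. It is a teaching model, not the ASA's own code. Host addresses 192.168.3.10 and 10.1.1.20 are constructed, the ACL-based nat 0 rules from the config are omitted because they do not affect this flow, and nat-control is assumed disabled unless stated otherwise. Note that the corrected static is written with 10.1.1.0 and a /20 mask; the network address of that range is 10.1.0.0, which the model normalizes.

```python
"""Toy model of pre-8.3 Cisco ASA NAT rule lookup order (added example).

Documented precedence modelled here: nat 0 exemption, then static NAT
(translate and untranslate directions), then dynamic nat/global, which
needs a global on the egress interface or the packet is dropped.
"""
import ipaddress
from dataclasses import dataclass

IPv4Network = ipaddress.IPv4Network


def net(text):
    # strict=False so "10.1.1.0/20" from the thread normalizes to 10.1.0.0/20
    return IPv4Network(text, strict=False)


@dataclass(frozen=True)
class Static:
    real_ifc: str
    mapped_ifc: str
    real_net: IPv4Network
    mapped_net: IPv4Network


@dataclass(frozen=True)
class Dynamic:
    ifc: str            # nat (ifc) id <network>
    nat_id: int         # 0 = exemption, >0 must find "global (egress) id"
    real_net: IPv4Network


@dataclass
class AsaNat:
    statics: list
    dynamics: list
    globals_: set       # {(egress_ifc, nat_id)} from "global (ifc) id interface"
    nat_control: bool = False

    def lookup(self, ingress, egress, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. nat 0 exemption on the ingress interface
        for d in self.dynamics:
            if d.ifc == ingress and d.nat_id == 0 and src in d.real_net:
                return "nat 0 exempt"
        # 2. static NAT, checked in both directions
        for s in self.statics:
            if ingress == s.real_ifc and egress == s.mapped_ifc and src in s.real_net:
                return "static translate"
            if ingress == s.mapped_ifc and egress == s.real_ifc and dst in s.mapped_net:
                return "static untranslate"
        # 3. dynamic nat; the pool id must have a global on the egress interface
        for d in self.dynamics:
            if d.ifc == ingress and d.nat_id > 0 and src in d.real_net:
                if (egress, d.nat_id) in self.globals_:
                    return f"dynamic translation to pool {d.nat_id}"
                return f"DROP: dynamic translation to pool {d.nat_id} (No matching global)"
        # 4. no rule matched: forwarded untranslated unless nat-control is on
        return "DROP: no NAT rule (nat-control)" if self.nat_control else "no translation"


# Statements from the thread
ORIGINAL_STATIC = Static("inside", "AirDMZ", net("192.168.3.0/24"), net("192.168.3.0/24"))
CORRECTED_STATIC = Static("inside", "AirDMZ", net("10.1.1.0/20"), net("10.1.1.0/20"))
NAT_INSIDE = Dynamic("inside", 1, net("0.0.0.0/0"))
NAT_AIRDMZ = Dynamic("AirDMZ", 1, net("192.168.3.0/24"))
GLOBALS = {("Outside", 1), ("AirDMZ", 1)}          # no "global (inside) 1" exists

# Constructed hosts for the replayed flow
AIRDMZ_HOST, INSIDE_HOST = "192.168.3.10", "10.1.1.20"


def trace_original():
    """AirDMZ -> inside with the static as first posted."""
    asa = AsaNat([ORIGINAL_STATIC], [NAT_INSIDE, NAT_AIRDMZ], GLOBALS)
    return asa.lookup("AirDMZ", "inside", AIRDMZ_HOST, INSIDE_HOST)


def trace_corrected():
    """AirDMZ -> inside with the static from the first reply."""
    asa = AsaNat([CORRECTED_STATIC], [NAT_INSIDE, NAT_AIRDMZ], GLOBALS)
    return asa.lookup("AirDMZ", "inside", AIRDMZ_HOST, INSIDE_HOST)


def trace_step1(nat_control=False):
    """Step 1 of the troubleshooting list: nat (AirDMZ) 1 removed, old static kept."""
    asa = AsaNat([ORIGINAL_STATIC], [NAT_INSIDE], GLOBALS, nat_control=nat_control)
    return asa.lookup("AirDMZ", "inside", AIRDMZ_HOST, INSIDE_HOST)


def trace_reverse(static):
    """inside -> AirDMZ, to show what the static does in the translate direction."""
    asa = AsaNat([static], [NAT_INSIDE, NAT_AIRDMZ], GLOBALS)
    return asa.lookup("inside", "AirDMZ", INSIDE_HOST, AIRDMZ_HOST)


if __name__ == "__main__":
    print("original static :", trace_original())
    print("corrected static:", trace_corrected())
    print("step 1          :", trace_step1(), "/", trace_step1(nat_control=True))
    print("reverse flow    :", trace_reverse(CORRECTED_STATIC))
```

The original run reproduces the packet-tracer result from the thread: the old static matches neither direction of the flow, so lookup falls through to nat (AirDMZ) 1, and since there is no global (inside) 1 the packet is dropped. The corrected static catches the packet on the untranslate side before the dynamic rule is consulted. The step-1 run shows why temporarily removing the dynamic nat is a useful isolation test, and also that the outcome then depends on nat-control.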
