Can't pass traffic between interfaces with same security level on ASA 5510

Posted on 2008-10-21
Medium Priority
Last Modified: 2013-11-16
I have configured an ASA 5510 with an outside interface and two inside interfaces for two different subnets. I have added "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface", but traffic doesn't flow between the two inside interfaces that have the same security level. I have done much research but can't figure it out. Please help. This is my configuration:
asdm image disk0:/asdm-508.bin
asdm location outside
no asdm history enable
: Saved
ASA Version 7.0(8) 
hostname ciscoasa
domain-name xxxxx.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp 
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 
interface Ethernet0/2
 nameif DICOM
 security-level 100
 ip address 
interface Management0/0
 nameif management
 security-level 0
 ip address 
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 
access-list remoteuser_splitTunnelAcl standard permit any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DICOM 1500
mtu management 1500
ip local pool remoteusers mask
icmp permit any outside
icmp permit any inside
icmp permit any DICOM
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 20 interface
global (DICOM) 30 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10
nat (DICOM) 10
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteuser internal
group-policy remoteuser attributes
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteuser_splitTunnelAcl
username mtech password V6B59GRyHeAuo8yI encrypted privilege 0
username mtech attributes
 vpn-group-policy remoteuser
http server enable
http inside
http DICOM
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group remoteuser type ipsec-ra
tunnel-group remoteuser general-attributes
 address-pool remoteusers
 default-group-policy remoteuser
tunnel-group remoteuser ipsec-attributes
 pre-shared-key *
telnet inside
telnet DICOM
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd address DICOM
dhcpd address management
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config inside
dhcpd enable inside
dhcpd enable DICOM
dhcpd enable management
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
service-policy global_policy global
: end


Question by:hmassertech
Expert Comment

ID: 22774606
I don't remember if nat-control is on or off by default in ASA 7.0. If it is on, then NAT is enabled but there are no rules
to translate between the networks and no NAT exemption either.
Here, these global rules won't work as there are no matching nat (intf_name) 20 ....
global (inside) 20 interface
global (DICOM) 30 interface

To have networks translated to the interfaces you could do this:
global (inside) 10  interface
global (DICOM) 10  interface

What do you get when trying to reach another network and doing #show xlate to see NAT translations?

Author Comment

ID: 22776407
I tried to change the global statements as recommended above but I still can't ping between internal networks. This is what the xlate is showing when I try to ping both ways:

ciscoasa# show xlate
7 in use, 33 most used
PAT Global Local
PAT Global Local
PAT Global Local
PAT Global Local
PAT Global Local
PAT Global Local ICMP id 1
PAT Global Local ICMP id 768

Any ideas? I am really pressed by time here.. :(
LVL 32

Accepted Solution

harbor235 earned 2000 total points
ID: 22776791

You NAT everything from both inside networks; you need a nonat rule that specifies that traffic from inside to dicom and from dicom to inside does not get NAT'd. Right now, for the inside interface, you do not NAT traffic from the inside to the remote users' address pool; that's good.

For inside
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound permit ip (add)

nat (dicom) 0 access-list dicom_nat0_outbound
access-list dicom_nat0_outbound permit ip

LVL 32

Expert Comment

ID: 22776894

Also, you do not need both of the following commands:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

This is all you need:
same-security-traffic permit inter-interface

harbor235 ;}
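As an added example, not part of either answer above, this is the NAT exemption the accepted solution describes written out as ASA 7.0 configuration, together with the single same-security command the second comment recommends. The subnets 192.168.1.0/24 (inside) and 192.168.2.0/24 (DICOM) are constructed placeholders, since the question redacts the real ones.

```cisco
! Added example; subnets below are constructed placeholders.
!   inside = 192.168.1.0/24
!   DICOM  = 192.168.2.0/24
!
! Exempt inside -> DICOM from NAT. The existing inside_nat0_outbound ACL
! already exempts traffic to the remote-user VPN pool; add this line to it
! rather than replacing the ACL.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Exempt DICOM -> inside with its own nat 0 ACL (the original config has none).
access-list DICOM_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (DICOM) 0 access-list DICOM_nat0_outbound
!
! Internet-bound traffic from both subnets still gets PAT to the outside
! address; nat id 10 on each interface matches global (outside) 10.
nat (inside) 10 192.168.1.0 255.255.255.0
nat (DICOM) 10 192.168.2.0 255.255.255.0
global (outside) 10 interface
!
! inside <-> DICOM crosses two interfaces at security-level 100, so only
! inter-interface is required; intra-interface (hairpinning back out the
! same interface) is not needed for this topology.
same-security-traffic permit inter-interface
```

After applying this, a ping from inside to DICOM should no longer create a PAT entry in show xlate, while Internet-bound traffic from either subnet still does.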

Author Closing Comment

ID: 31508646
Thanks a lot.
