hmassertech
asked on
Can't pass traffic between interfaces with same security level on ASA 5510
I have configured ASA 5510 with outside interface and two inside interfaces for two different subnets, i have added the Same-security-traffic permit inter-interface and Same-security-traffic permit intra-interface but traffic doesn't flow between the two inside interfaces that have the same secirty level. I have done much research but can't figure it out. Please help. This is my configuration,
asdm image disk0:/asdm-508.bin
asdm location 192.168.50.48 255.255.255.240 outside
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name xxxxx.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
nameif DICOM
security-level 100
ip address 10.0.5.150 255.255.255.0
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240
access-list remoteuser_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DICOM 1500
mtu management 1500
ip local pool remoteusers 192.168.50.50-192.168.50.60 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
icmp permit any DICOM
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 20 interface
global (DICOM) 30 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DICOM) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteuser internal
group-policy remoteuser attributes
dns-server value 24.93.41.127 24.93.41.128
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remoteuser_splitTunnelAcl
webvpn
username mtech password V6B59GRyHeAuo8yI encrypted privilege 0
username mtech attributes
vpn-group-policy remoteuser
webvpn
http server enable
http 192.168.100.0 255.255.255.0 inside
http 10.0.5.0 255.255.255.0 DICOM
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group remoteuser type ipsec-ra
tunnel-group remoteuser general-attributes
address-pool remoteusers
default-group-policy remoteuser
tunnel-group remoteuser ipsec-attributes
pre-shared-key *
telnet 192.168.100.0 255.255.255.0 inside
telnet 10.0.5.0 255.255.255.0 DICOM
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.10-192.168.100.20 inside
dhcpd address 10.0.5.50-10.0.5.60 DICOM
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 24.93.41.127 24.93.41.128
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config inside
dhcpd enable inside
dhcpd enable DICOM
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:d3528671fd3962d40e9d657960a3fde8
: end
ASKER
I tried to change the global statements as recommended above but i can't still ping between internal networks, this is what the xlate is showing when i try to ping both ways:
ciscoasa# show xlate
7 in use, 33 most used
PAT Global 192.168.200.106(1064) Local 10.0.5.50(55410)
PAT Global 192.168.200.106(1063) Local 10.0.5.50(62255)
PAT Global 192.168.200.106(1062) Local 10.0.5.50(63064)
PAT Global 192.168.200.106(1061) Local 10.0.5.50(50038)
PAT Global 192.168.200.106(1060) Local 10.0.5.50(61956)
PAT Global 192.168.200.106(1) Local 10.0.5.50 ICMP id 1
PAT Global 10.0.5.150(1) Local 192.168.100.10 ICMP id 768
Any ideas? I am really pressed by time here.. :(
ciscoasa# show xlate
7 in use, 33 most used
PAT Global 192.168.200.106(1064) Local 10.0.5.50(55410)
PAT Global 192.168.200.106(1063) Local 10.0.5.50(62255)
PAT Global 192.168.200.106(1062) Local 10.0.5.50(63064)
PAT Global 192.168.200.106(1061) Local 10.0.5.50(50038)
PAT Global 192.168.200.106(1060) Local 10.0.5.50(61956)
PAT Global 192.168.200.106(1) Local 10.0.5.50 ICMP id 1
PAT Global 10.0.5.150(1) Local 192.168.100.10 ICMP id 768
Any ideas? I am really pressed by time here.. :(
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Also, You do nto need both of the following commands;
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
This is all you need
same-security-traffic permit inter-interface
harbor235 ;}
ASKER
Thanks a lot.
to translate between the networks and no NAT exemption either
Here, these Global rules wont work as there are no matching nat (intf_name) 20 ....
global (inside) 20 interface
global (DICOM) 30 interface
to have networks translated to the interfaces you could do this
global (inside) 10 interface
global (DICOM) 10 interface
Wht do you get when trying to reach another network and doing #show xlate to see NAT translations ?