Can't pass traffic between interfaces with same security level on ASA 5510

Posted on 2008-10-21
Last Modified: 2013-11-16
I  have configured ASA 5510 with outside interface and two inside interfaces for two different subnets, i have added the Same-security-traffic permit inter-interface and Same-security-traffic permit intra-interface but traffic doesn't flow between the two inside interfaces that have the same secirty level. I have done much research but can't figure it out. Please help. This is my configuration,
asdm image disk0:/asdm-508.bin

asdm location outside

no asdm history enable

: Saved


ASA Version 7.0(8) 


hostname ciscoasa


enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted




interface Ethernet0/0

 nameif outside

 security-level 0

 ip address dhcp 


interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 


interface Ethernet0/2

 nameif DICOM

 security-level 100

 ip address 


interface Management0/0

 nameif management

 security-level 0

 ip address 



ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip any 

access-list remoteuser_splitTunnelAcl standard permit any 

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DICOM 1500

mtu management 1500

ip local pool remoteusers mask

icmp permit any outside

icmp permit any inside

icmp permit any DICOM

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

global (inside) 20 interface

global (DICOM) 30 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10

nat (DICOM) 10

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy remoteuser internal

group-policy remoteuser attributes

 dns-server value

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value remoteuser_splitTunnelAcl


username mtech password V6B59GRyHeAuo8yI encrypted privilege 0

username mtech attributes

 vpn-group-policy remoteuser


http server enable

http inside

http DICOM

http management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group remoteuser type ipsec-ra

tunnel-group remoteuser general-attributes

 address-pool remoteusers

 default-group-policy remoteuser

tunnel-group remoteuser ipsec-attributes

 pre-shared-key *

telnet inside

telnet DICOM

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address inside

dhcpd address DICOM

dhcpd address management

dhcpd dns

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd auto_config inside

dhcpd enable inside

dhcpd enable DICOM

dhcpd enable management


class-map inspection_default

 match default-inspection-traffic



policy-map global_policy

 class inspection_default

  inspect dns maximum-length 512 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny 

  inspect sunrpc 

  inspect xdmcp 

  inspect sip 

  inspect netbios 

  inspect tftp 


service-policy global_policy global


: end

Open in new window

Question by:hmassertech
  • 2
  • 2

Expert Comment

ID: 22774606
I dont remember if NAT-control is on or off by default in ASA 7.0, if it is then  NAT enabled but no rules
to translate between the networks and no NAT exemption either
Here, these Global rules wont work as there are no matching nat (intf_name) 20 ....
global (inside) 20 interface
global (DICOM) 30 interface

to have networks translated to the interfaces you could do this
global (inside) 10  interface
global (DICOM) 10  interface

Wht do you get when trying to reach another network and doing  #show xlate  to see NAT translations ?

Author Comment

ID: 22776407
I tried to change the global statements as recommended above but i can't still ping between internal networks, this is what the xlate is showing when i try to ping both ways:

ciscoasa# show xlate
7 in use, 33 most used
PAT Global Local
PAT Global Local
PAT Global Local
PAT Global Local
PAT Global Local
PAT Global Local ICMP id 1
PAT Global Local ICMP id 768

Any ideas? I am really pressed by time here.. :(
LVL 32

Accepted Solution

harbor235 earned 500 total points
ID: 22776791

You NAT everything from both inside networks, you need a nonat rule that specifies that traffic from inside to dicom and from dicom to inside does not get NAT'd. Right now for the inside interface you do not nat traffic from the inside to the remote users address pools, thats good;

For inside
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound permit ip (add)

nat (dicom) 0 access-list dicom_nat0_outbound
access-list dicom_nat0_outbound permit ip

LVL 32

Expert Comment

ID: 22776894

Also, You do nto need both of the following commands;

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

This is all you need
same-security-traffic permit inter-interface

harbor235 ;}

Author Closing Comment

ID: 31508646
Thanks a lot.

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now