Can't pass traffic between interfaces with same security level on ASA 5510

Posted on 2008-10-21
Last Modified: 2013-11-16
I  have configured ASA 5510 with outside interface and two inside interfaces for two different subnets, i have added the Same-security-traffic permit inter-interface and Same-security-traffic permit intra-interface but traffic doesn't flow between the two inside interfaces that have the same secirty level. I have done much research but can't figure it out. Please help. This is my configuration,
asdm image disk0:/asdm-508.bin
asdm location outside
no asdm history enable
: Saved
ASA Version 7.0(8) 
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp 
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 
interface Ethernet0/2
 nameif DICOM
 security-level 100
 ip address 
interface Management0/0
 nameif management
 security-level 0
 ip address 
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 
access-list remoteuser_splitTunnelAcl standard permit any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DICOM 1500
mtu management 1500
ip local pool remoteusers mask
icmp permit any outside
icmp permit any inside
icmp permit any DICOM
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 20 interface
global (DICOM) 30 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10
nat (DICOM) 10
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteuser internal
group-policy remoteuser attributes
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteuser_splitTunnelAcl
username mtech password V6B59GRyHeAuo8yI encrypted privilege 0
username mtech attributes
 vpn-group-policy remoteuser
http server enable
http inside
http DICOM
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group remoteuser type ipsec-ra
tunnel-group remoteuser general-attributes
 address-pool remoteusers
 default-group-policy remoteuser
tunnel-group remoteuser ipsec-attributes
 pre-shared-key *
telnet inside
telnet DICOM
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd address DICOM
dhcpd address management
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config inside
dhcpd enable inside
dhcpd enable DICOM
dhcpd enable management
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
service-policy global_policy global
: end

Open in new window

Question by:hmassertech
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2

Expert Comment

ID: 22774606
I dont remember if NAT-control is on or off by default in ASA 7.0, if it is then  NAT enabled but no rules
to translate between the networks and no NAT exemption either
Here, these Global rules wont work as there are no matching nat (intf_name) 20 ....
global (inside) 20 interface
global (DICOM) 30 interface

to have networks translated to the interfaces you could do this
global (inside) 10  interface
global (DICOM) 10  interface

Wht do you get when trying to reach another network and doing  #show xlate  to see NAT translations ?

Author Comment

ID: 22776407
I tried to change the global statements as recommended above but i can't still ping between internal networks, this is what the xlate is showing when i try to ping both ways:

ciscoasa# show xlate
7 in use, 33 most used
PAT Global Local
PAT Global Local
PAT Global Local
PAT Global Local
PAT Global Local
PAT Global Local ICMP id 1
PAT Global Local ICMP id 768

Any ideas? I am really pressed by time here.. :(
LVL 32

Accepted Solution

harbor235 earned 500 total points
ID: 22776791

You NAT everything from both inside networks, you need a nonat rule that specifies that traffic from inside to dicom and from dicom to inside does not get NAT'd. Right now for the inside interface you do not nat traffic from the inside to the remote users address pools, thats good;

For inside
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound permit ip (add)

nat (dicom) 0 access-list dicom_nat0_outbound
access-list dicom_nat0_outbound permit ip

LVL 32

Expert Comment

ID: 22776894

Also, You do nto need both of the following commands;

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

This is all you need
same-security-traffic permit inter-interface

harbor235 ;}

Author Closing Comment

ID: 31508646
Thanks a lot.

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question