Solved

asa 5510 how to allow traffic between subinterfaces

Posted on 2011-03-23
5
1,528 Views
Last Modified: 2012-05-11
i have a asa 5510 and have created 2 subinterfaces e0/0.50 and e0/0.200.  both have the same security level. i have enabled "same-security-traffic permit intra-interface" to permit traffic in and out of the same interface. i have done this(inter-interface) with other asa5510 but they used distinct physical interfaces.

if i cant do it the same way as on physical interfaces, how do i get my 2 subinterfaces to talk to each other? ACLs?

i read that you cant route in and out of the same interface
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23683971.html?sfQueryTermInfo=1+10+30+5510+allow+asa+between+subinterfac+traffic

0
Comment
Question by:Netrinc
  • 2
  • 2
5 Comments
 
LVL 1

Author Comment

by:Netrinc
ID: 35200590
before anyone asks, i will add that the switch (cisco 2960) that the asa interface is connected to is configured as a trunk to pass traffic to the firewall. one of the subnets on the subinterface is part of a site-to-site VPN and that is still working once i created the subinterfaces.

i am just having problems getting traffic to pass freely between the 2 subinterfaces.
0
 
LVL 9

Assisted Solution

by:predragpetrovic
predragpetrovic earned 100 total points
ID: 35200620
hi,

this depends on your verion of ASA, but first thing is first create an access-list which will allow communication between those two subnets and create a NAT 0 rule for that access-list or create identity NAT for both cases.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1303313
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 400 total points
ID: 35201134
>i am just having problems getting traffic to pass freely between the 2 subinterfaces.
Of course. Firewalls were designed to inspect/nat traffice between interfaces and not just route packets.
There are multiple ways to do this, but I prefer a simple static nat, so only 2 commands should be necesary:

same-security-traffic permit inter-interface
static (interface1,interface2) sub.net.one.0 sub.net.one.0 netmask 255.255.255.0

0
 
LVL 1

Author Comment

by:Netrinc
ID: 35202081
thanks. i used the static nat and it works. i did try static nat before but apparently i suck at ASDM.

now if at a later time i would like to lower the security level on one of these subinterfaces, would the static nat still be sufficient?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 35202346
If you change the security level, you will have to add an access-list on the lower security interface
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
anyconnect password change 2 36
using BGP Attributes 2 89
Sonicwall guest user accounts 2 10
Issue with Cisco 4402 and 1142 LAPs 1 4
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question