Solved

asa 5510 how to allow traffic between subinterfaces

Posted on 2011-03-23
5
1,561 Views
Last Modified: 2012-05-11
i have a asa 5510 and have created 2 subinterfaces e0/0.50 and e0/0.200.  both have the same security level. i have enabled "same-security-traffic permit intra-interface" to permit traffic in and out of the same interface. i have done this(inter-interface) with other asa5510 but they used distinct physical interfaces.

if i cant do it the same way as on physical interfaces, how do i get my 2 subinterfaces to talk to each other? ACLs?

i read that you cant route in and out of the same interface
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23683971.html?sfQueryTermInfo=1+10+30+5510+allow+asa+between+subinterfac+traffic

0
Comment
Question by:Netrinc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 1

Author Comment

by:Netrinc
ID: 35200590
before anyone asks, i will add that the switch (cisco 2960) that the asa interface is connected to is configured as a trunk to pass traffic to the firewall. one of the subnets on the subinterface is part of a site-to-site VPN and that is still working once i created the subinterfaces.

i am just having problems getting traffic to pass freely between the 2 subinterfaces.
0
 
LVL 9

Assisted Solution

by:predragpetrovic
predragpetrovic earned 100 total points
ID: 35200620
hi,

this depends on your verion of ASA, but first thing is first create an access-list which will allow communication between those two subnets and create a NAT 0 rule for that access-list or create identity NAT for both cases.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1303313
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 400 total points
ID: 35201134
>i am just having problems getting traffic to pass freely between the 2 subinterfaces.
Of course. Firewalls were designed to inspect/nat traffice between interfaces and not just route packets.
There are multiple ways to do this, but I prefer a simple static nat, so only 2 commands should be necesary:

same-security-traffic permit inter-interface
static (interface1,interface2) sub.net.one.0 sub.net.one.0 netmask 255.255.255.0

0
 
LVL 1

Author Comment

by:Netrinc
ID: 35202081
thanks. i used the static nat and it works. i did try static nat before but apparently i suck at ASDM.

now if at a later time i would like to lower the security level on one of these subinterfaces, would the static nat still be sufficient?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 35202346
If you change the security level, you will have to add an access-list on the lower security interface
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question