asa 5510 how to allow traffic between subinterfaces

I have an ASA 5510 and have created 2 subinterfaces, e0/0.50 and e0/0.200. Both have the same security level. I have enabled "same-security-traffic permit intra-interface" to permit traffic in and out of the same interface. I have done this (inter-interface) with other ASA 5510s, but they used distinct physical interfaces.

If I can't do it the same way as on physical interfaces, how do I get my 2 subinterfaces to talk to each other? ACLs?

I read that you can't route in and out of the same interface:
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23683971.html?sfQueryTermInfo=1+10+30+5510+allow+asa+between+subinterfac+traffic

Netrinc (Author) commented:
Before anyone asks, I will add that the switch (Cisco 2960) that the ASA interface is connected to is configured as a trunk to pass traffic to the firewall. One of the subnets on the subinterfaces is part of a site-to-site VPN, and that is still working since I created the subinterfaces.

I am just having problems getting traffic to pass freely between the 2 subinterfaces.
 
predragpetrovic commented:
Hi,

This depends on your version of ASA, but first things first: create an access-list which will allow communication between those two subnets and create a NAT 0 rule for that access-list, or create an identity NAT for both cases.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1303313
 
lrmoore commented:
> I am just having problems getting traffic to pass freely between the 2 subinterfaces.
Of course. Firewalls were designed to inspect/NAT traffic between interfaces and not just route packets.
There are multiple ways to do this, but I prefer a simple static NAT, so only 2 commands should be necessary:

same-security-traffic permit inter-interface
static (interface1,interface2) sub.net.one.0 sub.net.one.0 netmask 255.255.255.0

 
Netrinc (Author) commented:
Thanks. I used the static NAT and it works. I did try static NAT before, but apparently I suck at ASDM.

Now, if at a later time I would like to lower the security level on one of these subinterfaces, would the static NAT still be sufficient?
 
lrmoore commented:
If you change the security level, you will have to add an access-list on the lower security interface.
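The following is an added, complete configuration illustrating both of lrmoore's answers together (the same-security case with identity statics, and the follow-up where one subinterface is later lowered and needs an ACL). It is not from the original thread. It uses the pre-8.3 ASA syntax that the `static (a,b)` command and the 8.2 documentation links in the thread imply; the nameifs `vlan50`/`vlan200`, the VLAN IDs, the subnets 10.50.0.0/24 and 10.200.0.0/24, and the ACL name are assumptions chosen for the example.

```cisco
! Added example, not the poster's configuration. Pre-8.3 (nat-control era) syntax.
! Assumed names and addresses: vlan50, vlan200, 10.50.0.0/24, 10.200.0.0/24.

! Physical port carries the 802.1Q trunk from the 2960; it gets no address itself.
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.50
 vlan 50
 nameif vlan50
 security-level 50
 ip address 10.50.0.1 255.255.255.0
!
interface Ethernet0/0.200
 vlan 200
 nameif vlan200
 security-level 50
 ip address 10.200.0.1 255.255.255.0
!
! Two interfaces at the same security level do not talk at all unless this is
! set. This is the inter-interface knob; intra-interface only covers traffic
! that enters and leaves the same interface (hairpinning), which is not the case here.
same-security-traffic permit inter-interface
!
! Identity ("translate to self") statics so the NAT requirement is satisfied
! without changing any addresses. One per direction, so that hosts on either
! subinterface can initiate connections.
static (vlan50,vlan200) 10.50.0.0 10.50.0.0 netmask 255.255.255.0
static (vlan200,vlan50) 10.200.0.0 10.200.0.0 netmask 255.255.255.0
!
! Later change discussed in the thread: if vlan200 is lowered below vlan50,
! the statics above still apply, but connections initiated from the lower
! interface toward the higher one now need an ACL applied inbound on vlan200.
! (Leave security-level 50 above unchanged until you actually make this change.)
!
! interface Ethernet0/0.200
!  security-level 20
!
access-list VLAN200_IN extended permit ip 10.200.0.0 255.255.255.0 10.50.0.0 255.255.255.0
access-group VLAN200_IN in interface vlan200
```

To confirm the path end to end rather than through ASDM, use the built-in tracer from either side, e.g. `packet-tracer input vlan50 tcp 10.50.0.10 1234 10.200.0.10 80` and `packet-tracer input vlan200 tcp 10.200.0.10 1234 10.50.0.10 80`; each phase (ACL, NAT, route) is reported, so a missing static or ACL shows up as a named DROP rather than silent loss. `show xlate` will list the identity translations once traffic has passed.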