[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

asa 5510 how to allow traffic between subinterfaces

Posted on 2011-03-23
5
Medium Priority
?
1,592 Views
Last Modified: 2012-05-11
i have a asa 5510 and have created 2 subinterfaces e0/0.50 and e0/0.200.  both have the same security level. i have enabled "same-security-traffic permit intra-interface" to permit traffic in and out of the same interface. i have done this(inter-interface) with other asa5510 but they used distinct physical interfaces.

if i cant do it the same way as on physical interfaces, how do i get my 2 subinterfaces to talk to each other? ACLs?

i read that you cant route in and out of the same interface
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23683971.html?sfQueryTermInfo=1+10+30+5510+allow+asa+between+subinterfac+traffic

0
Comment
Question by:Netrinc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 1

Author Comment

by:Netrinc
ID: 35200590
before anyone asks, i will add that the switch (cisco 2960) that the asa interface is connected to is configured as a trunk to pass traffic to the firewall. one of the subnets on the subinterface is part of a site-to-site VPN and that is still working once i created the subinterfaces.

i am just having problems getting traffic to pass freely between the 2 subinterfaces.
0
 
LVL 9

Assisted Solution

by:predragpetrovic
predragpetrovic earned 400 total points
ID: 35200620
hi,

this depends on your verion of ASA, but first thing is first create an access-list which will allow communication between those two subnets and create a NAT 0 rule for that access-list or create identity NAT for both cases.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1303313
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1600 total points
ID: 35201134
>i am just having problems getting traffic to pass freely between the 2 subinterfaces.
Of course. Firewalls were designed to inspect/nat traffice between interfaces and not just route packets.
There are multiple ways to do this, but I prefer a simple static nat, so only 2 commands should be necesary:

same-security-traffic permit inter-interface
static (interface1,interface2) sub.net.one.0 sub.net.one.0 netmask 255.255.255.0

0
 
LVL 1

Author Comment

by:Netrinc
ID: 35202081
thanks. i used the static nat and it works. i did try static nat before but apparently i suck at ASDM.

now if at a later time i would like to lower the security level on one of these subinterfaces, would the static nat still be sufficient?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 35202346
If you change the security level, you will have to add an access-list on the lower security interface
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question