• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1642
  • Last Modified:

asa 5510 how to allow traffic between subinterfaces

i have a asa 5510 and have created 2 subinterfaces e0/0.50 and e0/0.200.  both have the same security level. i have enabled "same-security-traffic permit intra-interface" to permit traffic in and out of the same interface. i have done this(inter-interface) with other asa5510 but they used distinct physical interfaces.

if i cant do it the same way as on physical interfaces, how do i get my 2 subinterfaces to talk to each other? ACLs?

i read that you cant route in and out of the same interface
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23683971.html?sfQueryTermInfo=1+10+30+5510+allow+asa+between+subinterfac+traffic

0
Netrinc
Asked:
Netrinc
  • 2
  • 2
2 Solutions
 
NetrincAuthor Commented:
before anyone asks, i will add that the switch (cisco 2960) that the asa interface is connected to is configured as a trunk to pass traffic to the firewall. one of the subnets on the subinterface is part of a site-to-site VPN and that is still working once i created the subinterfaces.

i am just having problems getting traffic to pass freely between the 2 subinterfaces.
0
 
predragpetrovicCommented:
hi,

this depends on your verion of ASA, but first thing is first create an access-list which will allow communication between those two subnets and create a NAT 0 rule for that access-list or create identity NAT for both cases.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1303313
0
 
lrmooreCommented:
>i am just having problems getting traffic to pass freely between the 2 subinterfaces.
Of course. Firewalls were designed to inspect/nat traffice between interfaces and not just route packets.
There are multiple ways to do this, but I prefer a simple static nat, so only 2 commands should be necesary:

same-security-traffic permit inter-interface
static (interface1,interface2) sub.net.one.0 sub.net.one.0 netmask 255.255.255.0

0
 
NetrincAuthor Commented:
thanks. i used the static nat and it works. i did try static nat before but apparently i suck at ASDM.

now if at a later time i would like to lower the security level on one of these subinterfaces, would the static nat still be sufficient?
0
 
lrmooreCommented:
If you change the security level, you will have to add an access-list on the lower security interface
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now