Cisco ASA 5510 Inter-intra Subnet/VLAN Communication

Asked by PMGIT
Routers, Hardware Firewalls, Cisco
I am trying to get two internal networks talking with an ASA5510. I can't access 192.100.7.0/24 from 192.100.8.0/24 & vice-versa. I thought the "same-security-traffic permit inter-interface & same-security-traffic permit intra-interface" was supposed to allow this but I'm obviously missing something. The network is flat and I'm only trying to ping from one subnet to the other. I have the PCs in the .7 & .8 subnets physically connected to the same switch and pointed to each respective gateway - see relevant config below.

ASA Version 8.0(4)

interface Ethernet0/0
 speed 1000
 nameif OUTSIDE
 security-level 0
 ip address 200.200.200.254 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1
 speed 1000
 nameif INSIDE
 security-level 100
 ip address 192.100.7.254 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.100
 vlan 100
 nameif V1
 security-level 100
 ip address 192.100.8.254 255.255.255.0
!
interface Ethernet0/2.200
 vlan 200
 nameif V2
 security-level 100
 ip address 192.100.9.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address
 ospf cost 10
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup INSIDE
dns server-group DefaultDNS
 name-server MY DNS SERVER
 domain-name MY DOMAIN NAME

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_6
 network-object xxx.xxx.xxx
 network-object host xxx.xxx.xxx
access-list OUTSIDE_access_in extended permit object-group DM_INLINE_PROTOCOL
access-list OUTSIDE_access_in remark
access-list INSIDE_nat0_outbound remark
access-list INSIDE_nat0_outbound extended permit xxx.xxx.xxx
access-list INSIDE_nat0_outbound remark

nat-control
global (OUTSIDE) 101 200.200.200.253 netmask 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 101 0.0.0.0 0.0.0.0
nat (V1) 101 0.0.0.0 0.0.0.0

static (INSIDE,OUTSIDE) tcp xxx.xxx.xxx https INTERNAL SERVER https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp xxx.xxx.xxx https INTERNAL SERVER https netmask 255.255.255.255

static (INSIDE,OUTSIDE) REPLACED NAME  access-list policy_nat
access-group OUTSIDE_access_in in interface OUTSIDE

route OUTSIDE 0.0.0.0 0.0.0.0 200.200.200.1

more crypto & vpn transform-set stuff
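Added check, not part of the question above or of its accepted solution: a small audit script that reads an ASA 8.0-style config and reports same-security interface pairs that still lack a usable NAT rule. It relies on the pre-8.3 ASA rule from Cisco's NAT-control documentation: interfaces at the same security level do not need NAT to talk, but once dynamic NAT or PAT is configured on an interface (as with `nat (INSIDE) 101` and `nat (V1) 101` here), every flow leaving that interface, including flows to a same-security interface, must match a NAT rule, and a `global` that exists only on OUTSIDE does not cover INSIDE to V1. The sample config is a trimmed copy of the posted lines (addresses kept, unrelated stanzas dropped); the two identity `static` lines in `FIXED_CONFIG` are an assumption about one way to cover the pair and are not the poster's certified answer.

```python
"""Added config audit for ASA 8.0-style NAT between same-security interfaces.
Not part of the original question or its accepted solution."""
import re
from itertools import combinations

# Constructed sample: the relevant lines of the posted config, trimmed.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
!
interface Ethernet0/1
 nameif INSIDE
 security-level 100
!
interface Ethernet0/2.100
 nameif V1
 security-level 100
!
same-security-traffic permit inter-interface
nat-control
global (OUTSIDE) 101 200.200.200.253 netmask 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 101 0.0.0.0 0.0.0.0
nat (V1) 101 0.0.0.0 0.0.0.0
"""

# Constructed "after" config (assumption): identity statics so each subnet
# reaches the other untranslated.
FIXED_CONFIG = SAMPLE_CONFIG + """\
static (INSIDE,V1) 192.100.7.0 192.100.7.0 netmask 255.255.255.0
static (V1,INSIDE) 192.100.8.0 192.100.8.0 netmask 255.255.255.0
"""


def parse(config):
    """Pull out interface security levels, NAT/global/static rules and flags."""
    levels, dyn_nat, nat0, globals_, statics, flags = {}, {}, set(), {}, set(), set()
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = None            # the stanza's nameif sets the name
        elif line.startswith(" "):
            tok = line.split()
            if tok[0] == "nameif":
                current = tok[1]
            elif tok[0] == "security-level" and current:
                levels[current] = int(tok[1])
        elif m := re.match(r"nat \((\S+)\) (\d+) (.*)", line):
            name, nat_id, rest = m.group(1), int(m.group(2)), m.group(3)
            if nat_id == 0 and rest.startswith("access-list"):
                nat0.add(name)        # NAT exemption: covers only what the ACL lists
            elif nat_id:
                dyn_nat.setdefault(name, set()).add(nat_id)
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            globals_.setdefault(m.group(1), set()).add(int(m.group(2)))
        elif m := re.match(r"static \(([^,)]+),([^,)]+)\)", line):
            statics.add((m.group(1), m.group(2)))
        elif line.startswith("same-security-traffic permit") or line == "nat-control":
            flags.add(line)
    return levels, dyn_nat, nat0, globals_, statics, flags


def audit(config):
    """One finding per same-security direction that still needs a NAT rule.

    Scoped to nat-control configs like the posted one: same-security traffic
    needs no NAT unless the source interface has dynamic NAT/PAT; then a flow
    must hit a global on the egress interface with a matching id, a static
    between the two interfaces, or a nat 0 exemption.
    """
    levels, dyn_nat, nat0, globals_, statics, flags = parse(config)
    findings = []
    if "same-security-traffic permit inter-interface" not in flags:
        findings.append("same-security-traffic permit inter-interface is missing")
    if "nat-control" not in flags:
        return findings               # other mode not audited here
    for a, b in combinations(sorted(levels), 2):
        if levels[a] != levels[b]:
            continue
        for src, dst in ((a, b), (b, a)):
            if src not in dyn_nat:
                continue              # no dynamic NAT on src: nothing required
            covered = (dyn_nat[src] & globals_.get(dst, set())
                       or (src, dst) in statics or (dst, src) in statics)
            if covered:
                continue
            note = (f"{src} -> {dst}: dynamic NAT on {src} but no global ({dst}) "
                    f"with a matching id and no static ({src},{dst}); "
                    f"no translation exists for these flows")
            if src in nat0:
                note += f" unless the nat 0 access-list on {src} exempts them"
            findings.append(note)
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("with identity statics", FIXED_CONFIG)):
        print(label, audit(cfg) or ["no NAT gaps between same-security interfaces"])
```

Run as-is, it reports both directions between INSIDE and V1 for the posted lines (the INSIDE side carries a note about the `nat 0` ACL, whose redacted entries the script cannot inspect) and reports nothing once the identity statics are present; a `packet-tracer` or `show nat` on the box itself is the authoritative confirmation.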
ASKER CERTIFIED SOLUTION
PMGIT