Solved

can't traffic between same security level interfaces

Posted on 2013-01-05
Last Modified: 2013-02-03
Hello dear experts,
I have installed an ASA 5520 and its software version is 8.3(1).
There are 2 different interfaces with the same security level 100 (DMZ and inside),
and I configured same-interface-traffic permit inter-interface.
But I can't pass traffic between them.
Our ASA's configuration is below:

ASA# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet0/1
-----more------
!
interface GigabitEthernet0/2
------more------
!            
interface GigabitEthernet0/3
 nameif DMZ
 security-level 100
 ip address 172.29.0.254 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!

access-list DMZ_access_in extended permit ip any any

access-list inside_in extended permit ip any any

access-group inside_in in interface inside

access-group DMZ_access_in in interface DMZ
0
Question by:itsbm
4 Comments
 
LVL 17

Assisted Solution

by:Garry-G
Garry-G earned 100 total points
ID: 38748146
Check if you have NAT/NAT exemptions configured between the two interfaces ... also, did you try running the packet tracer to see what the firewall is doing with the packets? Do a test in both directions and see whether/where it fails ...
0
 
LVL 21

Assisted Solution

by:eeRoot
eeRoot earned 100 total points
ID: 38753515
Can devices in the DMZ ping the DMZ default gateway address?  Does the log show any blocked connections if you try a constant ping from the DMZ to the inside network?
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 100 total points
ID: 38753807
Like Garry said, do you have NAT set up (exemptions/static)? Also, a more complete (sanitized) config would be handy to determine what is wrong. Third, check the (ASDM) logs to see if anything shows in there.
0
 
LVL 5

Accepted Solution

by:
Feroz Ahmed earned 200 total points
ID: 38781784
Hi,

I have been through the configuration of your ASA 5520. Could you please try the below configuration on the ASA for traffic flow from Inside to DMZ.

ASA(config)# access-group 101 in interface DMZ

(And check whether ICMP is enabled on the ASA in order for traffic to flow.)
0
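
As an added example (not part of the thread and not any poster's code): a small Python check that reads a saved ASA running-config, finds named interfaces that share a security level, and reports the pairs that cannot exchange traffic because the global same-security-traffic permit inter-interface command is absent. The sample config is constructed from the interface stanzas in the question, and the function names are illustrative.

```python
import re
from itertools import combinations

# Constructed sample: the named interface stanzas from the question's "sh run".
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
!
interface GigabitEthernet0/3
 nameif DMZ
 security-level 100
!
interface Management0/0
 nameif management
 security-level 100
 management-only
!
access-group DMZ_access_in in interface DMZ
"""

def parse_interfaces(config):
    """Map nameif -> (security level, management-only flag)."""
    found = {}
    # Split at each "interface" line; only the indented lines belong to the stanza.
    for stanza in re.split(r"(?m)^(?=interface )", config)[1:]:
        body = re.match(r"interface .*\n((?:[ \t]+.*\n?)*)", stanza).group(1)
        name = re.search(r"(?m)^\s+nameif (\S+)", body)
        level = re.search(r"(?m)^\s+security-level (\d+)", body)
        if name and level:
            mgmt = bool(re.search(r"(?m)^\s+management-only\s*$", body))
            found[name.group(1)] = (int(level.group(1)), mgmt)
    return found

def blocked_pairs(config):
    """Pairs of equal-level data interfaces that cannot exchange traffic."""
    # The global command must appear exactly; intra-interface does not count.
    if re.search(r"(?m)^same-security-traffic permit inter-interface\s*$", config):
        return []
    # management-only interfaces do not carry through traffic, so skip them.
    data = {n: lvl for n, (lvl, mgmt) in parse_interfaces(config).items() if not mgmt}
    return [(a, b) for a, b in combinations(sorted(data), 2) if data[a] == data[b]]

if __name__ == "__main__":
    for a, b in blocked_pairs(SAMPLE_CONFIG):
        print(f"{a} <-> {b}: same security level, inter-interface traffic not permitted")
```

The same check can be done on the device by looking for the command in the output of show running-config.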
