
Solved

Can't pass traffic between same-security-level interfaces

Posted on 2013-01-05
Medium Priority
496 Views
Last Modified: 2013-02-03
Hello dear experts,
I have installed an ASA 5520 and its software version is 8.3(1).
There are 2 different interfaces with the same security level 100 (DMZ and inside),
and I configured same-interface-traffic permit inter-interface.
But traffic can't get between them.
Our ASA's configuration is below:

ASA# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet0/1
-----more------
!
interface GigabitEthernet0/2
------more------
!
interface GigabitEthernet0/3
 nameif DMZ
 security-level 100
 ip address 172.29.0.254 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!

access-list DMZ_access_in extended permit ip any any
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
access-group DMZ_access_in in interface DMZ
Question by:itsbm
4 Comments
 
LVL 18

Assisted Solution

by:Garry Glendown
Garry Glendown earned 200 total points
ID: 38748146
Check whether you have NAT/NAT exemptions configured between the two interfaces. Also, did you try running the packet tracer to see what the firewall is doing with the packets? Do a test in both directions and see whether/where it fails.
 
LVL 22

Assisted Solution

by:eeRoot
eeRoot earned 200 total points
ID: 38753515
Can devices in the DMZ ping the DMZ default gateway address? Does the log show any blocked connections if you try a constant ping from the DMZ to the inside network?
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 200 total points
ID: 38753807
Like Garry said, do you have NAT set up (exemptions/static)? Also, a more complete (sanitized) config would be handy to determine what is wrong. Third, check the (ASDM) logs to see if anything shows up in there.
 
LVL 5

Accepted Solution

by:Feroz Ahmed
Feroz Ahmed earned 400 total points
ID: 38781784
Hi,

I have been through the configuration of your ASA 5520. Could you please try the configuration below on the ASA for traffic flow from Inside to DMZ.

ASA(config)#access-group 101 in interface DMZ (and check whether ICMP is enabled on the ASA in order for traffic to flow).
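The pieces the replies above ask about, pulled together as an added example by the editor; this is not configuration from the original post or from any of the answers. It shows the `same-security-traffic` command (the question text says `same-interface-traffic`, but the ASA keyword is `same-security-traffic`), an 8.3-style identity NAT rule between inside and DMZ, the interface ACLs already present in the posted config, and the packet-tracer checks Garry suggests. The host addresses 192.168.100.10 and 172.29.0.10 and the object names INSIDE-NET and DMZ-NET are assumptions. The identity NAT rule is only needed if some other NAT rule in the truncated part of the config (for example a dynamic PAT toward an outside interface written as `nat (any,outside)`) would otherwise catch inside-to-DMZ traffic; in 8.3 a flow that matches no NAT rule passes untranslated, since `nat-control` no longer exists in that release.

```cisco
! --- global: allow flows between interfaces that share a security level ---
! Without this line the ASA drops inside<->DMZ traffic regardless of the ACLs,
! because both interfaces are security-level 100.
same-security-traffic permit inter-interface
!
! --- 8.3 NAT: identity (no-translation) rule for inside <-> DMZ ---
! Object names and subnets are assumptions taken from the interface addresses
! in the posted config (inside 192.168.100.0/24, DMZ 172.29.0.0/24).
object network INSIDE-NET
 subnet 192.168.100.0 255.255.255.0
object network DMZ-NET
 subnet 172.29.0.0 255.255.255.0
!
! Twice NAT, source and destination mapped to themselves: this is the 8.3
! equivalent of the pre-8.3 "nat 0 access-list" exemption. It sits in
! section 1 of the NAT table, so it is evaluated before object NAT rules.
nat (inside,DMZ) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET
!
! --- interface ACLs (these are already in the posted config, repeated for completeness) ---
access-list inside_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-group inside_in in interface inside
access-group DMZ_access_in in interface DMZ
!
! --- verification, run from enable mode (ASA#), not from config mode ---
! Confirm the same-security command actually made it into the running config.
show running-config same-security-traffic
!
! Show the NAT table with translate_hits / untranslate_hits per rule, so you can
! see whether the identity rule (or some other rule) is catching the flow.
show nat
!
! Simulate a packet in each direction. Hosts .10 on each side are assumed.
! inside -> DMZ: ICMP echo (type 8, code 0)
packet-tracer input inside icmp 192.168.100.10 8 0 172.29.0.10 detailed
! DMZ -> inside: TCP to port 443 from an ephemeral source port
packet-tracer input DMZ tcp 172.29.0.10 12345 192.168.100.10 443 detailed
```

Run the two packet-tracer commands after every change. The output lists each phase the simulated packet goes through (ROUTE-LOOKUP, ACCESS-LIST, NAT, and so on) and ends with `Action: allow` or `Action: drop` plus a `Drop-reason`; a drop in the NAT phase points at a rule elsewhere in the config that is translating the flow, while a drop before the ACL phase with no same-security line present is the symptom described in the question. Because the posted config is truncated at the `-----more------` markers, the NAT section of this thread's ASA is unknown, which is why the replies keep asking for it.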
