Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

Solved

can't traffic between same security level interfaces

Posted on 2013-01-05

4 solutions

Medium Priority

496 Views

Last Modified: 2013-02-03

hello dear experts,
i have installed asa5520 and his software version is 8.3(1).
there is 2 difference interfaces with same security level 100 (DMZ and inside).
and configured same-interface-traffic permit inter-interface
But i can't reach traffics between each other.
our asa's configure is below:

ASA# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet0/1
-----more------
!
interface GigabitEthernet0/2
------more------
!
interface GigabitEthernet0/3
nameif DMZ
security-level 100
ip address 172.29.0.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!

access-list DMZ_access_in extended permit ip any any

access-list inside_in extended permit ip any any

access-group inside_in in interface inside

access-group DMZ_access_in in interface DMZ

Comment

Question by:itsbm

[X]

Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

Help others & share knowledge
Earn cash & points
Learn & ask questions

Join The Community

4 Comments

LVL 18

Assisted Solution

by:Garry Glendown

Garry Glendown earned 200 total points

ID: 387481462013-01-06

Check if you have NAT/NAT exemptions configured between the two interfaces ... also, did you try running the packet tracer to see what the firewall is doing with the packets? Do a test in both directions and see whether/where it fails ...

LVL 22

Assisted Solution

by:eeRoot

eeRoot earned 200 total points

ID: 387535152013-01-07

Can devices in the DMZ ping the DMZ default gateway address? Does the log show any blocked connections if you try a constant ping from the DMZ to the inside network?

LVL 35

Assisted Solution

by:Ernie Beek

Ernie Beek earned 200 total points

ID: 387538072013-01-08

Like Garry said, do you have NAT setup (exemptions/static)? Also, a more complete (sanitized) config would be handy to determine what is wrong. Third, check the (ASDM) logs to see if anythings shows in there.

LVL 5

Accepted Solution

by:Feroz Ahmed

Feroz Ahmed earned 400 total points

ID: 387817842013-01-16

Hi ,

I have been through the configuration of your ASA 5520.Could you plz try the below configuration on ASA for traffic flow from Inside to DMZ.

ASA(Config-t)#access-group 101 in interface DMZ (and check whether ICMP is enabled on ASA in order to flow traffic ).

Featured Post

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Cloud disaster recovery mistakes your organization might be making. (As appeared in Cloud Computing Magazine)

Article by: Concerto Cloud

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.

The Insider Threat: History and Defense

Article by: Alexandra

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.

NetCrunch network monitor live walk-through

Video by: AdRem

NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

How to view most utilized nodes in your network?

Video by: AdRem

Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…