Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

can't traffic between same security level interfaces

Posted on 2013-01-05
4
Medium Priority
?
500 Views
Last Modified: 2013-02-03
hello dear experts,
i have installed asa5520 and his software version is 8.3(1).
there is 2 difference interfaces with same security level 100 (DMZ and inside).
and configured same-interface-traffic permit inter-interface
But i can't reach traffics between each other.
our asa's configure is below:

ASA# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet0/1
-----more------
!
interface GigabitEthernet0/2
------more------
!            
interface GigabitEthernet0/3
 nameif DMZ
 security-level 100
 ip address 172.29.0.254 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!

access-list DMZ_access_in extended permit ip any any

access-list inside_in extended permit ip any any

access-group inside_in in interface inside

access-group DMZ_access_in in interface DMZ
0
Comment
Question by:itsbm
4 Comments
 
LVL 18

Assisted Solution

by:Garry Glendown
Garry Glendown earned 200 total points
ID: 38748146
Check if you have NAT/NAT exemptions configured between the two interfaces ... also, did you try running the packet tracer to see what the firewall is doing with the packets? Do a test in both directions and see whether/where it fails ...
0
 
LVL 22

Assisted Solution

by:eeRoot
eeRoot earned 200 total points
ID: 38753515
Can devices in the DMZ ping the DMZ default gateway address?  Does the log show any blocked connections if you try a constant ping from the DMZ to the inside network?
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 200 total points
ID: 38753807
Like Garry said, do you have NAT setup (exemptions/static)? Also, a more complete (sanitized) config would be handy to determine what is wrong. Third, check the (ASDM) logs to see if anythings shows in there.
0
 
LVL 5

Accepted Solution

by:
Feroz Ahmed earned 400 total points
ID: 38781784
Hi ,

I have been through the configuration of your ASA 5520.Could you plz try the below configuration on ASA for traffic flow from Inside to DMZ.

ASA(Config-t)#access-group 101 in interface DMZ (and check whether ICMP is enabled on ASA in order to flow traffic ).
0

Featured Post

Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we’ll look at how to deploy ProxySQL.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question