Solved

can't traffic between same security level interfaces

Posted on 2013-01-05

4 solutions

493 Views

Last Modified: 2013-02-03

hello dear experts,
i have installed asa5520 and his software version is 8.3(1).
there is 2 difference interfaces with same security level 100 (DMZ and inside).
and configured same-interface-traffic permit inter-interface
But i can't reach traffics between each other.
our asa's configure is below:

ASA# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet0/1
-----more------
!
interface GigabitEthernet0/2
------more------
!
interface GigabitEthernet0/3
nameif DMZ
security-level 100
ip address 172.29.0.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!

access-list DMZ_access_in extended permit ip any any

access-list inside_in extended permit ip any any

access-group inside_in in interface inside

access-group DMZ_access_in in interface DMZ

Comment

Question by:itsbm

[X]

Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

Help others & share knowledge
Earn cash & points
Learn & ask questions

Join The Community

4 Comments

LVL 18

Assisted Solution

by:Garry Glendown

Garry Glendown earned 100 total points

ID: 387481462013-01-06

Check if you have NAT/NAT exemptions configured between the two interfaces ... also, did you try running the packet tracer to see what the firewall is doing with the packets? Do a test in both directions and see whether/where it fails ...

LVL 22

Assisted Solution

by:eeRoot

eeRoot earned 100 total points

ID: 387535152013-01-07

Can devices in the DMZ ping the DMZ default gateway address? Does the log show any blocked connections if you try a constant ping from the DMZ to the inside network?

LVL 35

Assisted Solution

by:Ernie Beek

Ernie Beek earned 100 total points

ID: 387538072013-01-08

Like Garry said, do you have NAT setup (exemptions/static)? Also, a more complete (sanitized) config would be handy to determine what is wrong. Third, check the (ASDM) logs to see if anythings shows in there.

LVL 5

Accepted Solution

by:Feroz Ahmed

Feroz Ahmed earned 200 total points

ID: 387817842013-01-16

Hi ,

I have been through the configuration of your ASA 5520.Could you plz try the below configuration on ASA for traffic flow from Inside to DMZ.

ASA(Config-t)#access-group 101 in interface DMZ (and check whether ICMP is enabled on ASA in order to flow traffic ).

Featured Post

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do You Have Enough Bandwidth Available for All Your Tasks?

Article by: Kimberley

PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.

Industrial Networking - Robots are the future

Article by: Rob

This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.

Setup Mikrotik routers with OSPF… Part 2

Video by: Dirk

After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

Network monitoring: why having a policy is the best policy?

Video by: AdRem

Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…