Solved

cisco asa5506 traffic between interfaces

Posted on 2016-08-27
Last Modified: 2016-09-06
How do you allow interfaces on an ASA 5506 to pass traffic? I see a check mark there and have also ensured the security levels are the same, but I can't ping either interface's subnet.

Appreciate your time...

Thanks,

Question by: mwauki
LVL 92

Expert Comment

by:John Hurst
ID: 41772891
Are the two machines together in the same office / area, or are they separated by the internet and in different locations? In the latter case, you would need to set up a VPN connection to connect the devices.
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 41772975
Each interface on a 5506 is routed and will have its own nameif with a security level.

You will create ACLs for the traffic inbound to the ASA for the permitted actions and deny all else for that subnet, then permit everything (rule order is important).

You may also need the "same-security-traffic permit inter-interface" or "same-security-traffic permit intra-interface".

If you can be specific, we can help craft rules.

Author Comment

by:mwauki
ID: 41773282
Thanks! OK, here it is:
ASA 5506, Gigabit1/2 & 1/3, on the same unit.
IPs: g1/2 = 192.168.1.0/24, g1/3 = 192.168.2.0/24

I've run "same-security-traffic permit intra-interface" and I can see that both interfaces are able to exchange traffic now. However, when I created a VPN from this unit (site A) to another unit (site B), only devices on g1/2 get a successful ping across to site B. Site B also gets a successful ping only to devices on g1/2.

VPN (site-to-site): site A g1/2 & g1/3 are under one network object as a network.

Windows Firewall is turned off on all involved stations.

Please let me know if you need more info.

Thanks,
LVL 28

Expert Comment

by:Jan Springer
ID: 41773291
Does the ACL for the VPN include both subnets?

Are both subnets excluded from NAT?
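As an added check for the items raised in the accepted answer and in the two questions just above (inter-interface permit, crypto ACL covering both local subnets, NAT exemption for both), here is a small Python script that is not from this thread or from Cisco: it scans a sanitized "show run" and reports which local subnets are missing. It assumes ASA 8.3+ object NAT syntax, crypto ACL entries written with an explicit network and mask (as the asker's subnets are), and it embeds a constructed config fragment rather than the asker's real configuration.

```python
import ipaddress
import re

# Constructed, sanitized fragment (not the asker's config): both local subnets are in the crypto ACL and in identity NAT.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet1/3
 ip address 192.168.2.1 255.255.255.0
same-security-traffic permit inter-interface
object network LAN-1
 subnet 192.168.1.0 255.255.255.0
object network LAN-2
 subnet 192.168.2.0 255.255.255.0
object network SITE-B
 subnet 192.168.10.0 255.255.255.0
access-list SITE-B-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list SITE-B-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside,outside) source static LAN-1 LAN-1 destination static SITE-B SITE-B
nat (inside2,outside) source static LAN-2 LAN-2 destination static SITE-B SITE-B
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_asa(text):
    """Interface subnets, object subnets, crypto-ACL sources and identity-NAT sources."""
    objects, iface_nets, acls, nat_exempt, same_sec, cur = {}, {}, {}, set(), False, None
    for line in text.splitlines():
        if m := re.match(r"(?:object network|interface) (\S+)", line):
            cur = m.group(1)                      # name of the block we are inside
        elif m := re.match(r" subnet (\S+) (\S+)", line):
            objects[cur] = _net(*m.groups())
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            iface_nets[cur] = _net(*m.groups())
        elif line.startswith("same-security-traffic permit inter-interface"):
            same_sec = True
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) \S+ \S+$", line):
            acls.setdefault(m.group(1), set()).add(_net(m.group(2), m.group(3)))
        elif m := re.match(r"nat \(\S+\) source static (\S+) \1 destination static", line):
            nat_exempt.add(objects.get(m.group(1)))   # real == mapped source: exemption
    return iface_nets, same_sec, acls, nat_exempt

def vpn_gaps(text, crypto_acl, local_ifaces):
    """The thread's checklist: inter-interface permit, crypto ACL and NAT exemption coverage."""
    iface_nets, same_sec, acls, nat_exempt = parse_asa(text)
    local = {iface_nets[i] for i in local_ifaces}
    return {"inter_interface_permitted": same_sec,
            "missing_from_crypto_acl": sorted(str(n) for n in local - acls.get(crypto_acl, set())),
            "missing_nat_exemption": sorted(str(n) for n in local - nat_exempt)}
```

Running vpn_gaps on the embedded fragment with SITE-B-VPN as the crypto ACL and both GigabitEthernet interfaces reports no gaps; dropping the second access-list and nat lines makes it report 192.168.2.0/24 as missing, which matches the one-subnet-only symptom described in the thread.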

Author Comment

by:mwauki
ID: 41773684
Isn't the ACL auto-created once the VPN is configured and online? Sorry, just trying to understand this...

I can see that my ACL has the default entries, unless I'm looking in the wrong place... please advise.

Thanks,
LVL 28

Expert Comment

by:Jan Springer
ID: 41773841
You have to define somewhere the local and remote "interesting" subnets for encryption.

I don't use ASDM, so if that's what you're using, I won't be of much help.

If you post a sanitized configuration, that would give me somewhere to start.

Author Comment

by:mwauki
ID: 41774178
OK. Any specific part of the running config? I can do a little from the CLI... would you be able to show me the CLI command I need to run for this in particular?
LVL 28

Expert Comment

by:Jan Springer
ID: 41774753
term pag 0
sh run

Then do an X.X for the first two octets of the public IP(s).  

Delete all lines that contain: passwords, keys, usernames, logging, snmp, etc.

We're only interested in any detail that involves routing, including access lists. So, if you're using objects and object-groups, I'll need that detail. If you don't want it publicly published, send it to my EE mailbox. I'll look at it and respond back here.

Author Comment

by:mwauki
ID: 41775784
OK, sent it to your message box.