Problem communicating between same-security interfaces on a Cisco ASA 5516

Hello everyone,


I have a Cisco ASA 5516 with two inside interfaces. One is for the customer LAN and the other is for a few branch offices connected via a router that is connected to the 2nd inside interface (all those offices are in the same building, connected by a FO backbone). The customer is going to replace an old ASA 5510 where almost the same config already works.

LAN network is 192.168.0.0/24, connected to 1/3 on the ASA.

Branch offices are connected via 192.168.2.0/24, which is connected to 1/4 on the ASA.
 
I want to be able to ping and have unrestricted traffic between them.

Currently I have a laptop connected to int 1/3 and another one connected to int 1/4, but no ping.

Someone please help!

Here's the configuration:

ASA Version 9.8(2)17
!
hostname ASAFCHFW
domain-name mydomain.com
enable password $sha512$5000$pt2nRGQbSXA8K3vdow+Ztg==$kGNfDJREqQCQ+jO7m0bxmQ== pbkdf2
names
no mac-address auto

!
interface GigabitEthernet1/1
nameif Outside
security-level 0
ip address x.x.x.131 255.255.255.240
!
interface GigabitEthernet1/2
nameif DMZ
security-level 10
ip address 172.16.31.1 255.255.255.240
!
interface GigabitEthernet1/3
nameif Inside
security-level 100
ip address 192.168.0.2 255.255.255.0
!
interface GigabitEthernet1/4
nameif Branch_Office
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 0
ip address 192.168.200.10 255.255.255.0
!
banner exec # WARNING!! Unauthorized Access Prohibited!! #
banner login # WARNING!! Unauthorized Access Prohibited!! #
banner motd # WARNING!! Unauthorized Access Prohibited!! #
boot system disk0:/asa982-17-lfbff-k8.SPA
ftp mode passive
dns server-group DefaultDNS
domain-name mydomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WWW-Internet
host x.x.x.133
object network WWW-DMZ
host 172.16.31.3
object network WebSeg-Internet
host x.x.x.133
object network WebSeg-DMZ
host 172.16.31.3
object network Email-Internet
host x.x.x.141
object network Email-DMZ
host 172.16.31.6
object network DNS-Internet
host x.x.x.130
object network DNS-DMZ
host 172.16.31.2
object-group network Branch-NETWORKS
network-object 192.168.2.0 255.255.255.0
network-object 192.168.14.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object 192.168.17.0 255.255.255.0
network-object 192.168.18.0 255.255.255.0
network-object 192.168.19.0 255.255.255.0
network-object 172.16.2.0 255.255.255.252
object-group network Inside-Network
network-object 192.168.0.0 255.255.255.0
access-list 100 extended permit tcp any object WWW-Internet eq www
access-list 100 extended permit tcp any object WebSeg-Internet eq https
access-list 100 extended permit tcp any object DNS-Internet eq domain
access-list 100 extended permit tcp any object Email-Internet eq smtp
access-list Outside extended permit icmp any4 any4 echo
access-list Inside extended permit ip any4 any4
access-list Inside extended permit tcp any4 any4
access-list Inside extended permit udp any4 any4
access-list Inside extended permit icmp any4 any4
access-list Branch_Office extended permit ip any4 any4
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
mtu Branch_Office 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 10 burst-size 5
icmp permit any Outside
icmp permit any DMZ
icmp permit any Branch_Office
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (DMZ,Outside) source static WWW-DMZ WWW-Internet
nat (DMZ,Outside) source static WebSeg-DMZ WebSeg-Internet
nat (DMZ,Outside) source static DNS-DMZ DNS-Internet
nat (DMZ,Outside) source static Email-DMZ Email-Internet
nat (Branch_Office,Inside) source static Branch-NETWORKS Branch-NETWORKS destination static Inside-Network Inside-Network no-proxy-arp
nat (Inside,Branch_Office) source static Inside-Network Inside-Network destination static Branch-NETWORKS Branch-NETWORKS no-proxy-arp
!
nat (Inside,Outside) after-auto source dynamic any interface
nat (DMZ,Outside) after-auto source dynamic any interface
nat (Branch_Office,Outside) after-auto source dynamic any interface
access-group 100 in interface Outside
access-group Inside in interface Inside
access-group Branch_Office in interface Branch_Office
route Outside 0.0.0.0 0.0.0.0 x.x.x.129 1
route Branch_Office 172.16.2.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.14.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.15.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.16.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.17.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.18.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.19.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:965e37f79971291b272f115cf36d766f
: end
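As an added example (not part of the thread, not Cisco code), a small Python audit that reads the lines of a running-config that decide whether two same-security interfaces can talk (security-level, same-security-traffic, inbound access-group and its ACL) and reports why a flow would be dropped. SAMPLE_CONFIG is a constructed excerpt modelled on the posted config; the ASA semantics assumed are that same-security traffic needs `permit inter-interface`, and that an interface with no inbound ACL passes it while an applied ACL ends in an implicit deny.

```python
"""Audit for the same-security-interface question in this thread. Added example,
not Cisco's or the poster's code; SAMPLE_CONFIG is a constructed excerpt."""
import re

SAMPLE_CONFIG = """
interface GigabitEthernet1/3
nameif Inside
security-level 100
interface GigabitEthernet1/4
nameif Branch_Office
security-level 100
same-security-traffic permit inter-interface
access-list Inside extended permit ip any4 any4
access-list Branch_Office extended permit ip any4 any4
access-group Inside in interface Inside
access-group Branch_Office in interface Branch_Office
"""

def parse(cfg):
    """Collect nameif/security-level pairs, ACL bodies, inbound ACL bindings
    and same-security-traffic flags from running-config text."""
    ifaces, acls, groups, flags, cur = {}, {}, {}, set(), None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("interface "):
            cur = {"level": None}
        elif line.startswith("nameif ") and cur is not None:
            ifaces[line.split()[1]] = cur          # level is filled in below
        elif line.startswith("security-level ") and cur is not None:
            cur["level"] = int(line.split()[1])
        elif line.startswith("same-security-traffic permit "):
            flags.add(line.split()[-1])            # inter-interface / intra-interface
        elif line.startswith("access-list "):
            acls.setdefault(line.split()[1], []).append(line)
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            groups[m.group(2)] = m.group(1)
    return ifaces, acls, groups, flags

def audit(cfg, src, dst):
    """List why a flow entering `src` bound for `dst` would be dropped by
    security level, inter-interface policy or the inbound ACL (empty = passes)."""
    ifaces, acls, groups, flags = parse(cfg)
    findings = []
    if ifaces[src]["level"] != ifaces[dst]["level"]:
        findings.append(f"{src}/{dst} security levels differ; normal level rules apply")
    elif "inter-interface" not in flags:
        findings.append("same-security-traffic permit inter-interface is missing")
    acl = groups.get(src)   # no inbound ACL: flow passes; with one, its implicit deny applies
    if acl and not any(re.search(r"permit (ip|icmp) any4? any4?\b", a) for a in acls.get(acl, [])):
        findings.append(f"ACL {acl} on {src} has no permit ip/icmp any line")
    return findings
```

Run `audit(SAMPLE_CONFIG, "Inside", "Branch_Office")` against the posted excerpt and it returns no findings; the same check on a running-config pasted from `show run` quickly rules the three policy layers in or out before moving on to routing or host-side causes.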
Adam Brown, Senior Systems Admin

Commented:
You need an ACL to allow traffic from the 192.168.0.0 LAN in to the 192.168.2.0 LAN.

Commented:
Try this

ASA#configure terminal
ASA(config)#same-security-traffic permit intra-interface

Author

Commented:
Adam, is this ACL not enough?

access-list Branch_Office extended permit ip any4 any4
Commented:
Or use same-security-traffic permit intra-interface, or use a nonat statement to allow traffic flow.

Author

Commented:
Benjamin, if you look at the configuration, both things are implemented. Are they badly implemented?
Feroz Ahmed, Senior Network Security / Senior System Engineer

Commented:
Hi,

Could you try configuring the access-list as below and check if you are able to ping between int 1/3 & 1/4.

ASA(Config-t)#access-list 100 per ip any any
ASA(Config-t)#access-list 100 per icmp any any echo-reply
ASA(Config-t)#access-group 100 in interface Branch_Office
ASA(Config-t)#access-group 100 in interface Inside

The above configuration on the ASA will make you able to ping from int 1/3 to 1/4. If not, please revert back to me on the same thread.
Pete Long, Technical Consultant

Commented:
We don't need NAT to traverse interfaces? We haven't since version 8.2.
You shouldn't even need an ACL TBH, assuming you have permitted inter-interface traffic as already pointed out.

What if you run:

packet-tracer input Inside icmp 192.168.0.10 8 0 192.168.2.10
and
packet-tracer input Branch_Office icmp 192.168.2.10 8 0 192.168.0.10

What does that tell you?
