Cisco ASA not forwarding traffic from one interface to another


Solution 1

I finally got this fixed! I was doing way too much NAT. I deactivated nat-control, allowed same-security-level communication and got rid of most of the NAT stuff.

Below is my working config.

    !
    hostname Fuji
    !
    interface Ethernet0/0
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address 10.0.0.2 255.255.255.0
     no shutdown
    !
    interface Ethernet0/1
     speed 100
     duplex full
     nameif cs4
     no shutdown
     security-level 100
     ip address 10.1.4.1 255.255.255.0
    !
    interface Ethernet0/2
     speed 100
     duplex full
     no shutdown
    !
    interface Ethernet0/2.15
     vlan 15
     nameif cs5
     security-level 100
     ip address 10.1.5.1 255.255.255.0
    !
    interface Ethernet0/2.16
     vlan 16
     nameif cs6
     security-level 100
     ip address 10.1.6.1 255.255.255.0
    !
    interface Management0/0
     speed 100
     duplex full
     nameif management
     security-level 100
     ip address 10.6.0.252 255.255.255.0
    !
    same-security-traffic permit inter-interface
    no nat-control
    !
    access-list acl_cs4 extended permit ip 10.1.4.0 255.255.255.0 any
    access-list acl_cs5 extended permit ip 10.1.5.0 255.255.255.0 any
    access-list acl_cs6 extended permit ip 10.1.6.0 255.255.255.0 any
    !
    access-list acl_outside extended permit ip any 10.1.4.0 255.255.255.0
    access-list acl_outside extended permit ip any 10.1.5.0 255.255.255.0
    access-list acl_outside extended permit ip any 10.1.6.0 255.255.255.0
    !
    static (outside,cs4) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
    static (outside,cs5) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
    static (outside,cs6) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
    !
    access-group acl_outside in interface outside
    access-group acl_cs4 in interface cs4
    access-group acl_cs5 in interface cs5
    access-group acl_cs6 in interface cs6
    !
    router ospf 1
     network 10.0.0.0 255.255.255.0 area 1
     network 10.1.4.0 255.255.255.0 area 1
     network 10.1.5.0 255.255.255.0 area 1
     network 10.1.6.0 255.255.255.0 area 1
     log-adj-changes
    !

Solution 2

Add same-security-traffic permit inter-interface to your configuration. Interfaces with the same security level can't communicate with each other without this command.
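Both answers come down to two lines of the running config, so here is a small audit script (an added example, not code from either answer) that reads an ASA 8.2-style config as text and reports the two conditions: interfaces sharing a security level without same-security-traffic permit inter-interface, and nat-control switched on while a named interface has no nat or static rule of its own. The sample config is a constructed, trimmed copy of the question's, with nat-control written out explicitly so the check can see it.

```python
import re
from collections import defaultdict
# Constructed sample (not the poster's full config): a trimmed copy of the question's
# ASA 8.2-style config with nat-control written out and cs5 left without a NAT rule.
BROKEN_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif cs4
 security-level 100
interface Ethernet0/2.15
 nameif cs5
 security-level 100
nat-control
nat (outside) 0 access-list nat_outside
static (cs4,outside) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
"""
# The same sample with the two changes Solution 1 made.
FIXED_CONFIG = (BROKEN_CONFIG.replace("\nnat-control\n", "\nno nat-control\n")
                + "same-security-traffic permit inter-interface\n")
def parse_interfaces(config):
    """Map nameif -> security-level for every named interface block."""
    levels, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = None  # new block: forget the previous nameif
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            current = m.group(1)
        m = re.match(r"\s+security-level (\d+)", line)
        if m and current:
            levels[current] = int(m.group(1))
    return levels

def audit(config):
    """Return human-readable findings; an empty list means both checks pass."""
    levels, findings = parse_interfaces(config), []
    by_level = defaultdict(list)
    for name, lvl in levels.items():
        by_level[lvl].append(name)
    same = [names for names in by_level.values() if len(names) > 1]
    if same and "same-security-traffic permit inter-interface" not in config:
        findings.append(f"same-level interfaces {same} need 'same-security-traffic permit inter-interface'")
    if re.search(r"^nat-control$", config, re.M):
        # nat-control on: traffic from an interface with no nat/static rule is dropped
        natted = set(re.findall(r"^(?:nat|static) \((\w+)[,)]", config, re.M))
        for name in levels:
            if name not in natted:
                findings.append(f"nat-control is on but '{name}' has no nat/static rule")
    return findings
```

Run audit() over the output of show running-config; the sample above yields two findings, and the fixed variant yields none.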


Author: Antoine Benkemoun

IT Engineer. Have worked as network engineer for Orange Business Services and embedded network engineer for Dassault Aviation.

Updated on September 17, 2022

Comments

  • Antoine Benkemoun over 1 year

    I am needing help in the configuration process of my Cisco ASA 5510. I have set up 4 Cisco ASAs interconnected together via a big LAN. Each Cisco ASA has 3 or 4 LANs attached to it. The IP routing part is taken care of by OSPF. My problem is on another level.

    A computer connected to one of the LANs attached to an ASA has no problem communicating with the outside world. The outside world being anything "after" the ASA. My problem is that I am completely unable to have them communicate with another LAN connected to the same ASA. To rephrase this, I am unable to send traffic from one interface of a given ASA to another interface of the same ASA.

    My configuration is the following:

    !
    hostname Fuji
    !
    interface Ethernet0/0
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address 10.0.0.2 255.255.255.0
     no shutdown
    !
    interface Ethernet0/1
     speed 100
     duplex full
     nameif cs4
     no shutdown
     security-level 100
     ip address 10.1.4.1 255.255.255.0
    !
    interface Ethernet0/2
     speed 100
     duplex full
     no shutdown
    !
    interface Ethernet0/2.15
     vlan 15
     nameif cs5
     security-level 100
     ip address 10.1.5.1 255.255.255.0
    !
    interface Ethernet0/2.16
     vlan 16
     nameif cs6
     security-level 100
     ip address 10.1.6.1 255.255.255.0
    !
    interface Management0/0
     speed 100
     duplex full
     nameif management
     security-level 100
     ip address 10.6.0.252 255.255.255.0
    !
    access-list nat_cs4 extended permit ip 10.1.4.0 255.255.255.0 any
    access-list acl_cs4 extended permit ip 10.1.4.0 255.255.255.0 any
    access-list nat_cs5 extended permit ip 10.1.5.0 255.255.255.0 any
    access-list acl_cs5 extended permit ip 10.1.5.0 255.255.255.0 any
    access-list nat_cs6 extended permit ip 10.1.6.0 255.255.255.0 any
    access-list acl_cs6 extended permit ip 10.1.6.0 255.255.255.0 any
    !
    access-list nat_outside extended permit ip any any
    access-list acl_outside extended permit ip any 10.1.4.0 255.255.255.0
    access-list acl_outside extended permit ip any 10.1.5.0 255.255.255.0
    access-list acl_outside extended permit ip any 10.1.6.0 255.255.255.0
    !
    nat (outside) 0 access-list nat_outside
    nat (cs4) 0 access-list nat_cs4
    nat (cs5) 0 access-list nat_cs5
    nat (cs6) 0 access-list nat_cs6
    !
    static (outside,cs4) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
    static (outside,cs5) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
    static (outside,cs6) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
    !
    static (cs4,outside) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
    static (cs4,cs5) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
    static (cs4,cs6) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
    !
    static (cs5,outside) 10.1.5.0 10.1.5.0 netmask 255.255.255.0
    static (cs5,cs4) 10.1.5.0 10.1.5.0 netmask 255.255.255.0
    static (cs5,cs6) 10.1.5.0 10.1.5.0 netmask 255.255.255.0
    !
    static (cs6,outside) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
    static (cs6,cs4) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
    static (cs6,cs5) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
    !
    access-group acl_outside in interface outside
    access-group acl_cs4 in interface cs4
    access-group acl_cs5 in interface cs5
    access-group acl_cs6 in interface cs6
    !
    router ospf 1
     network 10.0.0.0 255.255.255.0 area 1
     network 10.1.4.0 255.255.255.0 area 1
     network 10.1.5.0 255.255.255.0 area 1
     network 10.1.6.0 255.255.255.0 area 1
     log-adj-changes
    !

    There is nothing really complicated in this configuration. It just NATs from one interface to another and that's it. I have tried enabling same-security-traffic permit inter-interface but that doesn't help.

    I therefore must be missing something a little bit more complicated. Does anyone know why I cannot forward traffic from one interface to another?

    Thank you in advance for your help,

    Antoine

  • Antoine Benkemoun about 14 years
    As I specified in my post, I have tried that and it doesn't help.
  • radius about 14 years
    Oops, sorry, I missed that. Did you try removing the statics between CSx? Did you try with different levels on the interfaces?
  • Antoine Benkemoun about 14 years
    Removing the statics doesn't help... I'm planning another lab session Tuesday, we'll see how it goes then.