
I have an ASA 5510 running 8.2(5) with the following configuration and I am having problems routing traffic between sub-interfaces at the same security level. Although not shown, there are ACLs for each sub-interface allowing ICMP and IP traffic in both directions. NOTE: I have cut down the amount of config posted, but what is there should be sufficient.

The restrictions in place are:

  • No upgrade beyond 8.2(5)
  • No use of same-security commands
  • All inside interfaces to be the same security level

Traffic flows to/from the outside to the various sub-interface, but between sub-interfaces it is hit & miss, which is the source of my confusion. If it were consistent in not working it would be easy.

The problems I am seeing for example are:

  1. Asymmetric NAT rules matched for forward and reverse flows; for traffic from sub-int 112 to 104
  2. ICMP traffic being denied by an implicit rule, yet each ACL has ext perm ICMP any any
  3. I am pretty sure this line `nat (DMZ-102) 1 192.168.102.0 255.255.255.0` is an error, but having it or removing it seems to make no difference.

So if anyone has suggestions/recommendations please let me know.

```
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.172.1.212 255.255.255.0
interface Ethernet0/1
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
interface Ethernet0/1.102
 vlan 102
 nameif DMZ-102
 security-level 100
 ip address 192.168.102.251 255.255.255.0
interface Ethernet0/1.103
 vlan 103
 nameif DMZ-103
 security-level 100
 ip address 192.168.103.252 255.255.255.0
interface Ethernet0/1.104
 vlan 104
 nameif DMZ-104
 security-level 100
 ip address 192.168.104.252 255.255.255.0
interface Ethernet0/1.112
 vlan 112
 nameif DMZ-112
 security-level 100
 ip address 192.168.112.252 255.255.255.0
access-list incoming extended permit ip any any
access-list OUTBOUND extended permit ip any any
global (outside) 1 interface
global (DMZ-102) 1 interface
global (DMZ-103) 1 interface
global (DMZ-104) 1 interface
global (DMZ-112) 1 interface
nat (DMZ-102) 1 192.168.102.0 255.255.255.0
nat (DMZ-102) 0 192.168.102.0 255.255.255.0
nat (DMZ-103) 0 192.168.103.0 255.255.255.0
nat (DMZ-104) 0 192.168.104.0 255.255.255.0
nat (DMZ-112) 0 192.168.112.0 255.255.255.0
static (DMZ-103,outside) 10.172.1.213 192.168.103.11 netmask 255.255.255.255
static (DMZ-102,DMZ-103) 192.168.102.0 192.168.102.0 netmask 255.255.255.255
static (DMZ-102,DMZ-104) 192.168.102.0 192.168.102.0 netmask 255.255.255.255
static (DMZ-102,DMZ-112) 192.168.102.0 192.168.102.0 netmask 255.255.255.255
static (DMZ-103,DMZ-102) 192.168.103.0 192.168.103.0 netmask 255.255.255.255
static (DMZ-103,DMZ-104) 192.168.103.0 192.168.103.0 netmask 255.255.255.255
static (DMZ-103,DMZ-112) 192.168.103.0 192.168.103.0 netmask 255.255.255.255
static (DMZ-104,DMZ-102) 192.168.104.0 192.168.104.0 netmask 255.255.255.255
static (DMZ-104,DMZ-103) 192.168.104.0 192.168.104.0 netmask 255.255.255.255
static (DMZ-104,DMZ-112) 192.168.104.0 192.168.104.0 netmask 255.255.255.255
static (DMZ-112,DMZ-102) 192.168.112.0 192.168.112.0 netmask 255.255.255.255
static (DMZ-112,DMZ-103) 192.168.112.0 192.168.112.0 netmask 255.255.255.255
static (DMZ-112,DMZ-104) 192.168.112.0 192.168.112.0 netmask 255.255.255.255
access-group incoming in interface outside
access-group OUTBOUND out interface outside
route outside 0.0.0.0 0.0.0.0 10.172.1.1 1
```
  • Why wouldn't you be able to use same-security commands? Commented Nov 10, 2014 at 4:05
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer. Commented Aug 10, 2017 at 23:14

1 Answer

Without the use of same-security, traffic will not flow between interfaces at the same security level. That's the way it's designed, and the very purpose of those commands. No amount of ACLs can override that basic function. Once inter-interface/intra-interface is enabled -- thus allowing traffic at all -- ACLs will apply.

(You could set interfaces to different levels and use NAT/ACLs to control the traffic, but your restrictions don't allow that either. And it's a mess to maintain.)

  • Thanks Ricky. I understood that you needed ACLs if you were not using the same-security commands, i.e. the commands were optional. So Commented Nov 10, 2014 at 19:05
  • Thanks Ricky. I obviously have misunderstood the same-security commands, thinking they were optional and avoided the need for ACLs. So on the basis that they are required and given that I am doing static NAT, do I need any additional NAT or Global statements to those I already have for inter-VLAN routing? It also occurs to me that since I am using sub-interfaces for VLANs, do I need both inter and intra traffic allowed? Commented Nov 10, 2014 at 19:11
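The answer's point (no inter-interface forwarding between equal security levels unless `same-security-traffic permit inter-interface` is present, regardless of ACLs) can be checked mechanically before a change window. The following audit script is an added example written for this page; it is not Ricky's code, not part of the question's configuration, and not a Cisco tool. It assumes a `show running-config` text in the 8.2-era syntax shown in the question, and the embedded sample is a constructed excerpt modelled on that configuration rather than output from a real device. Besides the same-security check, it also flags two `nat` statements with different IDs covering the same subnet on one interface (the `nat (DMZ-102) 1` / `nat (DMZ-102) 0` pair the question suspects) as something to review; it does not try to decide which rule the ASA would actually pick.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the question's running-config (not a real device).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.172.1.212 255.255.255.0
interface Ethernet0/1.102
 vlan 102
 nameif DMZ-102
 security-level 100
 ip address 192.168.102.251 255.255.255.0
interface Ethernet0/1.103
 vlan 103
 nameif DMZ-103
 security-level 100
 ip address 192.168.103.252 255.255.255.0
nat (DMZ-102) 1 192.168.102.0 255.255.255.0
nat (DMZ-102) 0 192.168.102.0 255.255.255.0
nat (DMZ-103) 0 192.168.103.0 255.255.255.0
"""

NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)$")


def parse_config(text):
    """Return (interfaces, nat_rules, same_security_flags) from 8.2-style config text.

    interfaces: nameif -> security level
    nat_rules:  list of (interface, nat_id, subnet, mask)
    same_security_flags: set of 'inter-interface' / 'intra-interface' seen
    """
    interfaces = {}
    nat_rules = []
    same_sec = set()
    current = None  # interface block being parsed (assumes nameif/security-level follow 'interface')
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"nameif": None, "level": None}
            continue
        if current is not None and line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif current is not None and line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        elif line.startswith("same-security-traffic permit "):
            same_sec.add(line.split()[-1])
        m = NAT_RE.match(line)
        if m:
            nat_rules.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        # Register the interface once both its name and level are known (idempotent).
        if current and current["nameif"] and current["level"] is not None:
            interfaces[current["nameif"]] = current["level"]
    return interfaces, nat_rules, same_sec


def audit(text):
    """Return a list of human-readable findings for the configuration."""
    interfaces, nat_rules, same_sec = parse_config(text)
    findings = []

    # 1. Same security level on two or more interfaces without the permit command:
    #    the ASA drops the traffic before any ACL is consulted.
    by_level = defaultdict(list)
    for name, level in interfaces.items():
        by_level[level].append(name)
    for level, names in sorted(by_level.items()):
        if len(names) > 1 and "inter-interface" not in same_sec:
            findings.append(
                f"interfaces {sorted(names)} share security-level {level} but "
                "'same-security-traffic permit inter-interface' is absent: "
                "traffic between them is dropped before any ACL is evaluated")

    # 2. Two nat statements with different IDs for the same subnet on one interface.
    seen = defaultdict(set)
    for iface, nat_id, subnet, mask in nat_rules:
        key = (iface, subnet, mask)
        if seen[key] and nat_id not in seen[key]:
            findings.append(
                f"nat ({iface}) ids {sorted(seen[key] | {nat_id})} both cover "
                f"{subnet} {mask}: overlapping nat/identity rules, review which one is intended")
        seen[key].add(nat_id)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the real `show running-config` output instead of `SAMPLE_CONFIG` and an empty list means both checks pass; appending `same-security-traffic permit inter-interface` to the sample makes the first finding disappear, which is exactly the change the answer says the restrictions forbid.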
