[c-nsp] ASA Routing Problem

David Prall dcp at dcptech.com
Tue Jan 16 13:24:31 EST 2007


Typically traffic isn't allowed between two interfaces with the same
security level:

same-security-traffic permit inter-interface

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b7c.html#wp1039276

http://tinyurl.com/vzty5

David

--
http://dcp.dcptech.com


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
> Sent: Tuesday, January 16, 2007 1:13 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA Routing Problem
>
> Hi there...
>
> Hoping an "ASA expert" or PIX guy could answer this... I ran across this
> before, searched the list archives and can't find the easy way to do
> this...;)
>
> We have an ASA5520 firewall with three GigE interfaces (one outside, one
> data, and one voice)....   I want to see traffic between the voice and data
> subnets but cannot at this point.... I'm sure it's something simple?? ;)
>
> interface GigabitEthernet0/0
>  nameif Outside
>  security-level 0
>  ip address xxx.xxx.xxx.179 255.255.255.240
> !
> interface GigabitEthernet0/1
>  nameif Inside
>  security-level 100
>  ip address 192.192.61.224 255.255.255.0
> !
> interface GigabitEthernet0/2
>  nameif voice
>  security-level 100
>  ip address 172.16.254.1 255.255.255.0
>
> access-list ANY extended permit ip any any
> access-list ANY extended permit icmp any any
>
> mtu Outside 1500
> mtu Inside 1500
> mtu management 1500
> mtu voice 1500
>
> ip verify reverse-path interface Outside
> ip verify reverse-path interface Inside
>
> nat-control
> global (Outside) 10 interface
> nat (Inside) 10 0.0.0.0 0.0.0.0 dns
> nat (voice) 10 0.0.0.0 0.0.0.0 dns
> access-group ANY in interface Outside
> access-group ANY out interface Outside
> access-group ANY in interface Inside
> access-group ANY out interface Inside
> access-group ANY in interface voice
> access-group ANY out interface voice
>
> route Outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.177 1
>
> Thanks,
>
> Paul Stewart
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
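The point David makes above (two interfaces at the same security-level, here Inside and voice both at 100, do not pass traffic to each other until `same-security-traffic permit inter-interface` is configured) is easy to check mechanically before a change window. The following Python config linter is an added example, not code from the thread or from Cisco; it parses the `interface` / `nameif` / `security-level` blocks out of an ASA running-config, lists every pair of interfaces that share a level, and reports the pair as a finding when the `same-security-traffic` command is absent. The sample config embedded in it is constructed, modelled on Paul's, with the public addresses replaced by RFC 5737 documentation space.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the interface and NAT lines quoted in the
# thread (public addresses replaced with 192.0.2.0/24 documentation space).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 192.0.2.179 255.255.255.240
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.0.2.224 255.255.255.0
!
interface GigabitEthernet0/2
 nameif voice
 security-level 100
 ip address 172.16.254.1 255.255.255.0
!
nat-control
global (Outside) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0 dns
nat (voice) 10 0.0.0.0 0.0.0.0 dns
"""

# The global command David points at; the exact line the ASA accepts.
INTER_CMD = "same-security-traffic permit inter-interface"


def parse_interfaces(config):
    """Return {nameif: security-level} for every interface block that has both.

    Each 'interface ...' line starts a new block; nameif and security-level may
    appear in either order inside it, so the block is flushed when the next
    block starts and once more at end of file.
    """
    levels = {}
    block = {}

    def flush():
        if "nameif" in block and "level" in block:
            levels[block["nameif"]] = block["level"]
        block.clear()

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            flush()
        elif line.startswith("nameif "):
            block["nameif"] = line.split(None, 1)[1]
        elif line.startswith("security-level "):
            block["level"] = int(line.split()[1])
    flush()
    return levels


def same_security_pairs(levels):
    """List (a, b, level) for every pair of interfaces sharing a security-level."""
    by_level = defaultdict(list)
    for name, level in levels.items():
        by_level[level].append(name)
    pairs = []
    for level, names in sorted(by_level.items()):
        names.sort()
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                pairs.append((a, b, level))
    return pairs


def inter_interface_permitted(config):
    """True only if the exact command is present (a 'no ...' form does not match)."""
    return any(line.strip() == INTER_CMD for line in config.splitlines())


def audit(config):
    """Summarise the same-security situation of one ASA config."""
    levels = parse_interfaces(config)
    pairs = same_security_pairs(levels)
    permitted = inter_interface_permitted(config)
    findings = []
    if pairs and not permitted:
        for a, b, level in pairs:
            findings.append(
                f"{a} <-> {b} both use security-level {level} but "
                f"'{INTER_CMD}' is not configured; traffic between them is dropped"
            )
    return {"levels": levels, "pairs": pairs, "permitted": permitted,
            "findings": findings}


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", finding)
    # Re-run against the config with the command David suggests appended.
    print("after fix:", audit(SAMPLE_CONFIG + INTER_CMD + "\n")["findings"])
```

Run it against a `show running-config` capture instead of the embedded sample to get the same report for a live box. Note that the command only removes the same-security block: once it is in place the interface ACLs (and, with `nat-control` enabled, the NAT rules) still have to match the Inside-to-voice flow for it to pass.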