[c-nsp] ASA Routing Problem

Paul Stewart paul at paulstewart.org
Tue Jan 16 13:34:52 EST 2007


Thanks for the reply...

That was the command I was looking for..;)  I applied it; however, I still
cannot reach the voice VLAN from the data VLAN....   I don't understand the
ACL portion, as it looks to me like I'm permitting everything (am I reading
it wrong?)

Appreciate it,

Paul

-----Original Message-----
From: Brian Desmond [mailto:brian at briandesmond.com] 
Sent: Tuesday, January 16, 2007 1:22 PM
To: Paul Stewart; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] ASA Routing Problem

Paul-

Either apply that any/any ACL to your Inside and voice interfaces, or use
the "same-security-traffic permit inter-interface" command on the pix. 

Thanks,
Brian Desmond
brian at briandesmond.com

c - 312.731.3132


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- 
> bounces at puck.nether.net] On Behalf Of Paul Stewart
> Sent: Tuesday, January 16, 2007 1:13 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA Routing Problem
> 
> Hi there...
> 
> Hoping an "ASA expert" or PIX guy could answer this... I ran across
> this before, searched the list archives and can't find the easy way to
> do this...;)
> 
> We have an ASA5520 firewall with three GigE interfaces (one outside,
> one data, and one voice)....   I want to see traffic between the voice
> and data subnets but cannot at this point.... I'm sure it's something
> simple?? ;)
> 
> interface GigabitEthernet0/0
>  nameif Outside
>  security-level 0
>  ip address xxx.xxx.xxx.179 255.255.255.240
> !
> interface GigabitEthernet0/1
>  nameif Inside
>  security-level 100
>  ip address 192.192.61.224 255.255.255.0
> !
> interface GigabitEthernet0/2
>  nameif voice
>  security-level 100
>  ip address 172.16.254.1 255.255.255.0
> 
> access-list ANY extended permit ip any any
> access-list ANY extended permit icmp any any
> 
> mtu Outside 1500
> mtu Inside 1500
> mtu management 1500
> mtu voice 1500
> 
> ip verify reverse-path interface Outside
> ip verify reverse-path interface Inside
> 
> nat-control
> global (Outside) 10 interface
> nat (Inside) 10 0.0.0.0 0.0.0.0 dns
> nat (voice) 10 0.0.0.0 0.0.0.0 dns
> access-group ANY in interface Outside
> access-group ANY out interface Outside
> access-group ANY in interface Inside
> access-group ANY out interface Inside
> access-group ANY in interface voice
> access-group ANY out interface voice
> 
> route Outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.177 1
> 
> Thanks,
> 
> Paul Stewart
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
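An added configuration example, not part of Paul's or Brian's messages, showing Brian's `same-security-traffic` suggestion together with the NAT rule a practitioner would check next: the posted config has `nat-control` enabled, and NAT pool 10 only has a `global` on Outside, so there is no translation for traffic between Inside and voice. The subnets are taken from the posted interface addresses; the access-list names and the `!` annotation lines are mine, and the `nat 0 access-list` syntax is the pre-8.3 NAT model that the posted config uses.

```text
! Required: Inside and voice are both security-level 100, and the ASA drops
! traffic between same-security interfaces until this is enabled. ACLs bound
! to the interfaces do not override that default.
same-security-traffic permit inter-interface

! With nat-control on, every flow crossing two interfaces needs a matching
! translation. Pool 10 only has "global (Outside) 10", so Inside<->voice has
! none and is dropped with syslog 305005 ("No translation group found").
! NAT-exempt the two internal subnets from each other in both directions.
access-list NONAT-INSIDE extended permit ip 192.192.61.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list NONAT-VOICE extended permit ip 172.16.254.0 255.255.255.0 192.192.61.0 255.255.255.0
nat (Inside) 0 access-list NONAT-INSIDE
nat (voice) 0 access-list NONAT-VOICE
```

To confirm the first command took, `show run same-security-traffic` should print it. On 7.2 and later, `packet-tracer input Inside icmp 192.192.61.10 8 0 172.16.254.10` (hosts assumed) walks a constructed echo request through the rule set and names the phase that drops it, which distinguishes a same-security deny from a missing translation. Separately, the `ANY` list bound inbound on Outside permits everything toward the firewall and toward anything later exposed with a `static`; it is worth tightening once the voice/data path works.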