Problem: Routing between interfaces on Cisco ASA5510


I have a Cisco ASA5510 that I’m trying to configure so that traffic from a LAN subnet on interface Eth0/1 can route to another subnet on interface Management0/0. Although I have no problems making this work with another similar interface, I can’t seem to get the traffic between the ports of this ASA! What I feel is the most relevant information about the configuration follows:

!Here are my interfaces:

interface Ethernet0/1
description FW Internal Interface
nameif INTERNAL
security-level 100
ip address 192.9.200.250 255.255.252.0

interface Ethernet0/3
nameif TelusVPN
security-level 100
ip address 192.168.200.1 255.255.255.252

interface Management0/0
nameif TERAGO
security-level 100
ip address 192.9.209.6 255.255.255.248

!same-security-traffic is allowed
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list INTERNAL_nat0_outbound extended permit ip 192.9.200.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list INTERNAL_nat0_outbound extended permit ip any 192.9.205.0 255.255.255.0
access-list EXTERNAL_cryptomap_20 extended permit ip 192.9.200.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list TelusVPN_access_out extended permit ip any any
access-list TelusVPN_access_in extended permit ip any any
access-list TERAGO_access_out extended permit ip any any
access-list TERAGO_access_in extended permit ip any any

static (INTERNAL,TelusVPN) 192.9.200.0 192.9.200.0 netmask 255.255.252.0
static (INTERNAL,TERAGO) 192.9.200.0 192.9.200.0 netmask 255.255.252.0

access-group TelusVPN_access_in in interface TelusVPN
access-group TelusVPN_access_out out interface TelusVPN
access-group TERAGO_access_in in interface TelusVPN
access-group TERAGO_access_out out interface TelusVPN

If TelusVPN and the INTERNAL interfaces will move traffic between them with this configuration, shouldn’t TERAGO and INTERNAL also be able to talk?  Is there something special about the management interface, perhaps?

Any ideas would be much appreciated.


 

Solution: Routing between interfaces on Cisco ASA5510

 

static (INTERNAL,TERAGO) 192.9.200.0 192.9.200.0 netmask 255.255.252.0

This takes care of NAT between the inside and Terago.

Yes, you should be able to ping 192.9.209.5 (remote ASA interface) as long as the remote ASA is allowing ICMP on that interface and the remote ASA has a route to the inside (192.9.200.0/22) via 192.9.209.6.
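The return route named in the answer can be derived from the posted interface addresses. The script below is an added example, not part of the original thread: it computes that route for the peer 192.9.209.5 and lists how the posted access-group lines bind ACLs to interfaces (the ASA holds one ACL per interface and direction). The function names are assumptions made for this example.

```python
import ipaddress
# Lines copied from the configuration posted in the question (ACL entries omitted).
CONFIG = """\
interface Ethernet0/1
 nameif INTERNAL
 ip address 192.9.200.250 255.255.252.0
interface Ethernet0/3
 nameif TelusVPN
 ip address 192.168.200.1 255.255.255.252
interface Management0/0
 nameif TERAGO
 ip address 192.9.209.6 255.255.255.248
access-group TelusVPN_access_in in interface TelusVPN
access-group TelusVPN_access_out out interface TelusVPN
access-group TERAGO_access_in in interface TelusVPN
access-group TERAGO_access_out out interface TelusVPN
"""

def parse(config):
    """Return ({nameif: IPv4Interface}, [(acl, direction, nameif), ...])."""
    ifaces, groups, name = {}, [], None
    for words in (line.split() for line in config.splitlines()):
        if words[:1] in (["interface"], ["nameif"]):
            name = words[1] if words[0] == "nameif" else None
        elif words[:2] == ["ip", "address"] and name:
            ifaces[name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[:1] == ["access-group"] and words[3:4] == ["interface"]:
            groups.append((words[1], words[2], words[4]))
    return ifaces, groups

def return_route(ifaces, inside, peer_ip):
    """Route the peer needs to reach `inside`: (network, next hop, nameif) or None."""
    peer = ipaddress.ip_address(peer_ip)
    hit = next(((n, i) for n, i in ifaces.items() if peer in i.network), None)
    return (ifaces[inside].network, hit[1].ip, hit[0]) if hit else None

def acl_bindings(ifaces, groups):
    """Return (interface/direction pairs bound more than once, interfaces with no ACL)."""
    bound, repeated = {}, []
    for acl, direction, name in groups:
        if (name, direction) in bound:
            repeated.append((name, direction, bound[(name, direction)], acl))
        bound[(name, direction)] = acl
    return repeated, [n for n in ifaces if n not in {b[0] for b in bound}]

if __name__ == "__main__":
    ifaces, groups = parse(CONFIG)
    print(return_route(ifaces, "INTERNAL", "192.9.209.5"), acl_bindings(ifaces, groups))
```

On the posted lines this reports both TERAGO_access ACLs as second bindings on the TelusVPN interface and no access-group on TERAGO itself.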