Problem: Routing between interfaces on Cisco ASA5510
I have a Cisco ASA5510 that I’m trying to configure so that traffic from a LAN subnet on interface Eth0/1 can route to another subnet on Interface Management0/0. Although I have no problems making this work with another similar interface, I can’t seem to get the traffic between the ports of this ASA! What I feel is the most relevant Information about the configuration follows:
!Here are my interfaces:
description FW Internal Interface
ip address 188.8.131.52 255.255.252.0
ip address 192.168.200.1 255.255.255.252
ip address 184.108.40.206 255.255.255.248
!same-security-traffic is allowed
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list INTERNAL_nat0_outbound extended permit ip 220.127.116.11 255.255.252.0 192.168.1.0 255.255.255.0
access-list INTERNAL_nat0_outbound extended permit ip any 18.104.22.168 255.255.255.0
access-list EXTERNAL_cryptomap_20 extended permit ip 22.214.171.124 255.255.255.0 192.168.1.0 255.255.255.0
access-list TelusVPN_access_out extended permit ip any any
access-list TelusVPN_access_in extended permit ip any any
access-list TERAGO_access_out extended permit ip any any
access-list TERAGO_access_in extended permit ip any any
static (INTERNAL,TelusVPN) 126.96.36.199 188.8.131.52 netmask 255.255.252.0
static (INTERNAL,TERAGO) 184.108.40.206 220.127.116.11 netmask 255.255.252.0
access-group TelusVPN_access_in in interface TelusVPN
access-group TelusVPN_access_out out interface TelusVPN
access-group TERAGO_access_in in interface TelusVPN
access-group TERAGO_access_out out interface TelusVPN
If TelusVPN and the INTERNAL interfaces will move traffic between them with this configuration, shouldn’t TERAGO and INTERNAL also be able to talk? Is there something special about the management interface, perhaps?
Any ideas would be much appreciated.
Solution: Routing between interfaces on Cisco ASA5510
This takes care of NAT between the inside and Terago.
Yes, you should be able to ping 18.104.22.168 (remote ASA interface) as long as the remote ASA is allowing ICMP on that interface and the remote ASA has a route to the inside (22.214.171.124/22) via 126.96.36.199.