Passing traffic through an ASA

We have an ASA 5510 that's directly connected to three networks...,, and an external network. On the subnet, there's also a 2811 router with a T1. Hosts in the subnet have a default gateway of, which is the 2811. The 2811 has a static route to direct traffic destined for to, the ASA. But hosts on cannot access hosts on. Is there some specific ACL or something that needs to be set to allow this?

ntasa01# sh conf
: Saved
: Written by enable_15 at 06:34:16.732 PDT Thu Aug 2 2007
!
ASA Version 7.0(6)
!
hostname ntasa01
enable password ****************** encrypted
names
name ld_lan
name sd_lan
name ld_dmz
name ld_ras_lan
name sd_ras_lan
name nl_dmz
name *************** ntmgw01-I
name nt_mgmt
name sd_dmz
name nt_dmz
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address **************** standby **************
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address standby
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address
 management-only
!
passwd **************** encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 1:59 1 Sun Nov 3:00
access-list 200 extended permit tcp any host ntmgw01-I eq smtp
access-list DMZ extended permit ip any any log
access-list MGMT extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover standby
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 *************** netmask
nat (inside) 1 nt_dmz
static (inside,outside) *************** netmask
static (inside,outside) *************** netmask
static (inside,outside) ntmgw01-I netmask
access-group 200 in interface outside
access-group DMZ in interface inside
access-group MGMT in interface management
route outside ************** 1
route management sd_lan 1
route management sd_dmz 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password **************** encrypted privilege 15
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http management
http management
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-MD5
telnet management
telnet management
telnet management
telnet timeout 15
ssh management
ssh management
ssh timeout 60
ssh version 2
console timeout 0
ntp server
ntp server source management prefer
Cryptochecksum:*********************************
John Oliver

Could this be related to the management interface?

You began by saying you have an ASA 5510 that's directly connected to three networks,,, and an external network. Can we say you need this in routed firewall mode, and if we do, will this need to be on the network on its own interface, not on a management interface? Are there limitations on it as management? Can you ping the interfaces of your own subnet, then the one you're targeting?

LC Skype: luchito.castro


Very likely.

IPs on the external network are NATed to addresses on the subnet, the DMZ. So I do not believe that the ASA is specifically routing anything. But I assumed that anything that was in the routing table would be handled.

John Oliver



Don't suppose it is to do with passing traffic between the same security interfaces, is it? Have a look at this:

Allowing Communication Between Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces provides the following benefits:

To enable interfaces on the same security level so that they can communicate with each other, enter the following command:

hostname(config)# same-security-traffic permit inter-interface



darren green

The answer is the command mentioned above: ASA(config)# same-security-traffic permit inter-interface

But to clear up the topics brought up which were not the solution:
- If routing is being conducted anywhere through the ASA, then this would not be due to routing not being enabled on the ASA.
- The management interface has done everything I have ever made a normal interface do, which includes being the stateful failover port.
- If different security-levels were specified, static commands would have to permit the higher security to be accessible to the lower security. The method shown in this posting is the better example where both are at the same security level.

Scott Perry
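A small audit check for the condition this thread settles on, added here as an example and not code from the thread or from Cisco: it parses the interface blocks of an ASA running config and lists every pair of named interfaces that share a security level while `same-security-traffic permit inter-interface` is absent. The sample config is constructed to mirror the posted one (inside and management both at level 100, addresses omitted as in the post).

```python
import re

# Constructed sample modelled on the interface blocks posted above (addresses omitted
# as in the post); it is not the poster's full config.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 no nameif
 no security-level
!
interface Management0/0
 nameif management
 security-level 100
 management-only
!
"""

def parse_interfaces(config: str) -> dict[str, int]:
    """Map each nameif'd interface to its security level; unnamed interfaces are skipped."""
    levels: dict[str, int] = {}
    name = level = None
    for line in config.splitlines() + ["!"]:      # sentinel flushes the last block
        if not line.startswith(" "):              # any top-level line ends an interface block
            if name is not None and level is not None:
                levels[name] = level
            name = level = None
            continue
        m = re.match(r"\s+nameif (\S+)$", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s+security-level (\d+)$", line)
        if m:
            level = int(m.group(1))
    return levels

def same_level_blocked_pairs(config: str) -> list[tuple[str, str]]:
    """Pairs sharing a level that cannot talk because the permit command is absent (ASA default)."""
    if re.search(r"^same-security-traffic permit inter-interface$", config, re.M):
        return []
    levels = parse_interfaces(config)
    names = sorted(levels)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if levels[a] == levels[b]]
```

Run it against the output of `show running-config`; an empty result means either no two named interfaces share a level or the permit command is already present.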