Jul 20, 2010

Controlling intra-interface traffic

If you need to allow unencrypted traffic to flow through the same interface (e.g., from inside to inside), you just need to enable the command below.

(config)# same-security-traffic permit intra-interface

Cisco published an article explaining that configuration. However, if the firewall policy contains NAT rules, that command alone is not enough to get it working. As an example I will use the following scenario, which is similar to the one presented in Cisco's article.

The settings relevant to this article are:

route inside 10.0.0.0 255.0.0.0 10.100.100.2 1
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

If you run a ping or generate any traffic from 10.100.100.20 to 10.200.200.50, the firewall will block the connection attempt and generate the log message below:

%ASA-3-305006: portmap translation creation failed for icmp src inside:10.100.100.20 dst inside:10.200.200.50 (type 8, code 0)

After receiving the traffic, the firewall checks the NAT rules in order of rule type priority until it finds a matching one. In this case, the NAT Exemption (nat 0) is checked first. Since the traffic comes from the inside interface and would be forwarded back out the same interface, that rule does not match, because NAT Exemption only applies to inter-interface traffic (e.g., from inside to dmz). Next, the Regular Dynamic PAT rule (nat 1) is checked. This one matches, since it was defined to match traffic from any source to any destination. However, the only global pool is assigned to the outside interface; there is none for the inside interface, so the translation fails.

To avoid this issue, you have to implement a Regular Static Identity NAT, as in the following example:

asa(config)# static (inside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

asa(config)# end
asa# wr mem
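As an added illustration (my own code, not the page's or Cisco's), here is a small Python model of the NAT lookup described above, using the page's rules and addresses. It reproduces the behaviour the text describes (exemption skipped for intra-interface traffic, dynamic PAT failing when the egress interface has no global pool, the static identity NAT fixing it); the placement of static rules between exemption and dynamic rules is assumed from the ASA's documented pre-8.3 order, and names such as translate and PAGE_RULES are mine.

```python
import ipaddress as ip

ANY = ip.ip_network("0.0.0.0/0")
ORDER = {"exempt": 0, "static": 1, "dynamic": 2}   # assumed evaluation order (see lead-in)

def net(addr_mask):
    """'10.0.0.0 255.0.0.0' (ASA notation) -> IPv4Network."""
    addr, mask = addr_mask.split()
    return ip.ip_network(f"{addr}/{mask}", strict=False)

# Rules from the page, modelled as (type, real_if, mapped_if, src_net, dst_net):
PAGE_RULES = [
    # nat (inside) 0 access-list nonat   (nonat: 10.0.0.0/8 -> 10.0.0.0/8)
    ("exempt", "inside", None, net("10.0.0.0 255.0.0.0"), net("10.0.0.0 255.0.0.0")),
    # nat (inside) 1 0.0.0.0 0.0.0.0
    ("dynamic", "inside", None, ANY, ANY),
]
GLOBALS = {"outside": "interface"}   # global (outside) 1 interface
# static (inside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0   (the page's fix)
STATIC_IDENTITY = ("static", "inside", "inside", net("10.0.0.0 255.0.0.0"), ANY)

def translate(rules, globals_, in_if, src, out_if, dst):
    """Return (rule_type, mapped_source) or ('fail', reason) for one flow."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for kind, real_if, mapped_if, s_net, d_net in sorted(rules, key=lambda r: ORDER[r[0]]):
        if real_if != in_if or src not in s_net or dst not in d_net:
            continue
        if kind == "exempt":
            if in_if == out_if:          # page: exemption only covers inter-interface traffic
                continue
            return ("exempt", str(src))
        if kind == "static":
            if mapped_if != out_if:      # static (inside,inside) only applies to inside->inside
                continue
            return ("static", str(src))  # identity NAT: mapped address == real address
        if kind == "dynamic":
            if out_if not in globals_:   # page: no global pool on the egress interface
                return ("fail", f"no global pool on {out_if}: %ASA-3-305006")
            return ("dynamic", f"{out_if}:{globals_[out_if]}")
    return ("fail", "no NAT rule matched")

if __name__ == "__main__":
    flow = ("inside", "10.100.100.20", "inside", "10.200.200.50")   # the page's ping
    print("without static:", translate(PAGE_RULES, GLOBALS, *flow))
    print("with static:   ", translate(PAGE_RULES + [STATIC_IDENTITY], GLOBALS, *flow))
```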

2 comments:

  1. thank you very much for this ... this assisted in us overcoming a major comms issue to a credit checking facility ...