fwsm intra-interface
tags : fwsm intra-interface
Hello all, I need your help. I have 3 sites, and I am having a problem connecting from sites 2 and 3 to the site 1 webserver via the DMZ. There is a tunnel between site 2 and site 1, and between site 3 and site 1. When I did a traceroute from site 2 to site 1, I discovered that I could get to the end of the tunnel and that's all; the traceroute can't go further. But I can ping hosts in the LAN in both sites 2 and 3 from the ASA. I also pinged the webserver from the router in site 1, and it was successful. All other things are working fine except that hosts from sites 2 and 3 can't access the webserver. Below is the config on the ASA and router (site 1), router (site 2) and router (site 3). ...
Thanks for the Reply Joseph. I added that and it still does not ping "same-security-traffic permit intra-interface" on contextA
where access-list ping-reply permit icmp host 204.12.6.13 any
access-list OUTSIDE_IN extended permit icmp any any log
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit tcp any any eq bgp
access-list OUTSIDE_IN extended permit tcp any eq bgp any
This would not suffice?
On Sun, Jun 15, 2008 at 5:00 PM, Joseph Brunner wrote:
> I suggest you pick up a copy of the "cisco asa, pix and fwsm firewall
> handbook" by David Hucaby
>
> I would check out the chapter on address translation. ...
For the intra-interface outside, NAT is not supported. ... the FWSM. 2.3(1) Support for the Intra-interface keyword was added. 2-474 ...
... FWSM, but only connections from a higher security interface to a ... Intra-Interface ... (config)# same-security-traffic permit intra-interface ...
Access directions can be defined through a firewall, making your ... security-traffic permit intra-interface ... PIX, and FWSM Firewall Handbook by ...
On a FWSM platform, the interface is identified by its vlan-id (vlan5 for example; ... Firewall(config)# same-security-traffic permit intra-interface ...