ASA 5520 routing between interfaces

Unanswered Question
Apr 7th, 2010


I have two internal interfaces that I have the security level set to 100 and didn't need to route between them until now.

At this time I need to route to a single host for MySQL port 3306 and I cannot get it to work.

Can any one please help.


Jennifer Halim Thu, 04/08/2010 - 02:04

You need static NAT between the 2 interfaces and also "same-security-traffic permit inter-interface" command.

For example:

Internal interface 1 is named "inside":

Internal interface 2 is named "inside-2":

static (inside,inside-2) netmask

same-security-traffic permit inter-interface

The static translation is bidirectional, so you don't need to configure the reverse static statement.

Hope that helps.

pronet_cisco Thu, 04/08/2010 - 13:13

I already have "same-security-traffic permit inter-interface" running.

All inside interfaces are communicating without any static NAT.

I want to remove "same-security-traffic permit inter-interface" so they don't communicate and then allow one IP from inside interface 3 to connect to 2 hosts on inside interface 1.

Is this possible to do?


Panos Kampanakis Thu, 04/08/2010 - 14:06

If int1 and int3 are of the same security level you will need the "same security" command, you can't avoid it.

If not then you can use ACLs and/or translations to go from int1 to int 3 and vice versa.

I hope it helps.


Kent Heide Thu, 04/08/2010 - 14:14

It's not possible to use ACLs if you remove the same-security command. Traffic will be dropped before ACL checks and you'll get a drop in your log.

To make this work you'll need the command or change your security levels. :-)

pronet_cisco Thu, 04/08/2010 - 14:51

So how can I leave the same security command in but then stop traffic between the two interfaces and only allow port 3306 on 2 hosts for interface 1 from one host coming in from interface 3.

Because at this time with same security command everything is routing to each other just fine. I don't want that.

Hope this is clear enough.



Panos Kampanakis Thu, 04/08/2010 - 17:21

You can use ACLs to allow only the traffic that you want.

"same security inter" should not be used to deny traffic.

ACLs are for that purpose.

I hope it helps.
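
As an added illustration of the ACL approach described in this reply (not configuration posted by anyone in the thread), the following ASA 8.2-style snippet keeps the same-security command in place and restricts inside-3 with an inbound access list, so only one host may reach TCP/3306 on the two MySQL servers behind inside-1. The interface names, host addresses and ACL name are placeholders.

```cisco
! Placeholder names and addresses: inside-1 and inside-3 are both security-level 100,
! 10.3.3.50 is the single client on inside-3, 10.1.1.10/11 are the MySQL servers on inside-1.
same-security-traffic permit inter-interface
!
object-group network MYSQL_SERVERS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
!
! Inbound on inside-3: permit only the MySQL flow, log and drop everything else.
access-list INSIDE3_IN extended permit tcp host 10.3.3.50 object-group MYSQL_SERVERS eq 3306
access-list INSIDE3_IN extended deny ip any any log
access-group INSIDE3_IN in interface inside-3
```

Because the ACL is applied inbound on inside-3, the final deny also blocks inside-3 hosts from reaching any other interface (the outside, for instance); add permits for that traffic above the deny if it is still required. Return traffic for the permitted MySQL connections is allowed by the stateful inspection, so no ACL entry is needed on inside-1 for it; connections initiated from inside-1 toward inside-3 are a separate direction and need their own ACL on inside-1 if they should also be restricted.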


Kureli Sankar Thu, 04/08/2010 - 17:22

Pls. review both these links:


NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired. However, if you configure dynamic NAT when NAT control is enabled, then NAT is required. See Chapter 27, "Configuring NAT Control," for more information. Also, when you specify a group of IP addresses for dynamic NAT or PAT on a same security interface, then you must perform NAT on that group of addresses when they access any lower or same security level interface (even when NAT control is not enabled). Traffic identified for static NAT is not affected.

You want traffic to flow freely between all same security interfaces without access lists.

With that said, same security traffic will flow freely without any nat or access-list.  If you want to restrict this, then you need to change one interface's security level to something else and provide translation just for that one host appropriately. Once done, you can remove the same security command if you do not have any more same security interfaces.
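
The alternative suggested in this reply, lowering one interface's security level so the default higher-to-lower behaviour does the restricting, as an added example rather than configuration from the thread. With inside-3 moved to level 90, traffic from inside-3 into inside-1 (level 100) is denied unless an ACL on inside-3 permits it, and the same-security command is no longer needed for this pair. Interface names, addresses and the ACL name are placeholders.

```cisco
! Placeholder values: inside-3 is lowered to security-level 90, inside-1 stays at 100.
interface GigabitEthernet0/2
 nameif inside-3
 security-level 90
!
! Identity static so the client keeps its own address; required if nat-control is enabled,
! harmless otherwise (8.2-style static syntax: real_ifc,mapped_ifc mapped_ip real_ip).
static (inside-3,inside-1) 10.3.3.50 10.3.3.50 netmask 255.255.255.255
!
! Lower-to-higher traffic needs an explicit permit; everything else from inside-3 is
! dropped by the implicit deny at the end of the list.
access-list INSIDE3_IN extended permit tcp host 10.3.3.50 host 10.1.1.10 eq 3306
access-list INSIDE3_IN extended permit tcp host 10.3.3.50 host 10.1.1.11 eq 3306
access-group INSIDE3_IN in interface inside-3
```

Two caveats when taking this route: once an access-group is bound to inside-3, the implicit deny also covers inside-3 traffic toward the outside and any other interface, so those flows need their own permit lines; and if nat-control is enabled, connections initiated from inside-1 (now the higher interface) toward inside-3 also require a translation for the inside-1 hosts, which the same-security setup previously did not need.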


