I have a ridiculous problem, this 8.3 version is throwing suprises one by one...
I have 2 interfaces Corp (188.8.131.52 / 27) and Collab (10.137.136.240 / 24) with the same securrity level 100. No NAT.
I want to access from Corp to RDPSvr (10.137.136.10) server on Collab.
Access rules don't work. Then I added just wide open rule allow IP in Corp - the same problem.
When I allow traffic passing between interfaces with the same security level - success (which means there are no other reasons of packets dropped that firewall rules), but I don't want it, I need to open only particular port to that server!
Even if I put
access-list global_access line 1 extended permit ip any any
access-group global_access global
it's not working!!!
Ping failed with Error 10614:Deny inbound icmp src Corp:184.108.40.206 dst Collab:10.137.136.10 (type 8, code 0)
Here's a fraction of running config:
description Corporate network connection
ip address 220.127.116.11 255.255.255.224 standby 18.104.22.168
no ip address
description Collab network connection
ip address 10.137.136.240 255.255.255.0 standby 10.137.136.241
access-list Corp_access extended permit ip any any
access-group Corp_access in interface Corp
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect icmp error
set connection decrement-ttl
service-policy global_policy global
This has always been the behavior of ASAs. I am not sure what you are looking for. Assuming you want to allow Corp hosts to access the host 10.137.136.10 on TCP/3389 that is the RDP port and not anything else between those 2 interfaces but still want to allow Corp hosts to be able to access the internet, here is waht you will need:
same-security-traffic permit inter-interface
access-list Corp_access permit tcp any host 10.137.136.10 eq 3389
access-list Corp_access deny ip any 10.137.136.0 255.255.255.0
access-list Corp_access permit ip any any
The command same-security-traffic permit inter-interface does not bypass ACL check. The traffic will still pass thorugh all the ACLs configured.
Please correct me if i am getting your requirement wrong.