ASA5510 9.1 same-security-traffic

Jan Rolny · ‎12-12-2013

Hi everyone,

is there still the same problem with communication between two subinterfaces on same security level? Please see part of configuration below.

I have two vlans 40 and 60 on switch. One uplink connected from switch to FW interface ethernet0/3. I need to allow communication between this two VLANs but even if i have cnfigured same-security-traffic permit inter-interface and same-security-traffic permit intra-interface it does not work.

Do I need to configure static NAT for this two subnets or it should work without any additional configuration?

interface Ethernet0/3

no nameif

no security-level

no ip address

!

interface Ethernet0/3.40

description DMZ-40

vlan 40

nameif DMZ-40

security-level 50

ip address 192.168.1.254 255.255.255.0

!

interface Ethernet0/3.60

description DMZ-60

vlan 60

nameif DMZ-60

security-level 50

ip address 192.168.2.254 255.255.255.0

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

Thanks for advice.

Jan

Jouni Forss · ‎12-12-2013

Hi,

I would start testing with "packet-tracer"

packet-tracer input DMZ-60 tcp 192.168.2.100 12345 192.168.1.100 80

Or use some other IP addresses or ports. Naturally if you are connecting in the other direction then use the other interface as the "input" interface.

This should show us if the problem is on the ASA

- Jouni

Jan Rolny · ‎12-12-2013

Hi Jouni,

thanks for tip. I completely forgot to packet-tracer :-) From packet tracer it seems that it works perfectly. So tomorrow I will ask administrator what is his problem again. Because his try from computer fails.

Sorry for stupid question and thanks for quick advice :-)

Jan