communication between same security levels in ASA

rakeshjss123
Level 1

Hi All,

I am facing a communication issue between interfaces of the same security level. I have created two security zones with the same security level and I have also configured the command same-security-traffic permit inter-interface; nat-control is disabled by default. But I am not able to communicate between the same security level.

When I checked the logs using the sh logging command, the following output appears:

%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.28/14 gaddr 10.0.4.1/0 laddr 10.0.4.1/0

%ASA-6-110003: Routing failed to locate next hop for icmp from HR:10.0.4.1/0 to HR:10.0.0.28/0

%ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.28/14 gaddr 10.0.4.1/0 laddr 10.0.4.1/0

%ASA-3-219002: i2c_read_byte_w_suspend() error, slot = 0x4, device = 0xb0, address = 0x0, byte count = 1. Reason: I2C_SMBUS_UNSUPPORT

My ASA lab configuration:-

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.252
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.1
 vlan 2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.252.0
!
interface Ethernet0/1.2
 vlan 3
 nameif HR
 security-level 100
 ip address 10.0.4.1 255.255.252.0

The rest of the configuration is default.

Thanks

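As an added example (not from the original post or any of the replies), the script below takes the interface stanzas and the three syslog lines pasted in the question, parses them, and checks two things a practitioner would want before touching NAT or inspection: which interface's connected subnet actually owns the destination address named in the %ASA-6-110003 message, and whether the same-security rule permits inside-to-HR traffic at all. The `same-security-traffic permit inter-interface` line is added to the constructed config because the poster says it is configured but did not paste it; the function names and the constructed inputs are my own, and the script models only the connected-route lookup and the security-level rule, not the full ASA packet path.

```python
"""Check the ASA interface table against the %ASA-6-110003 routing log.

Added analysis, not part of the original thread. The interface stanzas and
syslog lines below are copied from the question (constructed input); the
same-security-traffic line is assumed present because the poster says so.
"""
import ipaddress
import re
from dataclasses import dataclass

# Interface configuration as pasted in the question (constructed input).
ASA_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.252
!
interface Ethernet0/1.1
 vlan 2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.252.0
!
interface Ethernet0/1.2
 vlan 3
 nameif HR
 security-level 100
 ip address 10.0.4.1 255.255.252.0
!
same-security-traffic permit inter-interface
"""

# Syslog lines from the question (constructed input, copied verbatim).
ASA_LOGS = [
    "%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.28/14 gaddr 10.0.4.1/0 laddr 10.0.4.1/0",
    "%ASA-6-110003: Routing failed to locate next hop for icmp from HR:10.0.4.1/0 to HR:10.0.0.28/0",
    "%ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.28/14 gaddr 10.0.4.1/0 laddr 10.0.4.1/0",
]

# 110003: "Routing failed to locate next hop for <proto> from <if>:<ip>/<port> to <if>:<ip>/<port>"
ROUTE_FAIL = re.compile(
    r"%ASA-\d-110003: Routing failed to locate next hop for (?P<proto>\S+) "
    r"from (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/\d+ to (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/\d+"
)


@dataclass
class Interface:
    nameif: str
    security_level: int
    network: ipaddress.IPv4Interface  # interface address with its connected prefix


def parse_interfaces(config: str) -> list[Interface]:
    """Collect nameif / security-level / ip address from each named interface stanza."""
    interfaces: list[Interface] = []
    current: dict = {}

    def flush() -> None:
        if all(k in current for k in ("nameif", "security-level", "ip")):
            interfaces.append(Interface(current["nameif"], current["security-level"], current["ip"]))
        current.clear()

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            flush()  # a new stanza or the '!' terminator ends the previous one
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            current["security-level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            current["ip"] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    flush()  # stanza without a trailing '!'
    return interfaces


def connected_interface(interfaces: list[Interface], ip: str):
    """Longest-prefix match over directly connected subnets; None if no interface owns the address."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for iface in interfaces:
        net = iface.network.network
        if addr in net and (best is None or net.prefixlen > best.network.network.prefixlen):
            best = iface
    return best


def analyze_routing_failures(config: str, logs: list[str]) -> list[dict]:
    """For each 110003 line, compare the egress interface the ASA logged with the
    interface whose connected subnet contains the destination address."""
    interfaces = parse_interfaces(config)
    findings = []
    for line in logs:
        m = ROUTE_FAIL.search(line)
        if not m:
            continue
        owner = connected_interface(interfaces, m["dst_ip"])
        findings.append({
            "dst_ip": m["dst_ip"],
            "logged_if": m["dst_if"],
            "connected_if": owner.nameif if owner else None,
            "mismatch": owner is not None and owner.nameif != m["dst_if"],
        })
    return findings


def inter_interface_allowed(config: str, src_if: str, dst_if: str) -> bool:
    """Security-level rule with no access-lists applied: equal levels need
    'same-security-traffic permit inter-interface'; otherwise only higher-to-lower passes."""
    by_name = {i.nameif: i for i in parse_interfaces(config)}
    src, dst = by_name[src_if], by_name[dst_if]
    if src.security_level == dst.security_level:
        return "same-security-traffic permit inter-interface" in config
    return src.security_level > dst.security_level


if __name__ == "__main__":
    for finding in analyze_routing_failures(ASA_CONFIG, ASA_LOGS):
        print(finding)
    print("inside -> HR permitted by security levels:", inter_interface_allowed(ASA_CONFIG, "inside", "HR"))
```

Run against the pasted data, the security-level rule passes inside-to-HR, so the 110003 line is the part worth explaining: the ASA names HR as the egress interface for 10.0.0.28, yet that address falls inside the inside interface's connected 10.0.0.0/22, and the two connection lines show the ping target (gaddr/laddr 10.0.4.1) is the ASA's own HR interface address rather than a host behind it. Testing with packet-tracer from an inside host to a host address on the HR subnet, as suggested in the replies, separates that case from a genuine inter-interface problem.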
3 Replies

andrew.prince
Level 10

Just to be sure - I would configure a nat-exemption rule.

You can also add the following commands to allow the same security interface to talk to each other:

same-security-traffic permit intra-interface

same-security-traffic permit inter-interface

Thanks and let us know.

Thanks and Cheers! Kimberly. Please remember to rate helpful posts.

Julio Carvajal
VIP Alumni

Hello Rakesh,

You already told us you have the permit inter-interface command and also nat-control disabled.

You also told us you have the default setting on your asa so if that is true you should not have the inspection for the ICMP protocol.

Please add the following:

fixup protocol icmp

Then give it a try:

Also provide the following:

packet-tracer input inside icmp 10.0.0.2 8 0 10.0.4.2

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC