Cisco Support Community

communication between same security levels in ASA

Hi All,

I am facing a communication issue between the same security level. I have created two security zones with the same security level, and I have also configured the command same-security-traffic permit inter-interface, and nat-control is disabled by default. But I am not able to communicate between the same security level.

When I checked the logs using the sh logging command, the following output appeared:

%ASA-6-302020: Built inbound ICMP connection for faddr gaddr laddr

%ASA-6-110003: Routing failed to locate next hop for icmp from HR: to HR:

%ASA-6-302021: Teardown ICMP connection for faddr gaddr laddr

%ASA-3-219002: i2c_read_byte_w_suspend() error, slot = 0x4, device = 0xb0, address = 0x0, byte count = 1. Reason: I2C_SMBUS_UNSUPPORT

My ASA lab configuration:-

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address

interface Ethernet0/1
 no nameif
 no security-level
 no ip address

interface Ethernet0/1.1
 vlan 2
 nameif inside
 security-level 100
 ip address

interface Ethernet0/1.2
 vlan 3
 nameif HR
 security-level 100
 ip address

The rest of the configuration is default.



communication between same security levels in ASA

Just to be sure - I would configure a nat-exemption rule.

communication between same security levels in ASA

You can also add the following commands to allow the same security interface to talk to each other:

same-security-traffic permit intra-interface

same-security-traffic permit inter-interface

Thanks and let us know.


Thanks and Cheers! Kimberly Please remember to rate helpful posts.
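
A way to check the precondition discussed in this thread, as an added example that is not part of the original posts: this Python sketch reads an ASA-style configuration, groups named interfaces by security level, and reports whether same-security-traffic permit inter-interface is present for interfaces that share a level. The sample configuration is constructed from the lab layout in the question (addresses omitted), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample based on the lab layout in the question (no addresses).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 no nameif
 no security-level
interface Ethernet0/1.1
 vlan 2
 nameif inside
 security-level 100
interface Ethernet0/1.2
 vlan 3
 nameif HR
 security-level 100
same-security-traffic permit inter-interface
"""

def audit_same_security(config):
    """Return (groups, permits): interfaces sharing a level, and permit flags."""
    levels = defaultdict(list)
    permits = {"inter-interface": False, "intra-interface": False}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new interface block: forget the previous nameif
        elif m := re.fullmatch(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and nameif:
            levels[int(m.group(1))].append(nameif)  # unnamed interfaces skipped
        elif m := re.fullmatch(r"same-security-traffic permit (inter|intra)-interface", line):
            permits[m.group(1) + "-interface"] = True
    groups = {lvl: names for lvl, names in levels.items() if len(names) > 1}
    return groups, permits

def findings(config):
    groups, permits = audit_same_security(config)
    out = []
    for lvl, names in sorted(groups.items()):
        state = "permitted" if permits["inter-interface"] else "blocked"
        out.append(f"level {lvl}: {', '.join(names)} share a level; inter-interface traffic {state}")
    return out

print("\n".join(findings(SAMPLE_CONFIG)))
```
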

communication between same security levels in ASA

Hello Rakesh,

You already told us you have the permit inter-interface command and also nat-control disabled.

You also told us you have the default settings on your ASA, so if that is true you should not have the inspection for the ICMP protocol.

Please add the following:

     -fixup protocol icmp

Then give it a try.

Also provide the following:

packet-tracer input inside icmp 8 0


Do rate all the helpful posts


Julio Carvajal
Senior Network Security and Core Specialist