Same security interface not passing traffic

lee.messenger
Level 1

Hi,

I have a PIX 525 that has 8 interfaces, inside, outside, 2 security level 75 and 4 security level 50.

Traffic from interfaces on security level 50 must not be allowed to other security level 50 interfaces.

Traffic from interfaces on security level 75 interfaces is allowed to other security level 75 interfaces.

Therefore, I'd rather not enable the same-security-interface-permit command.

I've configured ACLs on the security level 75 interfaces to permit traffic to flow, but it doesn't appear to be working.

If I change the security level on one of the level 75 interfaces to 76, then traffic flows.

Any ideas?

Thanks

Lee

8 Replies

acomiskey
Level 10

How about enabling same-security-traffic permit inter-interface and then writing ACLs to prevent the traffic from the level 50 interfaces?

If you use the same-security-traffic permit inter-interface feature you still have to create ACLs to allow the traffic between the interfaces. The same-security-traffic permit inter-interface feature basically allows the firewall to use the ACLs that you create to allow traffic between interfaces with the same security level.

Check this link:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/intfce_f.html#wp1039276

That's not what the ASA Command Ref. says...

"Allowing communication between same security interfaces (enabled by the same-security-traffic inter-interface command) provides the following benefits:

- You can allow traffic to flow freely between all same security interfaces WITHOUT access lists."

Hi,

I realise I could enable "same-security" but then I have to put denies in 4 ACLs and it starts to get more complex.

What I'm really trying to find out is why hosts on different interfaces that have the same security level cannot communicate even though the ACL permits it.

Do I have to have an ACL for the reply traffic as well perhaps?

I would also agree that you should not have to add ACLs if "same-security" is turned on. Or perhaps that only applies to the ASA and not the PIX?

Any more thoughts greatly appreciated.

Lee

"What I'm really trying to find out is why hosts on different interfaces that have the same security level cannot communicate even though the ACL permits it."

-Because you have not enabled the same-security-traffic command.

"Do I have to have an ACL for the reply traffic as well perhaps?"

-No.

So just to clarify then, as I must have misunderstood the configuration guide.

In order for hosts on interfaces of the same security level to communicate, the same-security-interface command must be enabled, even if there are ACLs defined which permit the communication?

The code is built to not allow communication between interfaces with the same security level even if you have ACLs allowing the traffic. One interesting point is that the ASA/PIX behaves differently from the FWSM when using the same-security-interface command. As acomiskey said, when you use same-security-interface it allows communication without ACLs; in the FWSM, after enabling same-security-interface, it still needs ACLs. Another option for you could be to change the security level on one of the interfaces with level 50 to something like 51 or 49 and then add ACLs to allow traffic between those 2.
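
Putting the two suggestions from this thread together (enable same-security-traffic, then deny the level 50 interfaces from reaching each other with ACLs), here is an added configuration example in PIX 7.x / ASA syntax. It is not from the thread or from Cisco's documentation; the interface names dmz50a-dmz50d and the 10.50.x.0/24 subnets are constructed placeholders.

```cisco
! Added example, not from the thread. Interface names and subnets are placeholders.
! Global switch: lets traffic cross between interfaces of equal security level.
same-security-traffic permit inter-interface
!
interface Ethernet2
 nameif dmz50a
 security-level 50
 ip address 10.50.1.1 255.255.255.0
!
interface Ethernet3
 nameif dmz50b
 security-level 50
 ip address 10.50.2.1 255.255.255.0
!
! dmz50c (10.50.3.0/24) and dmz50d (10.50.4.0/24) are configured the same way.
!
! Inbound ACL on dmz50a: explicitly deny the other three level 50 networks
! first, so the global permit above cannot let them talk to each other.
access-list DMZ50A_IN extended deny ip 10.50.1.0 255.255.255.0 10.50.2.0 255.255.255.0
access-list DMZ50A_IN extended deny ip 10.50.1.0 255.255.255.0 10.50.3.0 255.255.255.0
access-list DMZ50A_IN extended deny ip 10.50.1.0 255.255.255.0 10.50.4.0 255.255.255.0
! Placeholder for the permits this interface already needs. Note that once an
! inbound ACL is applied it replaces the implicit security-level rule, so this
! line also decides what dmz50a may reach on the higher-security interfaces.
access-list DMZ50A_IN extended permit ip 10.50.1.0 255.255.255.0 any
access-group DMZ50A_IN in interface dmz50a
!
! Repeat the same pattern for dmz50b, dmz50c and dmz50d, each with its own
! network as the source and the other three level 50 networks denied.
!
! Check on 7.2 or later (constructed hosts): the first should report DROP on
! the ACL, the second should not be blocked by it.
! packet-tracer input dmz50a tcp 10.50.1.10 1025 10.50.2.10 80
! packet-tracer input dmz50a tcp 10.50.1.10 1025 192.0.2.10 80
```

The level 75 pair needs no deny entries; whether it still needs permit entries after the global command is the point the thread itself disagrees on, so verify with packet-tracer rather than assuming either way.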

Thanks guys, that's answered my questions now.
