Community Member

Same security interface not passing traffic

Hi,

I have a PIX 525 that has 8 interfaces, inside, outside, 2 security level 75 and 4 security level 50.

Traffic from interfaces on security level 50 must not be allowed to other security level 50 interfaces.

Traffic from interfaces on security level 75 interfaces is allowed to other security level 75 interfaces.

Therefore, I'd rather not enable the same-security-interface-permit command.

I've configured ACLs on the security level 75 interfaces to permit traffic to flow, but it doesn't appear to be working.

If I change the security level on one of the level 75 interfaces to 76, then traffic flows.

Any ideas?

Thanks

Lee

8 REPLIES
Green

Re: Same security interface not passing traffic

How about enabling same-security-traffic permit inter-interface, then writing ACLs to prevent the traffic from the level 50 interfaces.

Community Member

Re: Same security interface not passing traffic

If you use the same-security-traffic permit inter-interface feature you still have to create ACLs to allow the traffic between the interfaces. The same-security-traffic permit inter-interface feature basically allows the firewall to use the ACLs that you create to allow traffic between interfaces with the same security level.

Check this link:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/intfce_f.html#wp1039276

Green

Re: Same security interface not passing traffic

That's not what the ASA Command Ref. says...

"Allowing communication between same security interfaces (enabled by the same-security-traffic inter-interface command) provides the following benefits:

- You can allow traffic to flow freely between all same security interfaces WITHOUT access lists."

Community Member

Re: Same security interface not passing traffic

Hi,

I realise I could enable "same-security" but then I have to put denies in 4 ACLs and it starts to get more complex.

What I'm really trying to find out is why hosts on different interfaces that have the same security level cannot communicate even though the ACL permits it.

Do I have to have an ACL for the reply traffic as well perhaps?

I would also agree that you should not have to add ACLs if "same-security" is turned on. Or perhaps that only applies to the ASA and not the PIX?

Any more thoughts greatly appreciated.

Lee

Green

Re: Same security interface not passing traffic

"What I'm really trying to find out is why hosts on different interfaces that have the same security level cannot communicate even though the ACL permits it."

-Because you have not enabled the same-security-traffic command.

"Do I have to have an ACL for the reply traffic as well perhaps?"

-No.

Community Member

Re: Same security interface not passing traffic

So just to clarify then, as I must have misunderstood the configuration guide.

In order for hosts on interfaces of the same security level to communicate, the same-security-interface command must be enabled, even if there are ACLs defined which permit the communication?

Community Member

Re: Same security interface not passing traffic

The code is built to not allow communication between interfaces with the same security level even if you have ACLs allowing the traffic. One interesting point is that the ASA/PIX behaves differently from the FWSM when using the same-security-interface command. As acomiskey said, when you use the same-security-interface it allows communication without ACLs; in the FWSM, after enabling the same-security-interface it still needs ACLs. Another option for you could be to change the security level on one of the interfaces with level 50 to something like 51 or 49 and then add ACLs to allow traffic between those 2.

Community Member

Re: Same security interface not passing traffic

Thanks guys, that's answered my questions now.
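The approach the thread settles on (enable same-security-traffic permit inter-interface, then use ACLs to keep the level-50 interfaces apart) written out as an added configuration example. This is not from any post in the thread; it assumes PIX 7.x/ASA syntax, where the ASA command reference quoted above applies (same-security traffic passes without an ACL, and an inbound ACL on an interface governs all of that interface's traffic once applied). Interface names, subnets and ACL names are constructed placeholders.

```cisco
! Added example, not from the thread. PIX 7.x/ASA-style syntax assumed.
! Two level-75 interfaces that may talk to each other freely.
interface GigabitEthernet0/2
 nameif dmz75a
 security-level 75
 ip address 10.75.1.1 255.255.255.0
interface GigabitEthernet0/3
 nameif dmz75b
 security-level 75
 ip address 10.75.2.1 255.255.255.0
! Two of the four level-50 interfaces (the others follow the same pattern).
interface Ethernet1
 nameif dmz50a
 security-level 50
 ip address 10.50.1.1 255.255.255.0
interface Ethernet2
 nameif dmz50b
 security-level 50
 ip address 10.50.2.1 255.255.255.0

! Allow traffic between interfaces of equal security level.
! With no inbound ACL on dmz75a/dmz75b, the level-75 pair now passes traffic.
same-security-traffic permit inter-interface

! Every level-50 subnet in one group, so each level-50 ACL needs a single deny.
object-group network DMZ50_NETS
 network-object 10.50.1.0 255.255.255.0
 network-object 10.50.2.0 255.255.255.0
 network-object 10.50.3.0 255.255.255.0
 network-object 10.50.4.0 255.255.255.0

! Inbound ACL on each level-50 interface: block 50-to-50 first, then permit the
! rest. Applying an ACL replaces the implicit security-level behaviour with the
! ACL's own implicit deny, so the permit line is required for everything else.
access-list DMZ50A_IN extended deny ip any object-group DMZ50_NETS
access-list DMZ50A_IN extended permit ip 10.50.1.0 255.255.255.0 any
access-group DMZ50A_IN in interface dmz50a

access-list DMZ50B_IN extended deny ip any object-group DMZ50_NETS
access-list DMZ50B_IN extended permit ip 10.50.2.0 255.255.255.0 any
access-group DMZ50B_IN in interface dmz50b
! ...repeat for dmz50c and dmz50d with their own subnets.
```

To confirm the deny lines are doing the work, watch the hit counts with show access-list DMZ50A_IN while sending test traffic between two level-50 hosts; on software that has it, packet-tracer input dmz50a tcp 10.50.1.10 1025 10.50.2.10 80 shows which ACL line drops the flow. The deny also lists the interface's own subnet, which is harmless because traffic between hosts on the same subnet never traverses the firewall.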
