Cisco Support Community

New Member

Same security level interface ACL

On a Cisco ASA 5520, I have 2 interfaces that are the same security level. I need hosts on 1 of these interfaces to be able to get to a specific IP and port on the other, but I DON'T want to blanket enable 'same-security-traffic permit inter-interface'. I have added an ACL inbound on the interface allowing the desired traffic and inbound on the other for return traffic, and it simply doesn't work.

interface GigabitEthernet0/3.175
 vlan 175
 nameif Test175
 security-level 30
 ip address 172.30.175.1 255.255.255.0
!
interface GigabitEthernet0/3.185
 vlan 185
 nameif Test185
 security-level 30
 ip address 172.30.185.1 255.255.255.0
!
access-list Test185 extended permit udp any host 172.20.175.52 eq ntp
access-group Test185 in interface Test185
!
access-list Test175 extended permit udp host 172.20.175.52 eq ntp any
access-group Test175 in interface Test175

13 REPLIES
New Member

Re: Same security level interface ACL

Can you post your whole config? Need to look at your NAT policy


New Member

Re: Same security level interface ACL

There is no NAT between the two.

New Member

Re: Same security level interface ACL

Hi,

Maybe all of your LAN is PATed to the public IP (or interface). Then you should exclude NAT for the communication between these two interfaces.

Thanks

Vipin

Thanks and Regards, Vipin
New Member

Same security level interface ACL

Hi

Yes, maybe NAT needs to be disabled for the communication between these two interfaces.

Please post your configuration

Thanks and Regards, Vipin
New Member

Same security level interface ACL

If I move the source interface up a security level it works so it's not NAT related as the source interface has no NAT configurations.

New Member

Re: Same security level interface ACL

VPN# packet-tracer input JMSTest185 udp 172.30.85.10 123 172.30.175.52 123 det

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7b4060b0, priority=1, domain=permit, deny=false
        hits=2612, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=JMSTest185, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.30.175.0    255.255.255.0   JMS

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x79336a28, priority=11, domain=permit, deny=true
        hits=1365, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=JMSTest185, output_ifc=any

Result:
input-interface: JMSTest185
input-status: up
input-line-status: up
output-interface: JMS
output-status: up
output-line-status: up

Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

VPN#

Bronze

Re: Same security level interface ACL

I notice in the packet tracer you used 172.30.85.10 as your source address but the interface uses 172.30.185.0/24.  Is this the correct host and if so, is there a route for the 172.30.85.X network on the JMSTest185 interface?

Is NAT control enabled?  With the 'same-security-traffic permit inter-interface' command in place, traffic should be allowed to traverse the two same-security interfaces without NAT (even if NAT control is enabled) as long as the correct access-list entries are in place. 

New Member

Re: Same security level interface ACL

Yes. You are right. But with the correct IP it still fails.

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x79336a28, priority=11, domain=permit, deny=true
        hits=2837, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=JMSTest185, output_ifc=any

Cisco Employee

Same security level interface ACL

Hi,

The first rule to be hit will always be the same-security-traffic implicit rule. If you want to filter this you can do one of 2 things.

1. Lower one of the interfaces' security levels and use ACLs to permit the traffic.

2. Put the command same-security-traffic permit inter-interface and then filter the traffic between them using ACLs.

There is a third one, but it is related to NAT, and since you don't have NAT configured it will be better to leave it as it is.

Mike.

Mike
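Option 2 from Mike's reply, written out for the poster's two sub-interfaces as an added example (not part of the original thread). It assumes the NTP server is 172.30.175.52, the address used in the packet-tracer and inside the Test175 subnet (the posted ACLs say 172.20.175.52), and that each VLAN may otherwise reach the rest of the network; drop or tighten the trailing permit lines if that is not the case.

```cisco
! Global command: opens every pair of same-security interfaces that has no
! inbound ACL bound, so every same-security interface below gets one.
same-security-traffic permit inter-interface
!
! VLAN 185 -> VLAN 175: only NTP to the server, everything else toward
! VLAN 175 is denied explicitly (and logged) before the broader permit.
access-list Test185 remark NTP from VLAN 185 to the NTP server on VLAN 175
access-list Test185 extended permit udp 172.30.185.0 255.255.255.0 host 172.30.175.52 eq ntp
access-list Test185 remark Block all other traffic toward VLAN 175, log hits
access-list Test185 extended deny ip any 172.30.175.0 255.255.255.0 log
access-list Test185 remark Assumption: VLAN 185 may reach the rest of the network
access-list Test185 extended permit ip 172.30.185.0 255.255.255.0 any
access-group Test185 in interface Test185
!
! VLAN 175 -> VLAN 185: nothing may be initiated in this direction. No
! return-traffic permit is needed: the ASA tracks the UDP flow and lets the
! NTP reply back through from its connection table.
access-list Test175 remark Block anything VLAN 175 initiates toward VLAN 185
access-list Test175 extended deny ip any 172.30.185.0 255.255.255.0 log
access-list Test175 remark Assumption: VLAN 175 may reach the rest of the network
access-list Test175 extended permit ip 172.30.175.0 255.255.255.0 any
access-group Test175 in interface Test175
```

After applying this, re-run the packet-tracer from the thread and check that Phase 3 shows the Test185 permit entry instead of "Implicit Rule"; `show running-config access-group` confirms every same-security interface has an inbound ACL bound, which is what keeps the global command from acting as a blanket permit.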