11-11-2011 07:59 PM - edited 03-11-2019 02:49 PM
On a Cisco ASA 5520, I have 2 interfaces that are the same security level. I need hosts on 1 of these interfaces to be able to get to a specific IP and port on the other, but I DON'T want to blanket enable 'same-security-traffic permit inter-interface'. I have added an ACL inbound on the interface allowing the desired traffic and inbound on the other for return traffic, and it simply doesn't work.
interface GigabitEthernet0/3.175
vlan 175
nameif Test175
security-level 30
ip address 172.30.175.1 255.255.255.0
!
interface GigabitEthernet0/3.185
vlan 185
nameif Test185
security-level 30
ip address 172.30.185.1 255.255.255.0
!
access-list Test185 extended permit udp any host 172.20.175.52 eq ntp
access-group Test185 in interface Test185
!
access-list Test175 extended permit udp host 172.20.175.52 eq ntp any
access-group Test175 in interface Test175
11-11-2011 08:25 PM
Can you post your whole config? Need to look at your NAT policy
Sent from Cisco Technical Support iPhone App
11-11-2011 08:32 PM
There is no NAT between the two.
11-11-2011 08:36 PM
Hi,
Maybe all of your LAN is PATed to the public IP (or interface). Then you should exclude NAT for the communication between these two interfaces.
Thanks
Vipin
11-11-2011 08:32 PM
Hi
Yes, maybe NAT needs to be disabled for the communication between these two interfaces.
Please post your configuration
11-11-2011 08:36 PM
If I move the source interface up a security level it works so it's not NAT related as the source interface has no NAT configurations.
11-11-2011 08:42 PM
VPN# packet-tracer input JMSTest185 udp 172.30.85.10 123 172.30.175.52 123 det
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7b4060b0, priority=1, domain=permit, deny=false
hits=2612, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=JMSTest185, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.30.175.0 255.255.255.0 JMS
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x79336a28, priority=11, domain=permit, deny=true
hits=1365, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=JMSTest185, output_ifc=any
Result:
input-interface: JMSTest185
input-status: up
input-line-status: up
output-interface: JMS
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
VPN#
11-14-2011 01:26 PM
I notice in the packet tracer you used 172.30.85.10 as your source address but the interface uses 172.30.185.0/24. Is this the correct host and if so, is there a route for the 172.30.85.X network on the JMSTest185 interface?
Is NAT control enabled? With the 'same-security-traffic permit inter-interface' command in place, traffic should be allowed to traverse the two same-security interfaces without NAT (even if NAT control is enabled) as long as the correct access-list entries are in place.
11-14-2011 01:33 PM
Yes. You are right. But with the correct IP it still fails.
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x79336a28, priority=11, domain=permit, deny=true
hits=2837, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=JMSTest185, output_ifc=any
11-14-2011 01:51 PM
Hi,
The first rule to be hit will always be the same-security-traffic implicit rule. If you want to filter this you can do one of 2 things.
1. Lower one of the interfaces' security levels and use ACLs to permit the traffic.
2. Put the command same-security-traffic permit inter-interface and then filter the traffic between them using ACLs.
There is a third one, but it is related to NAT, and since you don't have NAT configured it will be better to leave it as it is.
Mike.
11-14-2011 01:52 PM
So wait, is the packet-tracer output you provided with 'same-security-traffic permit inter-interface' enabled? The packet-tracer output is what I would expect to see without the command. It has to be there if you want to leave the security levels the way they are.
11-14-2011 02:09 PM
I'm kinda surprised there isn't a way to allow the traffic via an ACL... Thanks everyone for your input.
11-14-2011 03:28 PM
It is, but you will need to add the same security traffic first. That would be the first rule to be hit; then what you need to do is to filter the rest with ACLs.
Mike.
11-25-2011 10:08 AM
If you don't want another host to communicate with any other IP on the same security level interface, you can use an ACL to limit this, and then use the same-security-traffic inter-interface command and life remains good, if I understand the logic of not using the command.
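An added example, not posted by anyone in this thread, showing option 2 from Mike's reply applied to the interfaces from the original post: enable same-security inter-interface traffic so the implicit same-security deny (the priority=11 rule in the packet-tracer output) is no longer hit first, then use the interface ACLs to allow only the NTP flow. It assumes the NTP server is 172.30.175.52 (the address used in the packet-tracer test, which is inside the Test175 subnet, rather than the 172.20.175.52 in the posted ACL) and that hosts on Test185 still need to reach other networks; 172.30.185.10 and 172.30.175.20 are constructed test addresses, not from the thread.

```cisco
! Added example config, not from the thread. Assumes the NTP server is
! 172.30.175.52 and that Test185 hosts also need to reach other networks.
!
! 1. Without this line the ASA hits the implicit same-security deny
!    before any interface ACL is consulted (the Phase 3 DROP above).
same-security-traffic permit inter-interface
!
! 2. Inbound on Test185: first match wins, so allow the NTP flow, then
!    explicitly block everything else destined for the Test175 subnet,
!    then permit the rest (e.g. towards the internet). Once an ACL is
!    bound to an interface, anything it does not match is dropped.
access-list Test185 extended permit udp any host 172.30.175.52 eq ntp
access-list Test185 extended deny ip any 172.30.175.0 255.255.255.0
access-list Test185 extended permit ip any any
access-group Test185 in interface Test185
!
! 3. Inbound on Test175: the ASA is stateful, so NTP replies are matched
!    against the existing UDP connection and need no ACL entry here.
!    This ACL only stops Test175 hosts from initiating towards Test185.
access-list Test175 extended deny ip any 172.30.185.0 255.255.255.0
access-list Test175 extended permit ip any any
access-group Test175 in interface Test175
!
! 4. Verify: the first trace should end in ALLOW, the second in an
!    acl-drop on the Test185 ACL rather than on the implicit rule.
!    (172.30.185.10 and 172.30.175.20 are constructed test addresses.)
!   packet-tracer input Test185 udp 172.30.185.10 123 172.30.175.52 123 detailed
!   packet-tracer input Test185 tcp 172.30.185.10 40000 172.30.175.20 22 detailed
```

The return-traffic ACL from the original post (permit udp host ... eq ntp any inbound on Test175) is not needed: it would only permit the server to initiate NTP outbound, while the replies to the Test185 client are already covered by the connection table. Also note that the deny lines for the opposite subnet are what preserve the "no blanket access" intent once inter-interface traffic is permitted; without them, permit ip any any would open the two segments to each other.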