Same security level interface ACL

ncowger
Level 1

On a Cisco ASA 5520, I have 2 interfaces at the same security level. I need hosts on one of these interfaces to be able to get to a specific IP and port on the other, but I DON'T want to blanket enable 'same-security-traffic permit inter-interface'. I have added an ACL inbound on the interface allowing the desired traffic and inbound on the other for return traffic, and it simply doesn't work.

interface GigabitEthernet0/3.175
 vlan 175
 nameif Test175
 security-level 30
 ip address 172.30.175.1 255.255.255.0
!
interface GigabitEthernet0/3.185
 vlan 185
 nameif Test185
 security-level 30
 ip address 172.30.185.1 255.255.255.0
!
access-list Test185 extended permit udp any host 172.20.175.52 eq ntp
access-group Test185 in interface Test185
!
access-list Test175 extended permit udp host 172.20.175.52 eq ntp any
access-group Test175 in interface Test175

13 Replies

vabruno
Level 1

Can you post your whole config? Need to look at your NAT policy.

There is no NAT between the two.

Hi,

Maybe all of your LAN is PATed to the public IP (or interface). Then you should exclude NAT for the communication between these two interfaces.

Thanks

Vipin

Thanks and Regards, Vipin

vipinrajrc
Level 3

Hi

Yes, maybe NAT needs to be disabled for the communication between these two interfaces.

Please post your configuration.

Thanks and Regards, Vipin

If I move the source interface up a security level it works, so it's not NAT-related, as the source interface has no NAT configuration.

VPN# packet-tracer input JMSTest185 udp 172.30.85.10 123 172.30.175.52 123 det

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7b4060b0, priority=1, domain=permit, deny=false
        hits=2612, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=JMSTest185, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.30.175.0    255.255.255.0   JMS

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x79336a28, priority=11, domain=permit, deny=true
        hits=1365, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=JMSTest185, output_ifc=any

Result:
input-interface: JMSTest185
input-status: up
input-line-status: up
output-interface: JMS
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

VPN#

I notice in the packet-tracer you used 172.30.85.10 as your source address, but the interface uses 172.30.185.0/24. Is this the correct host, and if so, is there a route for the 172.30.85.X network on the JMSTest185 interface?

Is NAT control enabled?  With the 'same-security-traffic permit inter-interface' command in place, traffic should be allowed to traverse the two same-security interfaces without NAT (even if NAT control is enabled) as long as the correct access-list entries are in place. 

Yes. You are right. But with the correct IP it still fails.

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x79336a28, priority=11, domain=permit, deny=true
        hits=2837, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=JMSTest185, output_ifc=any

Hi,

The first rule to be hit will always be the same-security-traffic implicit rule. If you want to filter this you can do one of 2 things:

1. Lower one of the interfaces' security levels and use ACLs to permit the traffic.

2. Put the command same-security-traffic permit inter-interface in place and then filter the traffic between them using ACLs.

There is a third one, but it is related to NAT, and since you don't have NAT configured it will be better to leave it as it is.

Mike.

Mike

So wait, is the packet-tracer output you provided with 'same-security-traffic permit inter-interface' enabled? The packet-tracer output is what I would expect to see without the command. It has to be there if you want to leave the security levels the way they are.

I'm kinda surprised there isn't a way to allow the traffic via an ACL... Thanks everyone for your input.

It is, but you will need to add the same-security traffic command first. That would be the first rule to be hit, then what you need to do is to filter the rest with ACLs.

Mike.

Mike
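The configuration Mike's option 2 describes, written out as an added example (not posted by anyone in the thread). It reuses the interface names and subnets from the original post and the NTP server address from the packet-tracer (172.30.175.52, inside the Test175 subnet; the posted ACLs reference 172.20.175.52, which is in neither subnet). Note that the ASA tracks UDP connections statefully, so the "return traffic" entry on Test175 is not needed; the Test175 ACL here instead keeps the now-permitted same-security path from being used in the other direction.

```cisco
! Added example, not from the original post. Names and subnets follow the thread;
! 172.30.175.52 is the NTP server address used in the poster's packet-tracer.
!
! Without this command the implicit same-security deny (the priority=11, deny=true
! "Implicit Rule" in the packet-tracer) is evaluated before any interface ACL, so
! no ACL entry can permit Test185 -> Test175 traffic while it is absent.
same-security-traffic permit inter-interface
!
! Inbound on Test185: permit only NTP to the one server, explicitly deny and log
! anything else destined for the Test175 subnet. The final permit keeps the
! interface's normal access to lower-security interfaces; drop it if Test185
! should carry nothing else.
access-list Test185 extended permit udp any host 172.30.175.52 eq ntp
access-list Test185 extended deny ip any 172.30.175.0 255.255.255.0 log
access-list Test185 extended permit ip any any
access-group Test185 in interface Test185
!
! Inbound on Test175: NTP replies are matched by the connection table, so no
! return-traffic entry is required. Because same-security traffic is now allowed
! in both directions, stop Test175 hosts from initiating anything toward Test185.
access-list Test175 extended deny ip any 172.30.185.0 255.255.255.0 log
access-list Test175 extended permit ip any any
access-group Test175 in interface Test175
!
! Verification (source host 172.30.185.10 is a constructed address in Test185):
! the first ACCESS-LIST phase should now cite access-list Test185 rather than
! "Implicit Rule"; the first trace should end in ALLOW, the second in DROP.
! packet-tracer input Test185 udp 172.30.185.10 123 172.30.175.52 123 detailed
! packet-tracer input Test185 tcp 172.30.185.10 1025 172.30.175.52 22 detailed
```

Re-entering access-group for an interface that already has one replaces the binding, so apply the full ACL before binding it.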

mudjain
Level 1

If you don't want another host to communicate with any other IP on the same-security-level interface, you can use an ACL to limit this and then use the same-security-traffic inter-interface command, and life remains good, if I understand the logic of not using the command.
