same-security-traffic permit inter-interface required for P2P ASAs?

Dean Romanelli
Level 4

Hi All,

I have a business requirement to allow a 3rd party to install & manage a camera system at one of my branches, and the business decision was to put the cameras on a 2nd ASA, fed by the first ASA with both outside interfaces on the same VLAN (i.e. no firewall control needed), as opposed to DMZing them on the main ASA.  Please refer to my network drawing attached for an easy view of what is set up.

I am unable to connect to my second ASA from the outside, despite SSH and HTTPS currently allowing 0.0.0.0 0.0.0.0 outside.  One thing I did notice in the 2nd (camera) ASA config is that I do not have the "same-security-traffic permit inter-interface" command implemented, but the link between the two ASAs is security-level 0 to security-level 0.  It's my understanding that this is not permitted unless you allow it with the aforementioned command, but I am not sure if that only applies to inter-interfaces within a common ASA, or if it still applies when connecting two ASAs together with the same security-levels on each side of the link.

I suspect this is the issue, but before I call and have the site connect a console cable & give up one of their stations so I can reconfigure it, I wanted to get some feedback.  Anything you can provide is much appreciated.  Thanks.

 

Accepted Solution

You don't need this command in your setup. It's only needed if you have multiple Sec0 interfaces on the same ASA.

In your setup you are just using the internal switch of your first ASA to reach the second ASA. There is no more config needed on the first ASA than putting the switchport into VLAN 2.

Investigate the problem on ASA2:

  1. Is the Default-Gateway set to your provider-router?
  2. Can you ping ASA2 from ASA1 and/or an outside PC?
  3. Is the SSH setup correct? Can you connect to ASA2 from inside of ASA2?

2 Replies

Hi Karsten,

Looks like the default route was pointing the wrong way.  Thanks for your input.
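As an added illustration (not configuration from either poster), the ASA2 pieces the troubleshooting checklist above points at, with the default-route mistake that turned out to be the cause shown beside its fix, and a contrast showing the only case where `same-security-traffic permit inter-interface` actually matters. All addresses are constructed placeholders.

```cisco
! Added example, not the poster's configuration. Constructed addresses:
! 203.0.113.0/24 is the shared outside VLAN, 203.0.113.1 the provider router,
! 203.0.113.20 ASA2's outside address, 192.168.1.1 a host on ASA2's inside.
!
! --- ASA2 (camera firewall) ---
! Only one security-level 0 interface exists on this box, so
! same-security-traffic is irrelevant here; reachability is a routing question.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.20 255.255.255.0
!
! Step 1 of the checklist. Assumed form of the fault in this thread:
! a default route pointing at the inside instead of the provider router.
! WRONG (remove):  route inside 0.0.0.0 0.0.0.0 192.168.1.1 1
! CORRECT:
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Step 3: management access as described in the question. Restricting the
! source to the specific management hosts is the usual hardening step.
ssh 0.0.0.0 0.0.0.0 outside
http server enable
http 0.0.0.0 0.0.0.0 outside
!
! Verification (exec mode) for steps 1 and 2:
!   show route | include 0.0.0.0
!   ping outside 203.0.113.1
!
! --- Contrast: hypothetical single ASA with TWO security-level 0 interfaces ---
! Only here does traffic between same-level interfaces need the command.
! interface Vlan2
!  nameif outside
!  security-level 0
! interface Vlan3
!  nameif cameras
!  security-level 0
! same-security-traffic permit inter-interface
```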
