same-security-traffic permit inter-interface required for P2P ASAs?
I have a business requirement to allow a 3rd party to install & manage a camera system at one of my branches, and the business decision was to put the cameras on a 2nd ASA, fed by the first ASA with both outside interfaces on the same vlan (i.e. no firewall control needed), as opposed to DMZing them on the main ASA. Please refer to my network drawing attached for an easy view of what is set up.
I am unable to connect to my second ASA from the outside, despite SSH and HTTPS currently allowing 0.0.0.0 0.0.0.0 outside. One thing I did notice in the 2nd (camera) ASA config is that I do not have the "same-security-traffic permit inter-interface" command implemented, but the link between the two ASAs is security-level 0 to security-level 0. It's my understanding that this is not permitted unless you allow it with the aforementioned command, but I am not sure if that only applies to inter-interfaces within a common ASA, or if it still applies when connecting two ASAs together with the same security-levels on each side of the link.
I suspect this is the issue, but before I call and have the site connect a console cable & give up one of their stations so I can reconfigure it, I wanted to get some feedback. Anything you can provide is much appreciated. Thanks.
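An added configuration example, not the original poster's config and not the attached drawing: it shows, on the camera ASA, the command the question asks about next to the commands that actually gate SSH/ASDM access to the box, with a wide-open form and a scoped form side by side. The interface name `outside`, the address 192.0.2.10/24, the vendor management range 198.51.100.0/24 and the username are assumed values for illustration. The one fact this example relies on is the scope of `same-security-traffic permit inter-interface`: it only controls transit traffic that enters one interface of an ASA and leaves another interface of the same ASA with an equal security level. It is never evaluated between two different ASAs (each box only sees its own interfaces), and it does not affect sessions that terminate on the ASA itself, such as SSH or HTTPS to its management plane.

```cisco
! Added example (not the poster's configuration). Values are assumed:
! interface "outside" at 192.0.2.10/24, vendor management range 198.51.100.0/24.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0
!
! Only relevant if this ASA forwards traffic between two of its OWN
! interfaces that both carry security-level 0. It has no effect on
! traffic destined to the ASA itself, and no effect on the other ASA.
same-security-traffic permit inter-interface
!
! --- Management plane: these commands decide who may open SSH/ASDM ---
! Wide-open form, as described in the question (any source via "outside"):
ssh 0.0.0.0 0.0.0.0 outside
http server enable
http 0.0.0.0 0.0.0.0 outside
!
! Scoped form: same commands limited to the vendor's management range.
! Remove the 0.0.0.0 lines once the scoped lines are in place.
ssh 198.51.100.0 255.255.255.0 outside
http 198.51.100.0 255.255.255.0 outside
ssh version 2
ssh timeout 10
!
! SSH additionally needs an RSA key pair and an authentication source;
! without them the TCP handshake completes but the login never succeeds.
crypto key generate rsa modulus 2048
aaa authentication ssh console LOCAL
username camadmin password <strong-password> privilege 15
!
! Verification from the console or an existing session:
show running-config ssh
show running-config http
show running-config same-security-traffic
show ssh sessions
show asp drop
```

If `show asp drop` on the camera ASA shows no growing drop counter and `show ssh sessions` never lists the attempt, the packets are not reaching its outside address at all, so the place to look is the path to that address (routing and NAT on the first ASA, or upstream) rather than the same-security-traffic command. The scoped `ssh`/`http` lines are worth keeping regardless of the outcome: `0.0.0.0 0.0.0.0 outside` exposes the management plane of the camera ASA to any source that can reach its outside interface.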