
New Member

same-security-traffic permit inter-interface required for P2P ASAs?

Hi All,

I have a business requirement to allow a 3rd party to install & manage a camera system at one of my branches, and the business decision was to put the cameras on a 2nd ASA, fed by the first ASA with both outside interfaces on the same vlan (i.e. no firewall control needed), as opposed to DMZing them on the main ASA.  Please refer to my network drawing attached for an easy view of what is set up.

I am unable to connect to my second ASA from the outside, despite SSH and HTTPS currently allowing 0.0.0.0 0.0.0.0 outside.  One thing I did notice in the 2nd (camera) ASA config is that I do not have the "same-security-traffic permit inter-interface" command implemented, but the link between the two ASAs is security-level 0 to security-level 0.  It's my understanding that this is not permitted unless you allow it with the aforementioned command, but I am not sure if that only applies to inter-interfaces within a common ASA, or if it still applies when connecting two ASAs together with the same security levels on each side of the link.

I suspect this is the issue, but before I call and have the site connect a console cable & give up one of their stations so I can reconfigure it, I wanted to get some feedback.  Anything you can provide is much appreciated.  Thanks.

 

1 ACCEPTED SOLUTION
VIP Purple

You don't need this command

You don't need this command in your setup. It's only needed if you have multiple Sec0 interfaces on the same ASA.

In your setup you are just using the internal switch of your first ASA to reach the second ASA. There is no more config needed on the first ASA than putting the switchport into VLAN 2.

Investigate the problem on ASA2:

  1. Is the Default-Gateway set to your provider-router?
  2. Can you ping ASA2 from ASA1 and/or an outside PC?
  3. Is the SSH setup correct? Can you connect to ASA2 from inside of ASA2?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
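The three checks in the accepted answer, written out as an added ASA configuration and verification fragment. This is not from the original thread or from Cisco; the interface name, the 203.0.113.0/24 addresses and the management host 198.51.100.10 are assumed placeholders, while the commands themselves are standard ASA CLI. It also shows the narrower form of the SSH/HTTPS permit lines, since the 0.0.0.0 0.0.0.0 outside permit in the question exposes management to every source address:

```cisco
! ASA2 (camera ASA). Outside interface faces the switchport on ASA1 that
! was placed in VLAN 2. Addresses are placeholders, not from the thread.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.20 255.255.255.0
!
! Check 1: the default route must leave via the outside interface toward the
! provider router. A default route pointing at an inside address is the
! fault the original poster eventually found.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Check 3: SSH/HTTPS management. The thread permits 0.0.0.0 0.0.0.0 outside;
! limiting the permit to the management host (placeholder 198.51.100.10)
! keeps the management plane off the open internet.
crypto key generate rsa modulus 2048
aaa authentication ssh console LOCAL
username admin password <set-a-strong-password> privilege 15
ssh version 2
ssh 198.51.100.10 255.255.255.255 outside
http server enable
http 198.51.100.10 255.255.255.255 outside
!
! Not required here: this command only matters for traffic passing between
! two security-level-0 interfaces on the same ASA, not across two ASAs.
! same-security-traffic permit inter-interface
!
! Verification from exec mode:
!   show route                - expect a line like
!                               "S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside"
!   ping outside 203.0.113.1  - check 2: reachability to the provider router
!   show run ssh              - check 3: permitted source hosts and interface
```

Run `show route` first: if the gateway of last resort is missing or exits via `inside`, the other two checks will fail regardless of how SSH is configured.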
2 REPLIES
New Member


Hi Karsten,

Looks like the default route was pointing the wrong way.  Thanks for your input.
