8166 Views, 5 Helpful, 15 Replies

Unable to communicate between vlans on ASA 5505 and Catalyst 2960

remitprosupport
Level 1

Hello all,

I have an ASA 5505 firewall connected by a trunk port to a Catalyst 2960. Vlans have been configured and assigned to interfaces on the firewall, and trunk ports configured on both the firewall and the switch. I believe it's configured correctly, because the switch sees the vlans I configured from the firewall.

I also have two Windows computers, each connected to switchports configured for two of the vlans. I can ping the gateway interface (the IP assigned to the vlan at the firewall) successfully from either host. These hosts are located on the soa net, as 192.168.150.100 on switchport 1, and the it-dev net, as 192.168.200.100 on switchport 15. Both hosts' firewalls are turned off.

Thinking I'd configured everything correctly, I attempted to send pings from one host to another, expecting to see deny messages in the live log. Strangely, one of the hosts gets deny messages, and the other gets no deny and the connection shows as opened, but neither host received a reply. Same-security inter- and intra-interface is enabled. Even when I create global ICMP rules on the firewall or create ICMP ACLs assigned to the destination interface, this behavior persists.

I also tried telnetting to port 445 from each host to the other, and the host that had its ping connection opened was able to connect, and the other simply got deny messages.

With same-security inter-interface disabled, either host attempting to telnet to the other generates an "Inbound TCP connection denied..." message in the live log.

The questions I have are:

1. Is enabling same-security inter-interface supposed to be a blanket allow for inter-vlan communication when trunked like this?

2. Why would one interface, when both interfaces are vlans assigned to the same physical interface and configured the same, be allowed to create connections on the firewall and another not?

3. Why can I not get a reply back for the connections that are opened?

4. Why would ICMP rules still not allow the traffic through?

I've included the configs for the firewall and the switch. I would really appreciate any help, since I've been banging away at this for days and can't figure out what's wrong with this setup.

ASA Version 8.2(3)
!
hostname officefw1
enable password XXXX encrypted
passwd XXXX encrypted
names
dns-guard
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 50
!
interface Ethernet0/2
switchport trunk allowed vlan 100,125,150,200
switchport trunk native vlan 999
switchport mode trunk
!
interface Ethernet0/3
switchport access vlan 250
!
interface Ethernet0/4
switchport access vlan 251
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
shutdown
nameif inside
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan50
nameif dmz
security-level 10
ip address 192.158.50.1 255.255.255.0
!
interface Vlan100
nameif infrastructure
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan125
nameif voip
security-level 100
ip address 192.168.125.1 255.255.255.0
!
interface Vlan150
nameif soa
security-level 100
ip address 192.168.150.1 255.255.255.0
!
interface Vlan200
nameif it-dev
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Vlan250
nameif systems
security-level 100
ip address 192.168.250.1 255.255.255.0
!
interface Vlan251
nameif management
security-level 100
ip address 192.168.251.1 255.255.255.0
!
interface Vlan999
no nameif
no security-level
no ip address
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns domain-lookup management
dns domain-lookup systems
dns domain-lookup infrastructure
dns domain-lookup voip
dns domain-lookup soa
dns domain-lookup it-dev
dns server-group DefaultDNS
name-server 68.105.28.12
name-server 68.105.29.11
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service test445 tcp
port-object eq 445
access-list it-dev_access_in extended permit icmp any any inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu systems 1500
mtu dmz 1500
mtu infrastructure 1500
mtu voip 1500
mtu soa 1500
mtu it-dev 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group it-dev_access_in in interface it-dev
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.251.0 255.255.255.0 management
http 192.168.250.0 255.255.255.0 systems
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.250.0 255.255.255.0 systems
telnet timeout 5
ssh 192.168.250.0 255.255.255.0 systems
ssh timeout 5
console timeout 0
management-access management
dhcpd auto_config outside
!
dhcpd address 192.168.125.10-192.168.125.30 voip
dhcpd dns 68.15.28.11 68.105.29.12 interface voip
dhcpd enable voip
!
dhcpd address 192.168.150.10-192.168.150.30 soa
dhcpd dns 68.105.28.12 68.105.29.11 interface soa
dhcpd enable soa
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 198.123.30.132 source outside prefer
webvpn
anyconnect-essentials
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

version 12.2
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname officesw1
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXX
!
!
!
no aaa new-model
switch 1 provision ws-c2960s-24ts-l
authentication mac-move permit
ip subnet-zero
!
!
!
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
enrollment selfsigned
serial-number
revocation-check none
rsakeypair HTTPS_SS_CERT_KEYPAIR
!
!
crypto pki certificate chain HTTPS_SS_CERT_KEYPAIR
certificate self-signed 01
  <snipped for space>
  quit
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
ip address 192.168.251.10 255.255.255.0
!
interface GigabitEthernet1/0/1
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/21
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
switchport trunk native vlan 999
switchport trunk allowed vlan 100,125,150,200
switchport mode trunk
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
shutdown
!
interface Vlan150
no ip address
!
interface Vlan200
no ip address
!
no ip http server
ip http secure-server
ip sla enable reaction-alerts
!
!
line con 0
line vty 0 4
password 7 XXXX
login
line vty 5 15
password 7 XXXX
login
!
end

15 Replies

Collin,

After more experimentation this morning, I realized I was adding my ACLs to the wrong interface. I did enable same-security inter-interface, and had my ACLs added to the destination interface, which still allowed the traffic. After I added the ACL to the source interface, everything was filtered as expected.

Thanks for your help...

Dan
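The behaviour the thread turns on (an `in` ACL is evaluated on the interface a packet enters, not on the interface it leaves, and a bound ACL ends in an implicit deny even when its only entry is `inactive`) can be shown with a small model. The script below is an added illustration written for this page, not Cisco code, and it deliberately models only the ACL and security-level decision; NAT, the stateful connection table and inspection are left out, so the "connection opened but no reply" symptom is not covered. Interface names, subnets, hosts and `it-dev_access_in` come from the posted config; `soa_access_in` and its two entries are an assumed ACL standing in for the source-interface filter Dan describes.

```python
"""Model of the Cisco ASA interface-ACL / security-level decision discussed in
this thread. Added illustration, not Cisco code: only the rules the thread relies
on are modelled (no NAT, no stateful return traffic, no inspection). Interfaces,
hosts and `it-dev_access_in` are from the posted config; `soa_access_in` is an
assumed ACL standing in for the source-interface filter in Dan's reply."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    security_level: int
    network: str                      # connected subnet, e.g. "192.168.150.0/24"


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip", "icmp" or "tcp"
    src: str = "any"
    dst: str = "any"
    inactive: bool = False            # `inactive` entries are never evaluated


@dataclass
class Asa:
    interfaces: Dict[str, Interface]
    acls: Dict[str, List[Ace]] = field(default_factory=dict)
    access_groups: Dict[str, str] = field(default_factory=dict)  # ifname -> ACL bound "in"
    same_security_inter_interface: bool = False

    def connected_interface(self, ip: str) -> Optional[Interface]:
        """Connected-route lookup: the interface whose subnet holds `ip`."""
        addr = ip_address(ip)
        for intf in self.interfaces.values():
            if addr in ip_network(intf.network):
                return intf
        return None

    @staticmethod
    def matches(ace: Ace, protocol: str, src: str, dst: str) -> bool:
        if ace.inactive or ace.protocol not in ("ip", protocol):
            return False
        return all(spec == "any" or ip_address(ip) in ip_network(spec)
                   for spec, ip in ((ace.src, src), (ace.dst, dst)))

    def decide(self, protocol: str, src: str, dst: str) -> str:
        """Decision for a packet entering the ASA from `src` towards `dst`."""
        ingress = self.connected_interface(src)
        egress = self.connected_interface(dst)
        if ingress is None or egress is None:
            return "deny: no connected route"
        # An "in" ACL is evaluated only on the interface the packet ENTERS; an
        # ACL bound "in" on the destination interface never sees this packet.
        acl_name = self.access_groups.get(ingress.name)
        if acl_name is not None:
            for ace in self.acls.get(acl_name, []):
                if self.matches(ace, protocol, src, dst):
                    return f"{ace.action}: {acl_name} on {ingress.name}"
            return f"deny: implicit deny at end of {acl_name} on {ingress.name}"
        # No ACL bound: fall back to the security-level rules.
        if ingress.security_level > egress.security_level:
            return "permit: higher to lower security level"
        if ingress.security_level == egress.security_level:
            if self.same_security_inter_interface:
                return "permit: same-security-traffic permit inter-interface"
            return "deny: equal security levels, inter-interface not permitted"
        return "deny: lower to higher security level"


def thread_config() -> Asa:
    """The posted config: the only ACE is inactive, but the ACL is still bound."""
    return Asa(
        interfaces={
            "dmz": Interface("dmz", 10, "192.158.50.0/24"),
            "soa": Interface("soa", 100, "192.168.150.0/24"),
            "it-dev": Interface("it-dev", 100, "192.168.200.0/24"),
        },
        acls={"it-dev_access_in": [Ace("permit", "icmp", inactive=True)]},
        access_groups={"it-dev": "it-dev_access_in"},
        same_security_inter_interface=True,
    )


def corrected_config() -> Asa:
    """Filter on the SOURCE interface instead (assumed ACL, following Dan's reply)."""
    asa = thread_config()
    asa.acls["soa_access_in"] = [Ace("deny", "icmp"), Ace("permit", "ip")]
    asa.access_groups["soa"] = "soa_access_in"
    return asa


SOA_HOST, ITDEV_HOST = "192.168.150.100", "192.168.200.100"

if __name__ == "__main__":
    for label, asa in (("as posted", thread_config()), ("corrected", corrected_config())):
        print(f"[{label}] soa -> it-dev icmp:    {asa.decide('icmp', SOA_HOST, ITDEV_HOST)}")
        print(f"[{label}] it-dev -> soa icmp:    {asa.decide('icmp', ITDEV_HOST, SOA_HOST)}")
        print(f"[{label}] soa -> it-dev tcp/445: {asa.decide('tcp', SOA_HOST, ITDEV_HOST)}")
```

Run as posted, the model reproduces the one-way result from the original post: `soa` has no ACL bound, so the same-security permit lets 192.168.150.100 open a connection towards it-dev, while `it-dev` has `it-dev_access_in` bound with no active entry, so everything entering from 192.168.200.100 falls to the implicit deny. Binding the ACL to the interface the traffic enters, as in `corrected_config`, is what makes the ICMP deny take effect while still permitting TCP/445.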
