Since access-lists are applied to interfaces without regard to which interface the traffic is bound for, you should be able to apply access-list statements that act on traffic flowing between the two same-security-level interfaces.
That is, when the access-group command is applied to an interface, it acts on all traffic entering that interface, regardless of where it is destined.
Seems to have changed! Same security levels can talk in 7.1 PIX/ASA code if there is an access-list.
But I have never used this in the field so I am not sure if that will work.
To disable NAT you need a NAT exemption:
access-list NONAT extended permit ip any any
nat (inside) 0 access-list NONAT
Security Level Usage Guidelines:
The level controls the following behavior:
Network access: By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.
For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.
Inspection engines: Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
NetBIOS inspection engine: Applied only for outbound connections.
OraServ inspection engine: If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.
Filtering: HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).
For same security interfaces, you can filter traffic in either direction.
NAT control: When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).
Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.
established command: This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.
For same security interfaces, you can configure established commands for both directions.
Normally, interfaces on the same security level cannot communicate. If you want interfaces on the same security level to communicate, see the same-security-traffic command. You might want to assign two interfaces to the same level and allow them to communicate if you want to create more than 101 communicating interfaces, or you want protection features to be applied equally for traffic between two interfaces; for example, you have two departments that are equally secure.
If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
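The pieces discussed in this thread (two interfaces at the same security level, the same-security-traffic command, an access-list applied inbound on one interface, and a nat 0 exemption) put together as one worked configuration. This is an added example, not taken from the thread or from Cisco's documentation; the interface names, addresses and ACL names are constructed, and it uses the pre-8.3 nat/global syntax that the replies above use.

```cisco
! Added example: two DMZ interfaces at the same security level.
! Names, addresses and ACL names are constructed for illustration.
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Without this line, traffic between interfaces at the same level is dropped.
same-security-traffic permit inter-interface
!
! Identity (nat 0) exemption so dmz1 <-> dmz2 traffic is never translated,
! even if other dynamic nat/global rules on these interfaces would match it.
access-list NONAT_DMZ1 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (dmz1) 0 access-list NONAT_DMZ1
access-list NONAT_DMZ2 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (dmz2) 0 access-list NONAT_DMZ2
!
! Restrict what dmz1 hosts may start toward dmz2: only HTTPS to one server.
! The ACL is applied inbound on dmz1, so it is evaluated for every packet
! entering dmz1 regardless of which interface the packet is destined for.
! Once an ACL is applied, the implicit permits described above no longer
! apply on that interface, so the final permit keeps other traffic working.
access-list DMZ1_IN extended permit tcp 10.1.1.0 255.255.255.0 host 10.1.2.10 eq 443
access-list DMZ1_IN extended deny ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list DMZ1_IN extended permit ip any any
access-group DMZ1_IN in interface dmz1
```

Two checks worth running after applying this: `show access-list DMZ1_IN` shows per-line hit counts, which tells you whether the permit or the deny line is matching the dmz1-to-dmz2 flows, and `packet-tracer input dmz1 tcp 10.1.1.5 12345 10.1.2.10 443` walks a simulated packet through the same-security check, the ACL and the NAT exemption and reports which phase would drop it. Note that the ACL on dmz1 controls only connections initiated from dmz1; connections started from dmz2 toward dmz1 are governed by whatever is applied inbound on dmz2 (here, nothing, so the same-security implicit permit applies).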