https://community.cisco.com/t5/network-security/asa-same-security-traffic-permit-inter-interface-vs-acl/m-p/2380789#M306463 <HTML><HEAD></HEAD><BODY><P>In the old days of the PIX it was a feature. If two interfaces have the same security-level, then they are separated and can't communicate with each other regardless what else is configured. Later when the FWSM was introduced it was possible to have Firewalls with more then 101 interfaces. A feature was needed to overwrite this functionality.&nbsp; This behavior is still valid, but of course we can disable this function with the mentioned command. So yes, the command has precedence over an ACL.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni" rel="nofollow">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Thu, 02 Jan 2014 09:10:27 GMT Karsten Iwen 2014-01-02T09:10:27Z https://community.cisco.com/t5/network-security/asa-same-security-traffic-permit-inter-interface-vs-acl/m-p/2380788#M306462 <P>Hi all.</P><P>I have ASA 5525 with subinterfaces for internal VLANs and one interface is connected to ISP and is NAT'ing internal networks with dynamic NAT. Also I have global ACL's which permit traffic between a part of vlans and deny traffic between another VLANs. Another option which is set on ASA is "<SPAN style="font-size: 10pt;">same-security-traffic permit inter-interface</SPAN><SPAN style="font-size: 10pt;">". In this case it seems that all is working good. But if I disable </SPAN><SPAN style="font-size: 10pt;">"same-security-traffic permit inter-interface" the traffic between internal subinterfaces (with the same security level) is not passing although an explicit ACL which permit traffic between these interfaces is configured in global. </SPAN></P><P><SPAN style="font-size: 10pt;">I was not able to find the documentation about ACL vs </SPAN><SPAN style="font-size: 10pt;">"same-security-traffic permit inter-interface", could somebody tell me - does </SPAN></P><P> "same-security-traffic permit inter-interface" <SPAN style="font-size: 10pt;"> have precedence over explicit ACL ?</SPAN></P> Tue, 12 Mar 2019 03:24:02 GMT https://community.cisco.com/t5/network-security/asa-same-security-traffic-permit-inter-interface-vs-acl/m-p/2380788#M306462 alexandru.cacean 2019-03-12T03:24:02Z https://community.cisco.com/t5/network-security/asa-same-security-traffic-permit-inter-interface-vs-acl/m-p/2380789#M306463 <HTML><HEAD></HEAD><BODY><P>In the old days of the PIX it was a feature. If two interfaces have the same security-level, then they are separated and can't communicate with each other regardless what else is configured. Later when the FWSM was introduced it was possible to have Firewalls with more then 101 interfaces. A feature was needed to overwrite this functionality.&nbsp; This behavior is still valid, but of course we can disable this function with the mentioned command. So yes, the command has precedence over an ACL.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni" rel="nofollow">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Thu, 02 Jan 2014 09:10:27 GMT https://community.cisco.com/t5/network-security/asa-same-security-traffic-permit-inter-interface-vs-acl/m-p/2380789#M306463 Karsten Iwen 2014-01-02T09:10:27Z https://community.cisco.com/t5/network-security/asa-same-security-traffic-permit-inter-interface-vs-acl/m-p/2380790#M306464 <HTML><HEAD></HEAD><BODY><P>thank you, but can you give me an link to detailed documentation ?</P></BODY></HTML> Thu, 02 Jan 2014 09:55:20 GMT https://community.cisco.com/t5/network-security/asa-same-security-traffic-permit-inter-interface-vs-acl/m-p/2380790#M306464 alexandru.cacean 2014-01-02T09:55:20Z https://community.cisco.com/t5/network-security/asa-same-security-traffic-permit-inter-interface-vs-acl/m-p/2380791#M306465 <HTML><HEAD></HEAD><BODY><P>nothing more then what is in the official documentation:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/interface_complete_routed.html#wp1325183">http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/interface_complete_routed.html#wp1325183</A></P><P></P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Thu, 02 Jan 2014 10:13:23 GMT https://community.cisco.com/t5/network-security/asa-same-security-traffic-permit-inter-interface-vs-acl/m-p/2380791#M306465 Karsten Iwen 2014-01-02T10:13:23Z https://community.cisco.com/t5/network-security/asa-same-security-traffic-permit-inter-interface-vs-acl/m-p/2380792#M306466 <HTML><HEAD></HEAD><BODY><P>thank you very much</P></BODY></HTML> Thu, 02 Jan 2014 10:29:19 GMT https://community.cisco.com/t5/network-security/asa-same-security-traffic-permit-inter-interface-vs-acl/m-p/2380792#M306466 alexandru.cacean 2014-01-02T10:29:19Z