https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/3811395#M347681 It can be applied globally only.<BR /> Thu, 28 Feb 2019 03:21:26 GMT Mohammed al Baqari 2019-02-28T03:21:26Z https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/2263662#M347674 <P>Asa 5525x with 9.1 code with multicontext<BR />Mode enabled<BR /><BR />I enabled traffic between interfaces with same security level on admin firewall context . This works but when I disable this feature and apply inbound ACLs to these same interfaces log indicates packets are being denied by implicit policy even though my acl permits this traffic<BR />Any clues to why this occurs ? Tried rebooting Asa after disabling same interface security level traffic to no avail.<BR /><BR />Thanks Team<BR /><BR />Scott</P> Tue, 12 Mar 2019 02:01:04 GMT https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/2263662#M347674 Scott Robertson 2019-03-12T02:01:04Z https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/2263663#M347675 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you have interfaces configured with same <STRONG>"security-level"</STRONG> value then the only way traffic can pass between them is if you have <STRONG>"same-security-traffic permit inter-interface"</STRONG> configuration enabled.</P><P></P><P>So even if you allow traffic with <STRONG>"access-list"</STRONG> configurations on the interfaces BUT you dont have the above configuration command enabled then traffic will still get blocked.</P><P></P><P>So you either have to configure <STRONG>"same-security-traffic permit inter-interface"</STRONG> OR you will have to change either interfaces <STRONG>"security-level"</STRONG> so they dont match.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 20 Jun 2013 15:49:43 GMT https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/2263663#M347675 Jouni Forss 2013-06-20T15:49:43Z https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/2263664#M347676 <HTML><HEAD></HEAD><BODY><P>So can/will Acl's control traffic on these interfaces with the same security level feature enabled and interfaces configured at same level or will all traffic be permitted regardless of ACL's if security levels are equal?<BR /><BR /><BR /><BR /><BR />Thank you!<BR /><BR /><BR /><BR /><BR /><BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Thu, 20 Jun 2013 16:14:43 GMT https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/2263664#M347676 Scott Robertson 2013-06-20T16:14:43Z https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/2263665#M347677 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you have <STRONG>"same-security-traffic permit inter-interface"</STRONG> configured and have 2 interfaces with same <STRONG>"security-level"</STRONG> value and you have <STRONG>"access-list"</STRONG> configured on both interfaces then the ACLs will handle the decision of what traffic is allowed and what is not.</P><P></P><P>In the above case you could consider the <STRONG>"same-security-traffic permit inter-interface"</STRONG> a kind of command that overcomes a default limitation of communication between interfaces with same <STRONG>"security-level"</STRONG> interfaces.</P><P></P><P>So basically when you have interface ACLs configured then they will decide which traffic is allowed even if you have the <STRONG>"same-security-traffic"</STRONG> configurations enabled</P><P><BR />Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please do remember to mark the reply as the correct answer if it answered your question.</P><P></P><P>Or ask more if needed.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 20 Jun 2013 16:21:58 GMT https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/2263665#M347677 Jouni Forss 2013-06-20T16:21:58Z https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/2263666#M347678 <HTML><HEAD></HEAD><BODY><P> Thank you Jouni !</P><P>I understand the logic at this point and appreciate your qucik responses.</P></BODY></HTML> Fri, 21 Jun 2013 13:23:54 GMT https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/2263666#M347678 Scott Robertson 2013-06-21T13:23:54Z https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/3811383#M347679 Thu, 28 Feb 2019 02:30:04 GMT https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/3811383#M347679 Ni2 2019-02-28T02:30:04Z https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/3811384#M347680 Thu, 28 Feb 2019 02:43:21 GMT https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/3811384#M347680 drlbaluyut 2019-02-28T02:43:21Z https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/3811395#M347681 It can be applied globally only.<BR /> Thu, 28 Feb 2019 03:21:26 GMT https://community.cisco.com/t5/network-security/asa-9-1-code-enable-traffic-between-interfaces-with-same/m-p/3811395#M347681 Mohammed al Baqari 2019-02-28T03:21:26Z