https://community.cisco.com/t5/network-security/communication-between-same-security-levels-in-asa/m-p/1936890#M458279 <HTML><HEAD></HEAD><BODY><P>Hello Rakesh,</P><P></P><P>You already told us you have the&nbsp;&nbsp; permit inter-interface command and also nat control disabled.</P><P></P><P>You also told us you have the default setting on your asa so if that is true you should not have the inspection for the ICMP protocol.</P><P>Please add the following:</P><P>&nbsp;&nbsp;&nbsp;&nbsp; -fixup protocol icmp</P><P></P><P>Then give it a try:</P><P></P><P>Also provide the following:</P><P></P><P>packet-tracer input inside icmp 10.0.0.2 8 0 10.0.4.2 </P><P></P><P>Regards,</P><P></P><P><EM style="text-decoration: underline; ">Do rate all the helpful posts</EM></P><P></P><P>Julio</P></BODY></HTML> Mon, 12 Mar 2012 17:44:16 GMT Julio Carvajal 2012-03-12T17:44:16Z https://community.cisco.com/t5/network-security/communication-between-same-security-levels-in-asa/m-p/1936887#M458274 <P>Hi All,</P><P></P><P>I am facing communication issue between the same security level. I have created two security zones with same security level &amp; i have also configured the command same-security-traffic permit inter-interface &amp; nat-control is disabled by default. But i am not able to communicate between same security level.</P><P></P><P>when i have checked the logs using sh logging coomand following output will come:-</P><P></P><P></P><P>%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.28/14 gaddr 10.0.4.1/0 laddr 10.0.4.1/0</P><P>%ASA-6-110003: Routing failed to locate next hop for icmp from HR:10.0.4.1/0 to HR:10.0.0.28/0</P><P>%ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.28/14 gaddr 10.0.4.1/0 laddr 10.0.4.1/0</P><P>%ASA-3-219002: i2c_read_byte_w_suspend() error, slot = 0x4, device = 0xb0, address = 0x0, byte count = 1. Reason: I2C_SMBUS_UNSUPPORT</P><P></P><P>My ASA lab configuration:-</P><P></P><P>interface Ethernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address 2.2.2.1 255.255.255.252</P><P>!</P><P>interface Ethernet0/1</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Ethernet0/1.1</P><P> vlan 2</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.0.0.1 255.255.252.0</P><P>!</P><P>interface Ethernet0/1.2</P><P> vlan 3</P><P> nameif HR</P><P> security-level 100</P><P> ip address 10.0.4.1 255.255.252.0</P><P></P><P>rest configuration is default</P><P></P><P>Thanks </P> Mon, 11 Mar 2019 22:40:37 GMT https://community.cisco.com/t5/network-security/communication-between-same-security-levels-in-asa/m-p/1936887#M458274 rakeshjss123 2019-03-11T22:40:37Z https://community.cisco.com/t5/network-security/communication-between-same-security-levels-in-asa/m-p/1936888#M458275 <HTML><HEAD></HEAD><BODY><P>Just to be sure - I would configure a nat-exemption rule.</P></BODY></HTML> Mon, 12 Mar 2012 15:47:22 GMT https://community.cisco.com/t5/network-security/communication-between-same-security-levels-in-asa/m-p/1936888#M458275 andrew.prince 2012-03-12T15:47:22Z https://community.cisco.com/t5/network-security/communication-between-same-security-levels-in-asa/m-p/1936889#M458277 <HTML><HEAD></HEAD><BODY><P>You can also add the following commands to allow the same security interface to talk to each other:</P><P></P><P>same-security-traffic permit intra-interface</P><P></P><P>same-security-traffic permit inter-interface</P><P></P><P>Thanks and let us know.</P><P></P><P>Kimberly</P></BODY></HTML> Mon, 12 Mar 2012 16:57:13 GMT https://community.cisco.com/t5/network-security/communication-between-same-security-levels-in-asa/m-p/1936889#M458277 Kimberly Adams 2012-03-12T16:57:13Z https://community.cisco.com/t5/network-security/communication-between-same-security-levels-in-asa/m-p/1936890#M458279 <HTML><HEAD></HEAD><BODY><P>Hello Rakesh,</P><P></P><P>You already told us you have the&nbsp;&nbsp; permit inter-interface command and also nat control disabled.</P><P></P><P>You also told us you have the default setting on your asa so if that is true you should not have the inspection for the ICMP protocol.</P><P>Please add the following:</P><P>&nbsp;&nbsp;&nbsp;&nbsp; -fixup protocol icmp</P><P></P><P>Then give it a try:</P><P></P><P>Also provide the following:</P><P></P><P>packet-tracer input inside icmp 10.0.0.2 8 0 10.0.4.2 </P><P></P><P>Regards,</P><P></P><P><EM style="text-decoration: underline; ">Do rate all the helpful posts</EM></P><P></P><P>Julio</P></BODY></HTML> Mon, 12 Mar 2012 17:44:16 GMT https://community.cisco.com/t5/network-security/communication-between-same-security-levels-in-asa/m-p/1936890#M458279 Julio Carvajal 2012-03-12T17:44:16Z