topic Same security level interface ACL in Network Security

Same security level interface ACL

ncowger — Mon, 11 Mar 2019 21:49:27 GMT

On a Cisco ASA 5520. I have 2 interfaces that are the same security level. I need hosts on 1 of these interfaces to be able to get to a specific IP and port on the other but I DON'T want to blanket enable 'same-security-traffic permit inter-interface" I have added an ACL inbound on the interface allowing the desired traffic and inbound on the other for return traffic and it simply doesn't work.

interface GigabitEthernet0/3.175

vlan 175

nameif Test175

security-level 30

ip address 172.30.175.1 255.255.255.0

interface GigabitEthernet0/3.185

vlan 185

nameif Test185

security-level 30

ip address 172.30.185.1 255.255.255.0

access-list Test185 extended permit udp any host 172.20.175.52 eq ntp

access-group Test185 in interface Test185

access-list Test175 extended permit udp host 172.20.175.52 eq ntp any

access-group Test175 in interface Test175

Re: Same security level interface ACL

vabruno — Sat, 12 Nov 2011 04:25:32 GMT

Can you post your whole config? Need to look at your NAT policy

Sent from Cisco Technical Support iPhone App

Same security level interface ACL

vipinrajrc — Sat, 12 Nov 2011 04:32:28 GMT

Yes, may be NAT need to be disabled for the communication between these two interface.

Please post your configuration

Re: Same security level interface ACL

ncowger — Sat, 12 Nov 2011 04:32:30 GMT

There is no NAT between the two.

Same security level interface ACL

ncowger — Sat, 12 Nov 2011 04:36:13 GMT

If I move the source interface up a security level it works so it's not NAT related as the source interface has no NAT configurations.

Re: Same security level interface ACL

vipinrajrc — Sat, 12 Nov 2011 04:36:35 GMT

Hi,

may all of your LAN is PATed to the public IP(or interface). Then you should exclude NAT for the communication between these two interfaces.

Thanks

Vipin

Re: Same security level interface ACL

ncowger — Sat, 12 Nov 2011 04:42:34 GMT

VPN# packet-tracer input JMSTest185 udp 172.30.85.10 123 172.30.175.52 123 det

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7b4060b0, priority=1, domain=permit, deny=false

hits=2612, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

input_ifc=JMSTest185, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 172.30.175.0 255.255.255.0 JMS

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x79336a28, priority=11, domain=permit, deny=true

hits=1365, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=JMSTest185, output_ifc=any

Result:

input-interface: JMSTest185

input-status: up

input-line-status: up

output-interface: JMS

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

VPN#

Re: Same security level interface ACL

Patrick0711 — Mon, 14 Nov 2011 21:26:30 GMT

I notice in the packet tracer you used 172.30.85.10 as your source address but the interface uses 172.30.185.0/24. Is this the correct host and if so, is there a route for the 172.30.85.X network on the JMSTest185 interface?

Is NAT control enabled? With the 'same-security-traffic permit inter-interface' command in place, traffic should be allowed to traverse the two same-security interfaces without NAT (even if NAT control is enabled) as long as the correct access-list entries are in place.

Re: Same security level interface ACL

ncowger — Mon, 14 Nov 2011 21:33:34 GMT

Yes. You are right. But with the correct IP it still fails.

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x79336a28, priority=11, domain=permit, deny=true

hits=2837, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=JMSTest185, output_ifc=any

Same security level interface ACL

Maykol Rojas — Mon, 14 Nov 2011 21:51:31 GMT

Hi,

The first rule to be hit will always be the same-security-traffic implicit rule. If you want to filter this you can do one of 2 things.

1-Lower one of the interfaces security levels and use ACLs to permit the traffic

2-Put the command same-security-traffic permit inter-interface and then filter the traffic between them using ACLs.

There is a third one, but is related to NAT and since you dont have nat configured it will be better to leave it as it is.

Mike.

Re: Same security level interface ACL

Patrick0711 — Mon, 14 Nov 2011 21:52:23 GMT

So wait, is the packet-tracer output you provided with'same-security-traffic permit inter-interface' enabled? The packet-tracer output is what I would expect to see without the command. It has to be there if you want to leave the security levels the way they are.

Same security level interface ACL

ncowger — Mon, 14 Nov 2011 22:09:27 GMT

I'm kinda suprised there isn't a way to allow the traffic via an ACL... Thanks everyone for your input.

Same security level interface ACL

Maykol Rojas — Mon, 14 Nov 2011 23:28:55 GMT

It is, but you will need to add the same security traffic first. That would be the first rule to be hitted, then what you need to do is to filter the rest with ACLs.

Mike.

Same security level interface ACL

mudjain — Fri, 25 Nov 2011 18:08:46 GMT

If you dont want an other host to communicate with any other IP on the same security level interface you can use ACL to limit this, and then use same security-level inter-interface command and life remains good, if I understand logic of not using the command .