topic Re: Hosts between two sub-interfaces that is using one physical interface of Cisco ASA cannot ping each other. in Network Security https://community.cisco.com/t5/network-security/hosts-between-two-sub-interfaces-that-is-using-one-physical/m-p/3804679#M6922 <P>Hi there,</P> <P>Try adding the following commands:</P> <PRE>! same-security-traffic permit inter-interface same-security-traffic permit intra-interface !</PRE> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html</A></P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> <P>&nbsp;</P> Tue, 19 Feb 2019 08:13:58 GMT Seb Rupik 2019-02-19T08:13:58Z Hosts between two sub-interfaces that is using one physical interface of Cisco ASA cannot ping each other. https://community.cisco.com/t5/network-security/hosts-between-two-sub-interfaces-that-is-using-one-physical/m-p/3804657#M6918 <P>Hi</P> <P>&nbsp;</P> <P>How can i permit ping between two hosts on a different subinterface using the same physical interface on cisco ASA? It is also using the same ACL.</P> <P>&nbsp;</P> <P>FW/pri/act# sh ip<BR />System IP Addresses:<BR />Interface Name IP address Subnet mask Method <BR />GigabitEthernet0/1.16 zon_ves 10.165.16.1 255.255.255.0 CONFIG<BR />GigabitEthernet0/1.28 zon_ves_2 10.165.28.1 255.255.255.0 manual</P> <P>&nbsp;</P> <P>interface GigabitEthernet0/1<BR /> no nameif<BR /> no security-level<BR /> no ip address</P> <P>&nbsp;</P> <P>interface GigabitEthernet0/1.16<BR /> vlan 16<BR /> nameif zon_ves<BR /> security-level 90<BR /> ip address 10.165.16.1 255.255.255.0 standby 10.165.16.2</P> <P>&nbsp;</P> <P>interface GigabitEthernet0/1.28<BR /> vlan 28<BR /> nameif zon_ves_2<BR /> security-level 90<BR /> ip address 10.165.28.1 255.255.255.0 standby 10.165.28.2</P> <P>&nbsp;</P> <P>access-group zon_ves_in in interface zon_ves</P> <P>access-group zon_ves_in in interface zon_ves_2</P> <P>&nbsp;</P> <P>FW# sh access-list zon_ves_in | i icmp<BR />access-list zon_ves_in line 1 extended permit icmp any any (hitcnt=13248083)</P> <P>&nbsp;</P> <P>FW# packet-tracer input zon_ves icmp 10.165.16.10 1 1 10.165.28.10</P> <P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P> <P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 10.165.28.10 using egress ifc zon_ves_2</P> <P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: <BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR /> <BR />Result:<BR />input-interface: zon_ves<BR />input-status: up<BR />input-line-status: up<BR />output-interface: zon_ves_2<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Fri, 21 Feb 2020 16:49:57 GMT https://community.cisco.com/t5/network-security/hosts-between-two-sub-interfaces-that-is-using-one-physical/m-p/3804657#M6918 drlbaluyut 2020-02-21T16:49:57Z Re: Hosts between two sub-interfaces that is using one physical interface of Cisco ASA cannot ping each other. https://community.cisco.com/t5/network-security/hosts-between-two-sub-interfaces-that-is-using-one-physical/m-p/3804679#M6922 <P>Hi there,</P> <P>Try adding the following commands:</P> <PRE>! same-security-traffic permit inter-interface same-security-traffic permit intra-interface !</PRE> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html</A></P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> <P>&nbsp;</P> Tue, 19 Feb 2019 08:13:58 GMT https://community.cisco.com/t5/network-security/hosts-between-two-sub-interfaces-that-is-using-one-physical/m-p/3804679#M6922 Seb Rupik 2019-02-19T08:13:58Z