https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392596#M703779 <HTML><HEAD></HEAD><BODY><P>It's not possible to use ACL's if you remove the same-security command. Traffic will be dropped before ACL checks and you'll get a drop in your log.</P><P></P><P>To make this work you'll need the command or change your security levels. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Thu, 08 Apr 2010 21:14:32 GMT Kent Heide 2010-04-08T21:14:32Z https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392592#M703775 <P>Hello,</P><P></P><P>I have two insternal interfaces that I have the security level set to 100 and didn't need to route between them until now.</P><P>At this time I need to route to a single host for MySQL port 3306 and I can not get it to work.</P><P>Can any one please help.</P><P></P><P>Gary.</P> Mon, 11 Mar 2019 17:30:12 GMT https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392592#M703775 pronet_cisco 2019-03-11T17:30:12Z https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392593#M703776 <HTML><HEAD></HEAD><BODY><P>You need static NAT between the 2 interfaces and also "same-security-traffic permit inter-interface" command.</P><P></P><P>For example:</P><P>Internal interface 1 is named "inside": 192.168.1.0/24</P><P>Internal interface 2 is named "inside-2": 192.168.5.0/24</P><P></P><P>static (inside,inside-2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0</P><P>same-security-traffic permit inter-interface</P><P></P><P>The static translation is bidirectional, so you don't need to configure the reverse static statement.</P><P></P><P>Hope that helps.</P></BODY></HTML> Thu, 08 Apr 2010 09:04:43 GMT https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392593#M703776 Jennifer Halim 2010-04-08T09:04:43Z https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392594#M703777 <HTML><HEAD></HEAD><BODY><P>I already have "same-security-traffic permit inter-interface"running.</P><P>All inside interfaces are communicating without any static NAT.</P><P>I want to remove "same-security-traffic permit inter-interface" so they don't communicate and then allow one IP from inside interface 3 to connect to 2 hosts on inside interface 1.</P><P>Is this possible to do?</P><P></P><P>Gary</P></BODY></HTML> Thu, 08 Apr 2010 20:13:10 GMT https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392594#M703777 pronet_cisco 2010-04-08T20:13:10Z https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392595#M703778 <HTML><HEAD></HEAD><BODY><P>If in1 and int3 are of same security level you will need the "same security" command, you can't avoid it.</P><P>If not then you can use ACLs and/or translations to go from int1 to int 3 and vice versa.</P><P></P><P>I hope it helps.</P><P></P><P>PK</P></BODY></HTML> Thu, 08 Apr 2010 21:06:46 GMT https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392595#M703778 Panos Kampanakis 2010-04-08T21:06:46Z https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392596#M703779 <HTML><HEAD></HEAD><BODY><P>It's not possible to use ACL's if you remove the same-security command. Traffic will be dropped before ACL checks and you'll get a drop in your log.</P><P></P><P>To make this work you'll need the command or change your security levels. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Thu, 08 Apr 2010 21:14:32 GMT https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392596#M703779 Kent Heide 2010-04-08T21:14:32Z https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392597#M703780 <HTML><HEAD></HEAD><BODY><P>So how can i leave the same security command in but then stop traffic between the two interfaces and only allow</P><P>port 3306 on 2 hosts for interface 1 from one host coming in from&nbsp; interface 3.</P><P>Because at this time with same security command everything is routing to each other just fine. I don't want that.</P><P></P><P>Hope this is clear enough.</P><P></P><P>Thanks,</P><P>Gary</P></BODY></HTML> Thu, 08 Apr 2010 21:51:05 GMT https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392597#M703780 pronet_cisco 2010-04-08T21:51:05Z https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392598#M703781 <HTML><HEAD></HEAD><BODY><P>You an sue ACLs to allow only the traffic that you want.</P><P>"same seurity inter" should not be used to deny traffic.</P><P>ACLs are for that purpose.</P><P></P><P>I hope it helps.</P><P></P><P>PK</P></BODY></HTML> Fri, 09 Apr 2010 00:21:57 GMT https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392598#M703781 Panos Kampanakis 2010-04-09T00:21:57Z https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392599#M703782 <HTML><HEAD></HEAD><BODY><P> Pls. review both these links:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1061479">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1061479</A></P><P></P><P>and</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wpxref77088">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wpxref77088</A></P><P></P><P><SPAN class="content">NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired. However, if you configure dynamic NAT when NAT control is enabled, then NAT is required. See <A href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html#wpxref11234" onclick=""><SPAN class="cXRef_Color" style="font-weight: normal;">Chapter 27, "Configuring NAT Control,"</SPAN></A> for more information. Also, when you specify a group of IP addresses for dynamic NAT or PAT on a same security interface, then you must perform NAT on that group of addresses when they access any lower or same security level interface (even when NAT control is not enabled). Traffic identified for static NAT is not affected. </SPAN></P><P></P><P><SPAN class="content">•<IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="19" />You want traffic to flow freely between all same security interfaces without access lists. </SPAN></P><P></P><P>With that said, same security traffic will flow freely wtihout any nat or access-list.&nbsp; If you want to restric this, then you need to change one interface's security level to something else and provide translation just for that one host appropriately. Once done, you can remove the same security command if you do not have any more same security interfaces.</P><P></P><P>-KS</P></BODY></HTML> Fri, 09 Apr 2010 00:22:36 GMT https://community.cisco.com/t5/network-security/asa-5520-routing-between-interfaces/m-p/1392599#M703782 Kureli Sankar 2010-04-09T00:22:36Z