https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383288#M749515 <HTML><HEAD></HEAD><BODY><P>Since you have ACLs both in and out, you will have to go through and verify that it's allowed through both.</P></BODY></HTML> Mon, 15 Feb 2010 14:14:46 GMT Collin Clark 2010-02-15T14:14:46Z https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383282#M749448 <P>I have an ASA, with the same security level in all inter<SPAN style="background-color: #f8fafd;">faces. I define an ACL in the interface <EM>A</EM>. When I origin a new connection from interface<EM> B</EM> to web server (in side of interface <EM>A</EM>) <EM>, </EM>If I try to deny this access in the ACL apply at the interface A, the ACL is not working well I don´t see any matchs but if I configure a capture I see the flow correctly.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Do you have any idea or what could be happens?</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">If you want more details, please let me know.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Thanks for your help.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Emilio&nbsp; Borbolla</SPAN></P> Mon, 11 Mar 2019 17:08:41 GMT https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383282#M749448 emilio.borbolla 2019-03-11T17:08:41Z https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383283#M749464 <HTML><HEAD></HEAD><BODY><P><SPAN style="background-color: #f8fafd;">Sorry, I forget to comment that, I am using&nbsp; "same-security-traffic permit inter-interface" command.</SPAN></P></BODY></HTML> Fri, 12 Feb 2010 19:23:55 GMT https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383283#M749464 emilio.borbolla 2010-02-12T19:23:55Z https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383284#M749475 <HTML><HEAD></HEAD><BODY><P>Can you post the relevant part of the ACL and the access-group configuration lines?</P></BODY></HTML> Fri, 12 Feb 2010 20:22:15 GMT https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383284#M749475 Collin Clark 2010-02-12T20:22:15Z https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383285#M749488 <HTML><HEAD></HEAD><BODY><P>The coneccion begins from IP 200.4.145.97 in R5 interface to IP 200.33.150.202, at the begin I undertand the syc pass, but the aswer should be dropp</P><P></P><P></P><P>interface Ethernet0<BR /> speed 100<BR /> duplex full<BR /> nameif R5<BR /> security-level 100<BR /> ip address 204.124.107.254 255.255.255.252<BR />!<BR />interface Ethernet1<BR /> speed 100<BR /> duplex full<BR /> nameif Reduno<BR /> security-level 100<BR /> ip address 10.105.191.81 255.255.255.248<BR />!<BR />access-list 110 line 1 extended permit ip 204.124.106.128 255.255.255.128 host 201.147.131.21<BR />access-list 110 line 2 extended permit ip 204.124.106.128 255.255.255.128 204.124.107.0 255.255.255.0 <BR />access-list 110 line 3 extended permit ip 204.124.106.128 255.255.255.128 204.124.104.240 255.255.255.248 <BR />access-list 110 line 4 extended permit ip 204.124.106.128 255.255.255.128 200.4.145.0 255.255.255.0 <BR />access-list 110 line 5 extended permit tcp host 200.4.155.230 204.124.104.240 255.255.255.248 <BR />access-list 110 line 6 extended permit tcp host 200.4.155.230 200.4.145.0 255.255.255.128 <BR />access-list 110 line 7 extended permit tcp host 200.33.150.202 204.124.104.240 255.255.255.248 <BR />access-list 110 line 8 extended deny tcp host 200.33.150.202 200.4.145.0 255.255.255.128 <BR />!<BR />access-group 110 in interface Reduno<BR />!<BR />access-list ebg line 1 extended permit ip host 200.33.150.202 200.4.145.0 255.255.255.128<BR />!<BR />!<BR />same-security-traffic permit inter-interface<BR />!<BR />!<BR />!<BR />FWPIX525-NOC# sh capture<BR />!<BR />!<BR />FWPIX525-NOC# sh capture captura<BR />643 packets captured<BR />&nbsp;&nbsp; 1: 16:38:21.925611 200.33.150.202.80 &gt; 200.4.145.97.1063: S 3203090713:3203090713(0) ack 2654701753 win 16384 <MSS 1380=""><BR />&nbsp;&nbsp; 2: 16:38:21.954052 200.33.150.202.80 &gt; 200.4.145.97.1063: P 3203090714:3203091080(366) ack 2654702155 win 65133<BR />&nbsp;&nbsp; 3: 16:38:21.990488 200.33.150.202.80 &gt; 200.4.145.97.1063: P 3203091080:3203091546(466) ack 2654702565 win 64723<BR />&nbsp;&nbsp; 4: 16:38:22.017821 200.33.150.202.80 &gt; 200.4.145.97.1063: . 3203091546:3203092806(1260) ack 2654702976 win 64312<BR />.....<BR />....<BR />....</MSS></P></BODY></HTML> Fri, 12 Feb 2010 20:38:31 GMT https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383285#M749488 emilio.borbolla 2010-02-12T20:38:31Z https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383286#M749501 <HTML><HEAD></HEAD><BODY><P>Can you please post the ACL assigned to R5? The access-group config line would help too.</P></BODY></HTML> Fri, 12 Feb 2010 20:43:34 GMT https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383286#M749501 Collin Clark 2010-02-12T20:43:34Z https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383287#M749508 <HTML><HEAD></HEAD><BODY><P>Thanks Clark,</P><P></P><P>I don´t remmember about the out ACL that I have in the Reduno interface, maybe my ACL should apply there...</P><P></P><P>access-group master in interface R5<BR />access-group 110 in interface Reduno<BR />access-group 105 out interface Reduno</P><P>!</P><P>access-list master extended permit ip any any</P><P>!</P><P>FWPIX525-NOC# sh run access-list 105<BR />access-list 105 extended permit ip 204.124.104.240 255.255.255.240 any<BR />access-list 105 extended permit ip 200.4.145.0 255.255.255.128 any<BR />access-list 105 extended permit ip 204.124.107.224 255.255.255.240 any<BR />access-list 105 extended permit ip host 201.147.131.21 any<BR />access-list 105 extended permit tcp host 204.124.107.131 204.124.106.0 255.255.255.0 eq ftp<BR />access-list 105 extended permit tcp host 204.124.107.131 204.124.106.0 255.255.255.0 eq ftp-data<BR />access-list 105 extended permit tcp host 204.124.107.131 200.4.155.0 255.255.255.0 eq ftp<BR />access-list 105 extended permit tcp host 204.124.107.131 200.4.155.0 255.255.255.0 eq ftp-data<BR />access-list 105 extended permit tcp host 204.124.107.131 200.4.157.0 255.255.255.0 eq ftp<BR />access-list 105 extended permit tcp host 204.124.107.131 200.4.157.0 255.255.255.0 eq ftp-data<BR />access-list 105 extended permit tcp host 204.124.107.131 200.33.137.0 255.255.255.0 eq ftp<BR />access-list 105 extended permit tcp host 204.124.107.131 200.33.137.0 255.255.255.0 eq ftp-data<BR />access-list 105 extended permit tcp host 204.124.107.131 200.33.150.0 255.255.255.0 eq ftp<BR />access-list 105 extended permit tcp host 204.124.107.131 200.33.150.0 255.255.255.0 eq ftp-data<BR />access-list 105 extended permit tcp host 204.124.107.133 host 192.100.183.178 eq ftp<BR />access-list 105 extended permit tcp host 204.124.107.133 host 192.100.183.178 eq ftp-data<BR />access-list 105 extended permit tcp host 204.124.107.133 host 192.100.183.178 eq telnet<BR />access-list 105 extended permit tcp host 204.124.107.133 host 192.100.183.178 gt 1024<BR />access-list 105 extended permit tcp host 204.124.107.133 host 192.100.183.178 eq smtp<BR />access-list 105 extended permit udp host 204.124.107.133 any eq domain<BR />access-list 105 extended permit udp host 204.124.107.133 any gt 1024<BR />access-list 105 extended permit tcp host 204.124.107.133 any gt 1024<BR />access-list 105 extended permit udp host 204.124.107.131 any eq domain<BR />access-list 105 extended permit udp host 204.124.107.131 any gt 1024<BR />access-list 105 extended permit tcp host 204.124.107.151 host 192.100.183.104 eq www<BR />access-list 105 extended permit tcp host 204.124.107.151 host 192.100.183.104 gt 1024<BR />access-list 105 extended permit tcp host 204.124.107.133 host 192.100.183.104 eq www<BR />access-list 105 extended permit tcp host 204.124.107.133 host 192.100.183.104 gt 1024<BR />access-list 105 extended permit tcp host 204.124.107.146 host 192.100.183.104 eq www<BR />access-list 105 extended permit tcp host 204.124.107.146 host 192.100.183.104 gt 1024<BR />access-list 105 extended permit tcp host 204.124.107.158 any eq smtp<BR />access-list 105 extended permit ip host 204.124.107.134 any<BR />access-list 105 extended permit ip host 204.124.107.35 any<BR />access-list 105 extended permit ip host 192.100.183.254 host 192.100.183.253<BR />access-list 105 extended permit ip 204.124.107.208 255.255.255.240 host 192.100.183.183<BR />access-list 105 extended permit ip 204.124.107.88 255.255.255.248 host 192.100.183.183<BR />access-list 105 extended permit ip 152.148.1.0 255.255.255.0 host 192.100.183.183<BR />access-list 105 extended permit ip host 204.124.107.139 host 192.100.183.183</P><P>access-list 105 extended permit ip host 204.124.107.141 host 192.100.183.183<BR />access-list 105 extended permit ip host 204.124.107.70 host 192.100.183.183<BR />access-list 105 extended permit ip host 204.124.107.148 host 192.100.183.183<BR />access-list 105 extended permit ip 172.28.1.0 255.255.255.0 host 192.100.183.183</P><P>access-list 105 extended permit ip 204.124.107.208 255.255.255.240 host 192.100.183.161<BR />access-list 105 extended permit ip 204.124.107.88 255.255.255.248 host 192.100.183.161<BR />access-list 105 extended permit ip 152.148.1.0 255.255.255.0 host 192.100.183.161<BR />access-list 105 extended permit ip host 204.124.107.139 host 192.100.183.161</P><P>access-list 105 extended permit ip host 204.124.107.141 host 192.100.183.161<BR />access-list 105 extended permit ip host 204.124.107.70 host 192.100.183.161<BR />access-list 105 extended permit ip host 204.124.107.148 host 192.100.183.161<BR />access-list 105 extended permit ip 172.28.1.0 255.255.255.0 host 192.100.183.161</P><P>access-list 105 extended permit tcp host 204.124.107.2 host 192.100.183.98<BR />access-list 105 extended permit tcp host 204.124.107.3 host 192.100.183.98<BR />access-list 105 extended permit tcp host 204.124.107.116 host 192.100.183.178 eq smtp<BR />access-list 105 extended deny ip 189.254.64.0 255.255.255.0 any<BR />access-list 105 extended deny ip any 192.100.183.176 255.255.255.240<BR />access-list 105 extended deny ip any 192.100.183.96 255.255.255.240<BR />access-list 105 extended deny ip any 192.100.183.32 255.255.255.240<BR />access-list 105 extended deny ip any host 200.4.157.56<BR />access-list 105 extended permit ip 152.148.1.0 255.255.255.0 172.30.38.0 255.255.255.0<BR />access-list 105 extended permit ip 152.148.1.0 255.255.255.0 10.254.3.0 255.255.255.0<BR />access-list 105 extended permit ip 152.148.1.0 255.255.255.0 host 212.179.43.225</P><P>access-list 105 extended permit ip 152.148.1.0 255.255.255.0 host 212.179.43.228</P><P>access-list 105 extended permit ip 204.124.107.0 255.255.255.0 any<BR />access-list 105 extended permit ip 172.28.1.0 255.255.255.0 any<BR />access-list 105 extended permit ip 172.16.1.0 255.255.255.0 any<BR />access-list 105 extended permit ip host 10.105.191.81 host 10.105.191.86<BR />FWPIX525-NOC#</P></BODY></HTML> Fri, 12 Feb 2010 22:31:10 GMT https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383287#M749508 emilio.borbolla 2010-02-12T22:31:10Z https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383288#M749515 <HTML><HEAD></HEAD><BODY><P>Since you have ACLs both in and out, you will have to go through and verify that it's allowed through both.</P></BODY></HTML> Mon, 15 Feb 2010 14:14:46 GMT https://community.cisco.com/t5/network-security/the-acl-doesn-t-work-with-the-same-security-level/m-p/1383288#M749515 Collin Clark 2010-02-15T14:14:46Z