https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002664#M918866 <HTML><HEAD></HEAD><BODY><P>Here is what I think <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P> If you have an exempt NAT statement applied to interface inside and contains source as inside and destination as dmz, this effects traffic originated from both inside and dmz. I mean once you apply correct exempt NAT to inside that will take care of bot inside-&gt;dmz and dmz-&gt;inside. You dont need one applied to dmz. </P><P> Then how did it resolve the issue? Here are my theories.</P><P> 1) Brian was testing the connectivity with ping which is not a good way when it is a firewall device that sees ICMP a possible dos attack and denies by default. And brian's outside_access_in ACL which permits ICMP was not applied to outside interface with access-group command. ICMP inspection did the trick. But this theory can not explain the translation error logs</P><P> 2) Brian was hitting CSCsd90140 or another one which prevented inside exempt nat to operate correctly. An exempt nat applied to dmz interface, which is actually not necessary under normal circumstances, did operate normally and did what inside exempt nat couldnt.</P><P></P><P>Any thoughts?</P><P>But glad that issue is resolved.</P></BODY></HTML> Fri, 06 Jun 2008 14:10:03 GMT Alan Huseyin Kayahan 2008-06-06T14:10:03Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002636#M918838 <P>Guys, need help to allow traffic between two interfaces that have the same security level. I have already enabled the "same-security-traffic permit inter-interface" command but still i cant ping my switch or server on the other vlan...</P><P></P><P>what else do i need to do to accomplish this task? ACL are on defaults as of now...</P> Mon, 11 Mar 2019 12:55:51 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002636#M918838 brianbono 2019-03-11T12:55:51Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002637#M918839 <HTML><HEAD></HEAD><BODY><P>Which version are you running, is nat-control off or on?</P><P></P><P>show run nat-control</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 05 Jun 2008 18:12:06 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002637#M918839 Farrukh Haroon 2008-06-05T18:12:06Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002638#M918840 <HTML><HEAD></HEAD><BODY><P>nat-control is not enabled and I am running 7.0 (7)</P><P></P><P>what could be missing?</P></BODY></HTML> Thu, 05 Jun 2008 18:18:22 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002638#M918840 brianbono 2008-06-05T18:18:22Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002639#M918841 <HTML><HEAD></HEAD><BODY><P>Do you have any nat statements (dynamic or static) between those two interfaces?</P></BODY></HTML> Thu, 05 Jun 2008 18:25:44 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002639#M918841 srue 2008-06-05T18:25:44Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002640#M918842 <HTML><HEAD></HEAD><BODY><P>Just run the packet-tracer command, it should tell you whats going wrong. If possible post the output here.</P><P></P><P>assuming you are going from inside1 to inside2</P><P></P><P>inside1 = 136.1.1.0 /25</P><P>inside2 = 136.1.2.0 /25</P><P></P><P>packet-tracer input inside1 tcp 136.1.1.3</P><P>11005 136.1.2.100 80 detailed</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 05 Jun 2008 18:28:30 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002640#M918842 Farrukh Haroon 2008-06-05T18:28:30Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002641#M918843 <HTML><HEAD></HEAD><BODY><P>part of my config below:</P><P></P><P>interface Ethernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address 123.123.123.2 255.255.255.24</P><P>!</P><P>interface Ethernet0/1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 172.19.20.40 255.255.255.0</P><P>!</P><P>interface Ethernet0/2</P><P> nameif insidevoice</P><P> security-level 100</P><P> ip address 172.19.21.40 255.255.255.0</P><P></P><P>same-security-traffic permit inter-interface</P><P>access-list outside_access_in extended permit icmp any any</P><P>access-list outside_access_in_V1 extended permit icmp any 172.19.21.0 255.255.255.0</P><P></P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list nonat</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>nat (insidevoice) 1 0.0.0.0 0.0.0.0</P><P>access-group outside_access_in_V1 in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 123.123.123.1 1</P><P></P><P>also, im confused because I cant seem to connect to the internet if I am on the insidevoice network. </P><P></P><P>Please help.</P></BODY></HTML> Thu, 05 Jun 2008 18:39:22 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002641#M918843 brianbono 2008-06-05T18:39:22Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002642#M918844 <HTML><HEAD></HEAD><BODY><P>Can you also post the 'nonat' access-list?</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 05 Jun 2008 18:48:15 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002642#M918844 Farrukh Haroon 2008-06-05T18:48:15Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002643#M918845 <HTML><HEAD></HEAD><BODY><P>access-list nonat extended permit ip 172.19.20.0 255.255.255.0 192.168.100.0 255.255.255.0</P><P>access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.25.0.0 255.255.0.0</P><P>access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.22.0.0 255.255.0.0</P><P>access-list nonat extended permit ip 172.19.20.0 255.255.255.0 192.0.0.0 255.255.255.0</P><P>access-list tozzz extended permit ip 172.19.20.0 255.255.255.0 172.25.0.0 255.255.0.0</P><P>access-list toxxx extended permit ip 172.19.20.0 255.255.255.0 172.22.0.0 255.255.0.0</P><P>access-list toccc extended permit ip 172.19.20.0 255.255.255.0 192.0.0.0 255.255.255.0</P><P>access-list qw extended permit ip 172.19.20.0 255.255.255.0 172.19.200.0 255.255.255.0</P><P>access-list qw extended permit ip 172.19.200.0 255.255.255.0 172.19.20.0 255.255.255.0</P><P>access-list outside_access_in_V1 extended permit icmp any 172.19.21.0 255.255.255.0</P><P></P></BODY></HTML> Thu, 05 Jun 2008 18:53:31 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002643#M918845 brianbono 2008-06-05T18:53:31Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002644#M918846 <HTML><HEAD></HEAD><BODY><P>Ok first of all, for 'inside' to communicate with 'insidevoice', you need to add the following line in your nonat ACL</P><P></P><P>access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.19.21.0 255.255.0.0 </P><P></P><P>Or if you want to NAT/PAT this traffic, something like</P><P></P><P>global (insidevoice) 1 interface</P><P></P><P>Once you enable any sort of dynamic NAT / PAT, 'no nat-control' rule no longer applies for that zone, now all traffic between this zone and any other zone either requires NAT rules or NAT exemption.</P><P></P><P>As to why insidevoice cannot access Internet, please run the packet-tracer command I gave you before, it seems OK to me....</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 05 Jun 2008 19:18:17 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002644#M918846 Farrukh Haroon 2008-06-05T19:18:17Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002645#M918847 <HTML><HEAD></HEAD><BODY><P>tried to add the suggested:</P><P>access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.19.21.0 255.255.255.0 </P><P></P><P>but still I cant communicate with the other VLAN.</P><P></P><P>Appreciate all your help... any other suggestions?</P></BODY></HTML> Thu, 05 Jun 2008 19:29:20 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002645#M918847 brianbono 2008-06-05T19:29:20Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002646#M918848 <HTML><HEAD></HEAD><BODY><P>yes. packet-tracer with the 'detailed' keyword:)</P><P></P><P>Also make sure you do a 'clear local-host' and 'clear xlate' after making any NAT changes.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 05 Jun 2008 19:30:50 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002646#M918848 Farrukh Haroon 2008-06-05T19:30:50Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002647#M918849 <HTML><HEAD></HEAD><BODY><P>anybody else has a suggestion?</P></BODY></HTML> Fri, 06 Jun 2008 08:08:58 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002647#M918849 brianbono 2008-06-06T08:08:58Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002648#M918850 <HTML><HEAD></HEAD><BODY><P>I just ran some debugs and this was one of the things that caught my eye:</P><P></P><P>No translation group found for icmp src inside:172.19.20.19 dst insidevoice:172.19.21.21 (type 8, code 0)</P><P></P><P>what do i need to add on NAT to make sure 172.19.20.x can communicate to 172.19.21.x considering both have the same security level and that the "same-security-traffic permit inter-interface" is already enabled yet I can't communicate...</P><P></P><P>please advise..</P></BODY></HTML> Fri, 06 Jun 2008 08:41:53 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002648#M918850 brianbono 2008-06-06T08:41:53Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002649#M918851 <HTML><HEAD></HEAD><BODY><P>As I mentioned before, you can use:</P><P></P><P>Ok first of all, for 'inside' to communicate with 'insidevoice', you need to add the following line in your nonat ACL</P><P></P><P>(NAT Exemption):</P><P>access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.19.21.0 255.255.255.0 (I gave wrong mask earlier)</P><P></P><P>Or if you want to NAT/PAT this traffic, something like</P><P></P><P>(Dynamic NAT):</P><P>global (insidevoice) 1 interface </P><P></P><P>You can also use: </P><P></P><P>(Identity Static)</P><P>static (inside,insidevoice) 172.19.20.0 172.19.20.0 netmask 255.255.255.0</P><P></P><P>Try any three, if one does not work for some reason (which is strange, try the other).</P><P></P><P>BTW, why don't you post packet-tracer output? You have something personal against the command? This is *THIRD TIME* I'm requesting you to do it......</P><P></P><P>packter-tracer input inside icmp 172.19.20.19 8 0 172.19.21.21 detailed</P><P></P><P>See even Cisco is using it, it won't hurt <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml</A></P><P></P><P>Regards</P><P></P><P>Farrukh</P><P></P><P></P><P></P></BODY></HTML> Fri, 06 Jun 2008 09:53:14 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002649#M918851 Farrukh Haroon 2008-06-06T09:53:14Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002650#M918852 <HTML><HEAD></HEAD><BODY><P>Once you enable dynamic nat on one of those interfaces, it's as if the same-security traffic command wasn't even entered because of the nat. In your case, the ASA is behaving as expected.</P><P>By default, you do not need to do NAT between same-security level interfaces, even if nat-control is enabled.</P><P>however, you do need to configure nat rules if you define dynamic NAT for either of the same-security level interfaces.</P></BODY></HTML> Fri, 06 Jun 2008 11:50:05 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002650#M918852 srue 2008-06-06T11:50:05Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002651#M918853 <HTML><HEAD></HEAD><BODY><P>I have tried your three suggested solutions but to no avail. I have also tried the packet-tracer but had this error:</P><P></P><P>ASA# packet-tracer input inside icmp 172.19.20.19 8 0 172.19.21.21 detailed</P><P></P><P>packet-tracer input inside icmp 172.19.20.19 8 0 172.19.21.21 detailed</P><P> ^</P><P>ERROR: % Invalid input detected at '^' marker.</P><P></P><P>I got this log for the ASA below:</P><P></P><P>3|Jun 06 2008 02:34:40|305005: No translation group found for icmp src inside:172.19.20.19 dst insidevoice:172.19.21.21 (type 8, code 0)</P><P></P><P>Please help...</P><P></P><P>appreciate all your help Farrukh <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Fri, 06 Jun 2008 11:52:46 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002651#M918853 brianbono 2008-06-06T11:52:46Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002652#M918854 <HTML><HEAD></HEAD><BODY><P>Hi Brian</P><P> Run "clear xlate" after applying NAT statements.</P><P> Please post your full sanitized config and let us see.</P><P></P><P>Regards</P></BODY></HTML> Fri, 06 Jun 2008 12:15:13 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002652#M918854 Alan Huseyin Kayahan 2008-06-06T12:15:13Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002653#M918855 <HTML><HEAD></HEAD><BODY><P>Hrm, are you running ASA 7.2.x or higher? packet-tracer is only supported on 7.2(1) and later?</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 06 Jun 2008 12:17:15 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002653#M918855 Farrukh Haroon 2008-06-06T12:17:15Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002654#M918856 <HTML><HEAD></HEAD><BODY><P>the OP is running 7.0(7).</P><P>he needs to post a sanitized config at this point so we can see everythign that's going on.</P></BODY></HTML> Fri, 06 Jun 2008 12:53:31 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002654#M918856 srue 2008-06-06T12:53:31Z https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002655#M918857 <HTML><HEAD></HEAD><BODY><P>ASA# sh run</P><P>: Saved</P><P>:</P><P>ASA Version 7.0(7)</P><P>!</P><P>hostname ASA</P><P>domain-name abc.com</P><P>names</P><P>dns-guard</P><P>!</P><P>interface Ethernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address 123.123.123.2 255.255.255.240</P><P>!</P><P>interface Ethernet0/1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 172.19.20.40 255.255.255.0</P><P>!</P><P>interface Ethernet0/2</P><P> nameif insidevoice</P><P> security-level 100</P><P> ip address 172.19.21.40 255.255.255.0</P><P>!</P><P>interface Management0/0</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P> management-only</P><P>!</P><P>ftp mode passive</P><P>same-security-traffic permit inter-interface</P><P>access-list outside_access_in extended permit icmp any any</P><P>access-list nonat extended permit ip 172.19.20.0 255.255.255.0 192.168.100.0 255.255.255.0</P><P>access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.25.0.0 255.255.0.0</P><P>access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.22.0.0 255.255.0.0</P><P>access-list nonat extended permit ip 172.19.20.0 255.255.255.0 192.0.0.0 255.255.255.0</P><P>access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.19.21.0 255.255.255.0</P><P>access-list to1 extended permit ip 172.19.20.0 255.255.255.0 172.25.0.0 255.255.0.0</P><P>access-list to2 extended permit ip 172.19.20.0 255.255.255.0 172.22.0.0 255.255.0.0</P><P>access-list to3 extended permit ip 172.19.20.0 255.255.255.0 192.0.0.0 255.255.255.0</P><P>access-list to4 extended permit ip 172.19.20.0 255.255.255.0 172.19.200.0 255.255.255.0</P><P>access-list to5 extended permit ip 172.19.200.0 255.255.255.0 172.19.20.0 255.255.255.0</P><P>pager lines 24</P><P>logging asdm informational</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu insidevoice 1500</P><P>ip local pool vpnip 172.19.200.10-172.19.200.250</P><P>asdm image disk0:/asdm-507.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list nonat</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>nat (insidevoice) 1 0.0.0.0 0.0.0.0</P><P>route outside 0.0.0.0 0.0.0.0 123.123.123.1 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00</P><P>timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server VPNAuth protocol radius</P><P>aaa-server VPNAuth host 172.19.20.250</P><P> key xxxxx</P><P>group-policy ABC internal</P><P>group-policy ABC attributes</P><P> dns-server value 172.19.20.250</P><P> vpn-idle-timeout 30</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value ST</P><P> default-domain value ABC.local</P><P> webvpn</P><P>http server enable</P><P>http 0.0.0.0 0.0.0.0 outside</P><P>http 172.19.20.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>telnet 172.19.20.0 255.255.255.0 inside</P><P>telnet timeout 60</P><P>ssh 0.0.0.0 0.0.0.0 outside</P><P>ssh timeout 60</P><P>console timeout 0</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns maximum-length 512</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect skinny</P><P> inspect sunrpc</P><P> inspect xdmcp</P><P> inspect sip</P><P> inspect netbios</P><P> inspect tftp</P><P> inspect tftp</P><P>!</P><P>service-policy global_policy global</P><P>: end</P><P>ASA#</P></BODY></HTML> Fri, 06 Jun 2008 12:54:52 GMT https://community.cisco.com/t5/network-security/same-security-traffic-permit-inter-interface-not-working/m-p/1002655#M918857 brianbono 2008-06-06T12:54:52Z