Cisco ASA 5520 traffic between different zones

geoffwynn
Level 1

Hello, I am having trouble configuring a firewall at work. It is a Cisco ASA 5520 running 8.2. I cannot paste the config as it's in a secure environment. So, basically the config is:

interface gig 0/0
 nameif prod
 ip add 192.168.1.1 255.255.255.240
 security-level 85
!
interface gig 1/1
 nameif prod1
 ip add 192.168.1.17 255.255.255.240
 security-level 85
!
interface gig 1/2
 nameif exercise
 ip add 192.168.1.33 255.255.255.240
 security-level 75
!
interface gig 1/3
 nameif exercise1
 ip add 192.168.1.49 255.255.255.240
 security-level 75
!
access-list acl_out extended permit ip any any log 5
access-list acl_in extended permit ip any any log 5
!
access-group acl_out out interface prod
access-group acl_out in interface prod
!
access-group acl_out out interface prod1
access-group acl_out in interface prod1
!
access-group acl_out out interface exercise
access-group acl_out in interface exercise
!
access-group acl_out out interface exercise1
access-group acl_out in interface exercise1

That's pretty much it. The routes are all connected, so I don't actually have routing statements.

I notice I cannot connect from a host on the outside of the interface to another host etc. It just will not work.

IF I add the command

same-security-traffic permit inter-interface

then it works. It even works IF I take out the access lists. This confuses me. I essentially want prod to talk to prod1 and vice versa, and exercise to talk to exercise1 etc., and also out to an external connection, which I will set up a route for.

If I use this command "same-security-traffic intra-interface" do I also use ACLs? How do I do it without this command? Change the security levels to be all different? This command seems to override the need for ACLs. So do I use this command and THEN apply ACLs to permit/deny as appropriate?


Can anyone please assist me with this as it has been driving me nuts!

Thanks,

Geoff

Accepted Solution

Aditya Ganjoo
Cisco Employee

Hi Geoff,

You would require this statement as the security levels of prod and prod1 are same.

same-security-traffic permit inter-interface

Same goes for exercise and exercise1 since all these interfaces have the same security level.

By default, no ACL is required to permit communication between 2 interfaces of same security level (provided you have same-security-traffic permit inter-interface command) but if you do have an ACL on the interface, then it will be checked.

Regards,

Aditya

Please rate helpful posts and mark correct answers.
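For reference, here is the accepted answer's advice turned into a full 8.2-style configuration. This is an added example, not Geoff's real config or Cisco's own text; the interface numbers, names and addresses are the ones in the post, the ACL and object-group names (prod_in, PROD_NETS, and so on) are this example's assumptions, and the external connection Geoff mentions is left out because its interface and route are not in the thread. It keeps the same-security command and replaces the "permit ip any any" ACLs, which made the bound ACLs meaningless, with ACLs scoped to the intended peer interface:

```cisco
! Interfaces exactly as described in the post (security-level, not "security level").
interface GigabitEthernet0/0
 nameif prod
 security-level 85
 ip address 192.168.1.1 255.255.255.240
!
interface GigabitEthernet1/1
 nameif prod1
 security-level 85
 ip address 192.168.1.17 255.255.255.240
!
interface GigabitEthernet1/2
 nameif exercise
 security-level 75
 ip address 192.168.1.33 255.255.255.240
!
interface GigabitEthernet1/3
 nameif exercise1
 security-level 75
 ip address 192.168.1.49 255.255.255.240
!
! Without this line prod<->prod1 and exercise<->exercise1 are dropped even when
! every ACL says "permit ip any any", because the pairs share a security level.
same-security-traffic permit inter-interface
!
! Once an inbound ACL is bound to an interface it replaces the implicit
! behaviour: anything not listed hits the implicit deny. So scope the permits
! to the intended peer instead of "permit ip any any". (Assumed names.)
object-group network PROD_NETS
 network-object 192.168.1.0 255.255.255.240
 network-object 192.168.1.16 255.255.255.240
object-group network EXERCISE_NETS
 network-object 192.168.1.32 255.255.255.240
 network-object 192.168.1.48 255.255.255.240
!
access-list prod_in extended permit ip 192.168.1.0 255.255.255.240 object-group PROD_NETS log 5
access-list prod_in extended deny ip any any log 5
access-list prod1_in extended permit ip 192.168.1.16 255.255.255.240 object-group PROD_NETS log 5
access-list prod1_in extended deny ip any any log 5
access-list exercise_in extended permit ip 192.168.1.32 255.255.255.240 object-group EXERCISE_NETS log 5
access-list exercise_in extended deny ip any any log 5
access-list exercise1_in extended permit ip 192.168.1.48 255.255.255.240 object-group EXERCISE_NETS log 5
access-list exercise1_in extended deny ip any any log 5
!
! access-group is a global command, one ACL per interface and direction; it is
! not entered under "interface". Inbound on each ingress interface is enough here.
access-group prod_in in interface prod
access-group prod1_in in interface prod1
access-group exercise_in in interface exercise
access-group exercise1_in in interface exercise1
```

The explicit "deny ip any any log 5" at the end of each ACL changes nothing about what is allowed (the implicit deny is already there) but makes the drops visible in syslog, which is what you want while testing. When the external link is added, put its subnet into the object-groups and bind an inbound ACL on that interface too; a lower-security interface gets no implicit permit towards prod or exercise. To check a single flow without generating traffic, use packet-tracer, e.g. "packet-tracer input prod tcp 192.168.1.2 1025 192.168.1.18 22", which shows whether the same-security check or an ACL is the phase that drops the packet.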


3 Replies



Thanks Aditya. So, let's say I changed the interface security levels to be 1, 2, 3 and 4. Would I need this command then? No, it would not work, and the ACLs would work as expected, correct?

Yes you are correct and then you would need a normal access-list.

Regards,

Aditya

Please rate helpful posts and mark correct answers.
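The forwarding rules Aditya describes in both replies (same-security interfaces are dropped without the command no matter what the ACLs say; once an ACL is bound it replaces the implicit permit; with distinct levels, as in Geoff's 1/2/3/4 follow-up, direction decides and lower-to-higher needs an ACL) can be written down as a small decision model. The following is an added Python example, not Cisco code and not from either poster; the Asa, Interface and Ace classes, the geoff_asa helper and the host addresses are this example's own assumptions, built from the subnets and levels in the original post.

```python
# Model of the Cisco ASA (8.2-era) interface-to-interface forwarding decision as
# described in the thread. Added example, not Cisco code; names are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-control entry: action plus source/destination network or 'any'."""
    action: str  # "permit" or "deny"
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        def hit(spec: str, ip: str) -> bool:
            return spec == "any" or ip_address(ip) in ip_network(spec)
        return hit(self.src, src_ip) and hit(self.dst, dst_ip)


def evaluate_acl(acl: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation with the ASA's implicit deny at the end."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action == "permit"
    return False


@dataclass
class Interface:
    nameif: str
    security_level: int
    network: str                          # directly connected subnet, e.g. "192.168.1.0/28"
    acl_in: Optional[List[Ace]] = None    # None: no access-group bound inbound
    acl_out: Optional[List[Ace]] = None   # None: no access-group bound outbound


@dataclass
class Asa:
    interfaces: List[Interface]
    permit_inter_interface: bool = False  # same-security-traffic permit inter-interface
    permit_intra_interface: bool = False  # same-security-traffic permit intra-interface

    def interface_for(self, ip: str) -> Interface:
        """Route lookup restricted to connected routes, as in the thread."""
        for intf in self.interfaces:
            if ip_address(ip) in ip_network(intf.network):
                return intf
        raise ValueError(f"no connected route for {ip}")

    def decide(self, src_ip: str, dst_ip: str) -> Tuple[bool, str]:
        ingress = self.interface_for(src_ip)
        egress = self.interface_for(dst_ip)

        # 1. In and out the same interface needs the intra-interface command.
        if ingress is egress:
            if not self.permit_intra_interface:
                return False, "same interface: needs 'same-security-traffic permit intra-interface'"
        # 2. Equal levels are dropped unless inter-interface is enabled, regardless
        #    of what any ACL says (the behaviour Geoff observed).
        elif (ingress.security_level == egress.security_level
              and not self.permit_inter_interface):
            return False, "same security level: needs 'same-security-traffic permit inter-interface'"

        # 3. A bound inbound ACL replaces the security-level default entirely.
        if ingress.acl_in is not None:
            if not evaluate_acl(ingress.acl_in, src_ip, dst_ip):
                return False, f"denied by inbound ACL on {ingress.nameif} (implicit deny)"
        elif ingress.security_level < egress.security_level:
            return False, (f"{ingress.nameif}({ingress.security_level}) -> "
                           f"{egress.nameif}({egress.security_level}): "
                           "lower to higher is denied by default")
        # Otherwise higher-to-lower (or equal level with the command) is permitted.

        # 4. A bound outbound ACL on the egress interface is checked as well.
        if egress.acl_out is not None and not evaluate_acl(egress.acl_out, src_ip, dst_ip):
            return False, f"denied by outbound ACL on {egress.nameif}"
        return True, "permitted"


ANY = [Ace("permit", "any", "any")]  # Geoff's "permit ip any any" ACL


def geoff_asa(same_level: bool, inter_interface: bool, acl: Optional[List[Ace]]) -> Asa:
    """Build the thread's four-interface box with the knobs under discussion."""
    levels = (85, 85, 75, 75) if same_level else (4, 3, 2, 1)  # 4/3/2/1 is the follow-up question
    names = ("prod", "prod1", "exercise", "exercise1")
    nets = ("192.168.1.0/28", "192.168.1.16/28", "192.168.1.32/28", "192.168.1.48/28")
    intfs = [Interface(n, lvl, net, acl_in=acl) for n, lvl, net in zip(names, levels, nets)]
    return Asa(intfs, permit_inter_interface=inter_interface)


if __name__ == "__main__":
    cases = [
        ("same levels, any/any ACL, no command", geoff_asa(True, False, ANY)),
        ("same levels, any/any ACL, command", geoff_asa(True, True, ANY)),
        ("same levels, no ACL, command", geoff_asa(True, True, None)),
        ("levels 4/3/2/1, no ACL, no command", geoff_asa(False, False, None)),
    ]
    for label, asa in cases:  # host .2 on prod, host .18 on prod1 (constructed sample hosts)
        for src, dst in (("192.168.1.2", "192.168.1.18"), ("192.168.1.18", "192.168.1.2")):
            print(f"{label}: {src} -> {dst}: {asa.decide(src, dst)}")
```

Running it reproduces the thread: with equal levels the first case is dropped in both directions even though the ACLs permit everything, the second and third pass, and with levels 4/3/2/1 prod reaches prod1 but not the reverse until an inbound ACL is bound on prod1. Binding that ACL also removes prod1's implicit permit towards the lower interfaces, which is the trap when moving from the same-security command to distinct levels.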

