06-13-2017 02:43 AM - edited 03-12-2019 02:29 AM
Hello, I am having trouble configuring a firewall at work. It is a Cisco ASA 5520 running 8.2. I cannot paste the config as it's in a secure environment. So, basically the config is:
interface GigabitEthernet0/0
 nameif prod
 security-level 85
 ip address 192.168.1.1 255.255.255.240
!
interface GigabitEthernet1/1
 nameif prod1
 security-level 85
 ip address 192.168.1.17 255.255.255.240
!
interface GigabitEthernet1/2
 nameif exercise
 security-level 75
 ip address 192.168.1.33 255.255.255.240
!
interface GigabitEthernet1/3
 nameif exercise1
 security-level 75
 ip address 192.168.1.49 255.255.255.240
!
access-list acl_out extended permit ip any any log 5
access-list acl_in extended permit ip any any log 5
!
access-group acl_in in interface prod
access-group acl_out out interface prod
!
access-group acl_in in interface prod1
access-group acl_out out interface prod1
!
access-group acl_in in interface exercise
access-group acl_out out interface exercise
!
access-group acl_in in interface exercise1
access-group acl_out out interface exercise1
That's pretty much it. The routes are all connected, so I don't actually have routing statements.
I notice I cannot connect from a host on the outside of the interface to another host etc. It just will not work.
IF I add the command
same-security-traffic permit inter-interface
then it works. It even works IF I take out the access lists. This confuses me. I essentially want prod to talk to prod1 and vice versa, and exercise to talk to exercise1 etc., and also out to an external connection, which I will set up a route for.
If I use this command "same-security-traffic intra-interface", do I also use ACLs? How do I do it without this command? Change the security levels to be all different? This command seems to override the need for ACLs. So do I use this command and THEN apply ACLs to permit/deny as appropriate?
Can anyone please assist me with this as it has been driving me nuts!
Thanks,
Geoff
06-13-2017 03:14 AM
Hi Geoff,
You would require this statement, as the security levels of prod and prod1 are the same:
same-security-traffic permit inter-interface
The same goes for exercise and exercise1, since both of those interfaces have the same security level.
By default, no ACL is required to permit communication between two interfaces of the same security level (provided you have the same-security-traffic permit inter-interface command), but if you do have an ACL on the interface, then it will be checked.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
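To make the rules in the answer above concrete, here is a small model of how a pre-8.3 ASA (the 8.2 box in this thread) decides whether a flow between two interfaces is forwarded: the same-security-traffic commands, the security-level rule, and inbound/outbound interface ACLs. This is an added example, not part of the thread and not Cisco code; the names Ace, Interface, Asa and thread_asa are this example's own. The interface names, levels and subnets are taken from Geoff's post, the host addresses are constructed, and it also tries Geoff's idea of giving the four interfaces levels 1, 2, 3 and 4.

```python
"""Model of how a pre-8.3 Cisco ASA (such as the 8.2 box in the thread)
decides whether to forward a flow between two interfaces, given security
levels, the same-security-traffic commands and interface ACLs.

Added illustration, not ASA or Cisco code: Ace, Interface, Asa and
thread_asa are this example's own names. Interface names, levels and
subnets are from the post; the host addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    """One 'access-list NAME extended permit|deny PROTO SRC DST' entry."""
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches any protocol, else "tcp" / "udp" / "icmp"
    src: str     # "any" or a CIDR such as 192.168.1.0/28
    dst: str

    def matches(self, proto: str, src: str, dst: str) -> bool:
        def in_spec(addr: str, spec: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
        return self.proto in ("ip", proto) and in_spec(src, self.src) and in_spec(dst, self.dst)


@dataclass
class Interface:
    nameif: str
    security_level: int
    acl_in: Optional[List[Ace]] = None   # access-group NAME in interface <nameif>
    acl_out: Optional[List[Ace]] = None  # access-group NAME out interface <nameif>


def acl_verdict(acl: List[Ace], proto: str, src: str, dst: str) -> str:
    """First matching ACE wins; every ASA ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst):
            return ace.action
    return "deny"


@dataclass
class Asa:
    interfaces: Dict[str, Interface]
    inter_interface: bool = False  # same-security-traffic permit inter-interface
    intra_interface: bool = False  # same-security-traffic permit intra-interface

    def decide(self, ingress: str, egress: str, proto: str, src: str, dst: str) -> Tuple[str, str]:
        i, e = self.interfaces[ingress], self.interfaces[egress]
        # 1. Same-security checks stand on their own: a permitting ACL does
        #    not rescue a flow that fails them (Geoff's observation).
        if ingress == egress and not self.intra_interface:
            return "deny", "hairpin needs same-security-traffic permit intra-interface"
        if ingress != egress and i.security_level == e.security_level and not self.inter_interface:
            return "deny", "same security level, inter-interface traffic not permitted"
        # 2. An inbound ACL on the ingress interface replaces the implicit
        #    level rule; with no ACL, only higher-to-lower (or permitted
        #    same-level) traffic passes.
        if i.acl_in is not None:
            if acl_verdict(i.acl_in, proto, src, dst) == "deny":
                return "deny", f"inbound ACL on {ingress} (explicit or implicit deny)"
        elif i.security_level < e.security_level:
            return "deny", f"{ingress}({i.security_level}) to {egress}({e.security_level}) is lower-to-higher with no inbound ACL"
        # 3. An outbound ACL on the egress interface, if applied, is checked too.
        if e.acl_out is not None and acl_verdict(e.acl_out, proto, src, dst) == "deny":
            return "deny", f"outbound ACL on {egress}"
        return "permit", "allowed"


def thread_asa(levels: Dict[str, int], inter_interface: bool, acls: bool) -> Asa:
    """The four-interface box from the post. acls=True applies
    'permit ip any any' in and out on every interface, as posted."""
    any_any = [Ace("permit", "ip", "any", "any")]
    ifaces = {n: Interface(n, lvl, any_any if acls else None, any_any if acls else None)
              for n, lvl in levels.items()}
    return Asa(ifaces, inter_interface=inter_interface)


AS_POSTED = {"prod": 85, "prod1": 85, "exercise": 75, "exercise1": 75}
FOLLOW_UP = {"prod": 1, "prod1": 2, "exercise": 3, "exercise1": 4}  # Geoff's "1 2 3 & 4"
PROD_TO_PROD1 = ("tcp", "192.168.1.2", "192.168.1.18")  # constructed hosts

if __name__ == "__main__":
    for inter, acls in [(False, True), (True, False), (True, True)]:
        asa = thread_asa(AS_POSTED, inter, acls)
        print(f"inter-interface={inter!s:5} acls={acls!s:5} prod->prod1:",
              asa.decide("prod", "prod1", *PROD_TO_PROD1))
    # Not mentioned in the thread: prod(85) already reaches exercise(75) with nothing configured.
    print("no command, no ACLs, prod->exercise:",
          thread_asa(AS_POSTED, False, False).decide("prod", "exercise", "tcp", "192.168.1.2", "192.168.1.34"))
    print("levels 1-4, no command, no ACLs, prod->prod1:",
          thread_asa(FOLLOW_UP, False, False).decide("prod", "prod1", *PROD_TO_PROD1))
```

Running it reproduces the three things seen in the thread (same level without the command is dropped even with permit ip any any; with the command and no ACL it passes; with the command and an ACL the ACL is consulted) and shows two things the thread does not spell out. First, with the levels as posted, prod (85) already reaches exercise (75) with no command and no ACL, and exercise reaches prod only because acl_in permits ip any any; if the intent is really prod with prod1 and exercise with exercise1 only, the inbound ACLs have to say so. Second, with levels 1, 2, 3 and 4 the command is indeed not needed, but then every direction is lower-to-higher or higher-to-lower, so an inbound ACL is required on the lower side and the permit ip any any ACLs open everything.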
06-13-2017 03:57 AM
Thanks Aditya. So, let's say I changed the interface security levels to be 1, 2, 3 & 4. Would I need this command then? No, it would not work, and the ACLs would work as expected, correct?
06-13-2017 05:00 AM
Regards,
Aditya
Please rate helpful posts and mark correct answers.