Welcome to Cisco Firewalls Community
Collaborator

Newbie acl question

I've got an ASA running 8.4

I'm trying to get a simple ACL to work, but I'm failing miserably. The core guts of my config are:

interface GigabitEthernet0/0
 nameif LAN_1
 security-level 100
 ip address 172.18.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif LAN_2
 security-level 100
 ip address 172.18.1.1 255.255.255.0
object network LAN_1_host
 host 172.18.0.2
object network LAN_2_host
 host 172.18.1.2
access-list LAN_1_access_in extended permit icmp any object LAN_2_host
access-group LAN_1_access_in in interface LAN_1

There are no other access-list or access-group commands. There are no NAT commands.

I cannot ping LAN_2_host from LAN_1_host.

I can ping both hosts from the ASA itself.

If I replace the ASA with a router, I can ping fine.

If I use the ASDM packet tracer, it tells me that the packet is being blocked by a default access list.

What am I missing to make this work? In this case, I don't want to NAT, I just want to have a basic ACL.

Thanks,

GTG

Please rate all helpful posts.
Accepted Solutions
Cisco Employee

Newbie acl question

Hi Gordon,

Do you have "same-security-traffic permit inter-interface" in your config? You will need this since they are both at the same security level. Also, enable inspect icmp for the replies to come through.

Hope this helps!

Regards,

Anu

Beginner

Newbie acl question

Hey,

To allow traffic between interfaces on the same security level, you need to add the same-security-traffic permit inter-interface command in global configuration mode.

Hope this helps!

Regards,

Aditya
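Putting both replies together, here is the complete working configuration for the setup in the question, as an added example rather than anything posted in the thread. The interface, object, access-list and access-group lines are the poster's own; the same-security-traffic line, the inspect icmp lines and the two verification commands are the additions. It assumes the default global_policy service policy with its inspection_default class that ASA 8.4 ships with; if that has been removed, inspect icmp has to go into whatever policy-map is applied globally.

```text
! Interfaces, objects and ACL exactly as posted
interface GigabitEthernet0/0
 nameif LAN_1
 security-level 100
 ip address 172.18.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif LAN_2
 security-level 100
 ip address 172.18.1.1 255.255.255.0
!
object network LAN_1_host
 host 172.18.0.2
object network LAN_2_host
 host 172.18.1.2
!
access-list LAN_1_access_in extended permit icmp any object LAN_2_host
access-group LAN_1_access_in in interface LAN_1
!
! Added: permit forwarding between interfaces that share a security level.
! Without it the implicit same-security rule drops LAN_1 -> LAN_2 traffic;
! that implicit rule is the "default access list" packet-tracer reported.
same-security-traffic permit inter-interface
!
! Added: make ICMP stateful so the echo reply is matched to its request
! instead of relying on LAN_2 having no inbound ACL of its own.
! global_policy / inspection_default are the ASA defaults (assumed present).
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification from enable mode (not configuration lines):
! simulate an echo request (type 8, code 0) from LAN_1_host to LAN_2_host;
! the Result section at the end of the output should show "Action: allow".
!   packet-tracer input LAN_1 icmp 172.18.0.2 8 0 172.18.1.2
! confirm the global setting actually landed in the running config:
!   show running-config | include same-security
```

Note that same-security-traffic permit inter-interface is global: every pair of interfaces at equal security levels becomes reachable without any ACL, not just LAN_1 to LAN_2. If LAN_2 to LAN_1 should be restricted as well, bind an inbound ACL on LAN_2 too (for example an access-list named LAN_2_access_in applied with access-group LAN_2_access_in in interface LAN_2; both names are hypothetical), so that each direction is governed by an explicit permit rather than the open same-security default.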
