Newbie ACL question

Gordon Ross
Level 9

I've got an ASA running 8.4

I'm trying to get a simple ACL to work, but I'm failing miserably. The core guts of my config are:

interface GigabitEthernet0/0
 nameif LAN_1
 security-level 100
 ip address 172.18.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif LAN_2
 security-level 100
 ip address 172.18.1.1 255.255.255.0
object network LAN_1_host
 host 172.18.0.2
object network LAN_2_host
 host 172.18.1.2
access-list LAN_1_access_in extended permit icmp any object LAN_2_host
access-group LAN_1_access_in in interface LAN_1

There are no other access-list or access-group commands. There are no NAT commands.

I cannot ping LAN_2_host from LAN_1_host.

I can ping both hosts from the ASA itself.

If I replace the ASA with a router, I can ping fine.

If I use the ASDM packet tracer, it tells me that the packet is being blocked by a default access list.

What am I missing to make this work? In this case, I don't want to NAT, I just want to have a basic ACL.

Thanks,

GTG

Please rate all helpful posts.
Accepted Solutions

Anu M Chacko
Cisco Employee

Hi Gordon,

Do you have "same-security-traffic permit inter-interface" in your config? You will need this since they are both on the same security level. Also, enable inspect icmp for the replies to come through.

Hope this helps!

Regards,

Anu


advijay
Level 1

Hey,

To allow traffic between interfaces on the same security level, you need to add the same-security-traffic permit inter-interface command in global configuration mode.

Hope this helps!

Regards,

Aditya

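Added here as an illustration of both accepted answers (it is not code from the thread or from Cisco): a small Python audit that reads an ASA-style running config like the one Gordon posted and reports the two gaps Anu names, interfaces sharing a security level without "same-security-traffic permit inter-interface", and an ICMP permit without "inspect icmp". The config text inside is a constructed sample mirroring the post, and the line matching is a plain string check, an assumption rather than a real ASA parser.

```python
import re

# Constructed sample mirroring the poster's config: two interfaces at
# security-level 100, an ICMP permit ACL, and neither same-security-traffic
# nor inspect icmp present.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif LAN_1
 security-level 100
 ip address 172.18.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif LAN_2
 security-level 100
 ip address 172.18.1.1 255.255.255.0
access-list LAN_1_access_in extended permit icmp any object LAN_2_host
access-group LAN_1_access_in in interface LAN_1
"""

# The two lines the accepted answers say are missing (inspect icmp lives
# under the default inspection class in the global policy-map).
FIX_LINES = """\
same-security-traffic permit inter-interface
policy-map global_policy
 class inspection_default
  inspect icmp
"""

def parse_interfaces(config):
    """Return {nameif: security-level} from each interface stanza."""
    stanzas, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {}
            stanzas.append(current)
        elif current is not None and line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif current is not None and line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        elif not raw.startswith(" "):
            current = None  # any other top-level command ends the stanza
    return {s["nameif"]: s["level"] for s in stanzas if "nameif" in s and "level" in s}

def audit(config):
    """List the reasons a ping between same-level interfaces would be dropped."""
    lines = {l.strip() for l in config.splitlines()}
    findings, by_level = [], {}
    for nameif, lvl in parse_interfaces(config).items():
        by_level.setdefault(lvl, []).append(nameif)
    for lvl, names in sorted(by_level.items()):
        if len(names) > 1 and "same-security-traffic permit inter-interface" not in lines:
            findings.append("level %d shared by %s without same-security-traffic permit inter-interface"
                            % (lvl, ", ".join(sorted(names))))
    if any(re.match(r"access-list \S+ extended permit icmp\b", l) for l in lines) and "inspect icmp" not in lines:
        findings.append("ACL permits icmp but inspect icmp is not enabled, so replies are not tracked")
    return findings
```

Running audit(SAMPLE_CONFIG) reports both gaps; audit(SAMPLE_CONFIG + FIX_LINES) reports none.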
