11-30-2015 08:09 AM - edited 03-11-2019 11:58 PM
Morning, engineers.
I hope you can help me to figure out why it is not working using an ACL.
Model: ASA 5555-X
Version: 9.2(2)4
Multiple Context: Yes
Network1 10.100.0.0/24 (DMZ1 on physical subinterface) security-level 50
Network2 10.100.1.0/24 (DMZ2 on portchannel subinterface) security-level 50
Network3 10.100.2.0/30 (Routing to my LAN) security-level 50
LAN 192.168.200.0/24
I need Network2 to communicate only with 192.168.200.0/24 through 10.100.2.0/30, using ACLs.
Using the command "same-security-traffic permit inter-interface" there is no problem, it works, but there is no security, because Network1 can communicate with Network2/3 and my LAN.
I was trying an ACL, but with no success.
access-list ROUTING extended permit ip 10.100.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-group ROUTING in interface Network3
packet-tracer input Network2 tcp 10.100.1.10 16789 192.168.200.10 80 detailed
It says the communication was dropped because of an ACL (I think the global one is deny any any).
Thanks for your time.
11-30-2015 08:55 AM
Hi,
You would require this command to permit the traffic between interfaces of the same security level.
But along with this command you can create ACLs to control traffic based on your security requirements.
Thanks,
Rishabh Seth
PS: Rate if it helps and mark answer as correct if it resolves your issue.
11-30-2015 09:00 AM
Hi Rishabh,
You mean that I need to use both that command (same-security-traffic permit inter-interface) and ACL?
Is there any way only to use ACL to communicate those networks?
Regards
11-30-2015 09:59 AM
Hi,
Yes, you need the 'same security' command to allow the communication between interfaces of the same security level. It is mandatory. However, you could restrict communication between the subnets on these interfaces with the help of an access-list.
Hope it answers your query.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
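The combination described in the answers above (the mandatory same-security command plus per-interface ACLs), written out as an added example for the poster's three networks; this is not configuration from the thread. It assumes the interfaces are named Network1, Network2 and Network3 (as in the poster's packet-tracer command), that the LAN 192.168.200.0/24 is reached via Network3, and that DMZ1 otherwise still needs to reach "any" (adjust that permit to your real policy).

```cisco
! Added example, not from the thread. ASA 9.2 context: same-security command plus ACLs.
! Assumed nameif values: Network1 (DMZ1), Network2 (DMZ2), Network3 (routing link to the LAN).

! 1. Mandatory: without this, traffic between two security-level-50 interfaces is dropped
!    before any interface ACL is consulted, which is the drop the poster's packet-tracer shows.
same-security-traffic permit inter-interface

! 2. DMZ2 may talk only to the LAN. An access-group applied "in" filters traffic ENTERING that
!    interface, so the rule must sit on Network2; the poster's ACL on Network3 never saw the
!    packet-tracer flow injected on Network2.
access-list DMZ2_IN extended permit ip 10.100.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list DMZ2_IN extended deny ip any any log
access-group DMZ2_IN in interface Network2

! 3. DMZ1 must not reach DMZ2, the /30 routing link or the LAN. Entries match first-hit, so the
!    specific denies come before the broad permit (assumed policy: DMZ1 may reach anything else).
access-list DMZ1_IN extended deny ip 10.100.0.0 255.255.255.0 10.100.1.0 255.255.255.0 log
access-list DMZ1_IN extended deny ip 10.100.0.0 255.255.255.0 10.100.2.0 255.255.255.252 log
access-list DMZ1_IN extended deny ip 10.100.0.0 255.255.255.0 192.168.200.0 255.255.255.0 log
access-list DMZ1_IN extended permit ip 10.100.0.0 255.255.255.0 any
access-group DMZ1_IN in interface Network1

! 4. LAN-initiated traffic entering on Network3 may reach DMZ2 only. Return traffic for
!    connections DMZ2 opened is allowed by the stateful connection table, not by this ACL.
access-list ROUTING_IN extended permit ip 192.168.200.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list ROUTING_IN extended deny ip any any log
access-group ROUTING_IN in interface Network3

! Verify: the poster's own test should now end in "allow"; the DMZ1 test should be dropped by
! the ACL phase with DMZ1_IN as the matching rule.
packet-tracer input Network2 tcp 10.100.1.10 16789 192.168.200.10 80 detailed
packet-tracer input Network1 tcp 10.100.0.10 16789 192.168.200.10 80 detailed
```

With the same-security command present, the interface ACLs become the only thing separating the three level-50 networks, so the "deny ip any any log" entries are what make each interface's policy explicit instead of relying on the implicit deny.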