05-27-2013 05:35 AM - edited 03-11-2019 06:49 PM
I am trying to get the ASA to route between multiple LAN interfaces.
I've got these interfaces:
interface Vlan100
 nameif outside
 security-level 0
 ip address x.x.x.x y.y.y.y standby z.z.z.z
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.100.2.1 255.255.255.0 standby 10.100.2.2
interface Vlan48
 nameif LAN-1
 security-level 50
 ip address 10.100.48.1 255.255.255.0 standby 10.100.48.2
interface Vlan49
 nameif LAN-2
 security-level 50
 ip address 10.100.49.1 255.255.255.0 standby 10.100.49.2
I want to use access-lists between LAN-1 and LAN-2, so I don't want to use same-security permit inter-interface.
So I created 2 access-lists:
access-list LAN-1_in extended permit icmp any any
access-list LAN-1_in extended permit ip any any
access-list LAN-2_in extended permit icmp any any
access-list LAN-2_in extended permit ip any any
and applied them to the interfaces:
access-group LAN-1_in in interface LAN-1
access-group LAN-2_in in interface LAN-2
As I don't want to use NAT between those 2 segments, I have them exempt from NAT:
nat (LAN-1,LAN-2) source static obj-10.100.48.0 obj-10.100.48.0 destination static obj-10.100.49.0 obj-10.100.49.0
nat (LAN-2,LAN-1) source static obj-10.100.49.0 obj-10.100.49.0 destination static obj-10.100.48.0 obj-10.100.48.0
Now no traffic is possible between 2 hosts: 10.100.48.11 and 10.100.49.11.
Not ICMP, nothing.
When I use the packet tracer, traffic gets dropped by an access-list but it does not specify which one.
What could be wrong here?
The strange thing is, when I set the LAN-1 interface to security level 100 the ping from LAN-1 to LAN-2 and from LAN-2 to LAN-1 does work?!
05-27-2013 05:43 AM
Hi,
If you don't want NAT between the 2 LANs then leave out all NAT configurations between them. You don't need NAT configurations as the traffic will go through without NAT by default. It's only when you have some other NAT configurations between 2 interfaces (like Dynamic NAT/PAT) that you need another NAT configuration to tell that some traffic doesn't need to be NATed.
Even if you configure ACLs on the interface you will still require "same-security-traffic permit inter-interface". This is why "packet-tracer" returns an ACL deny without specifying the exact ACL. The output is a bit cryptic sometimes and doesn't tell you the specific reason, which I think is pretty bad on Cisco's part.
Either enter that command or change the "security-level" so they aren't equal.
Hope this helps.
Please remember to mark the reply as the correct answer if it answered your question.
Ask more if needed.
- Jouni
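A small config check written for this thread (added example, not code from the original post or from Cisco): it pulls the nameif/security-level pairs out of a running-config and reports interface pairs that share a level while the global same-security-traffic command is absent, which is the condition the answer above identifies. The config text is constructed from the question's own interfaces; real ASA output would have more lines, and the parser ignores them.

```python
import re
from itertools import combinations

# Constructed sample built from the interfaces in the question (subset of a running-config).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif inside
 security-level 100
interface Vlan48
 nameif LAN-1
 security-level 50
interface Vlan49
 nameif LAN-2
 security-level 50
access-group LAN-1_in in interface LAN-1
access-group LAN-2_in in interface LAN-2
"""

def parse_security_levels(config):
    """Return {nameif: security-level} from ASA running-config text.

    Tracks the current 'interface' block so a security-level line is only
    attributed to an interface that has already been given a nameif.
    """
    levels, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new block, no nameif seen yet
        elif line.startswith("nameif "):
            name = line.split(None, 1)[1]
        elif line.startswith("security-level ") and name is not None:
            levels[name] = int(line.split()[1])
    return levels

def same_security_pairs_without_permit(config):
    """Interface pairs that share a security level while
    'same-security-traffic permit inter-interface' is not configured.
    Traffic between such a pair is dropped regardless of the interface ACLs,
    which is what packet-tracer reports as an unnamed ACL deny."""
    if re.search(r"^same-security-traffic permit inter-interface\s*$", config, re.M):
        return []
    levels = parse_security_levels(config)
    return sorted((a, b) for a, b in combinations(sorted(levels), 2)
                  if levels[a] == levels[b])

if __name__ == "__main__":
    for a, b in same_security_pairs_without_permit(SAMPLE_CONFIG):
        print(f"{a} <-> {b}: same security level, inter-interface traffic denied")
```

Running it on the sample flags LAN-1 and LAN-2; appending the permit command, or changing one level as the question describes, clears that pair.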