06-20-2013 08:44 AM - edited 03-11-2019 07:01 PM
ASA 5525-X with 9.1 code with multicontext mode enabled
I enabled traffic between interfaces with the same security level on the admin firewall context. This works, but when I disable this feature and apply inbound ACLs to these same interfaces, the log indicates packets are being denied by the implicit policy even though my ACL permits this traffic.
Any clues as to why this occurs? Tried rebooting the ASA after disabling same-security-level interface traffic, to no avail.
Thanks Team
Scott
Solved! Go to Solution.
06-20-2013 09:21 AM
Hi,
If you have "same-security-traffic permit inter-interface" configured, have 2 interfaces with the same "security-level" value, and have an "access-list" configured on both interfaces, then the ACLs will handle the decision of what traffic is allowed and what is not.
In the above case you could consider "same-security-traffic permit inter-interface" a kind of command that overcomes a default limitation on communication between interfaces with the same "security-level" value.
So basically, when you have interface ACLs configured, they will decide which traffic is allowed even if you have the "same-security-traffic" configuration enabled.
Hope this helps
Please do remember to mark the reply as the correct answer if it answered your question.
Or ask more if needed.
- Jouni
06-20-2013 08:49 AM
Hi,
If you have interfaces configured with the same "security-level" value, then the only way traffic can pass between them is if you have the "same-security-traffic permit inter-interface" configuration enabled.
So even if you allow traffic with "access-list" configurations on the interfaces BUT you don't have the above configuration command enabled, then traffic will still get blocked.
So you either have to configure "same-security-traffic permit inter-interface" OR you will have to change either interface's "security-level" so they don't match.
- Jouni
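The two replies above describe the same ordering: the equal-security-level check is evaluated before the interface ACL, so a permit ACE never gets a chance unless "same-security-traffic permit inter-interface" is present. The following ASA configuration fragment is an added example, not configuration posted in this thread; the interface names, context, subnets and ACL name are constructed placeholders, and in multiple-context mode the commands go into the context that owns the interfaces.

```text
! Added example (not from the thread). Two DMZ interfaces at the same
! security level, with an inbound ACL on dmz1.
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
! Inbound policy for dmz1: allow only HTTPS toward the dmz2 subnet,
! log everything else explicitly (an implicit deny exists anyway).
access-list DMZ1_IN extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 443
access-list DMZ1_IN extended deny ip any any log
access-group DMZ1_IN in interface dmz1
!
! Without the next line, dmz1 -> dmz2 is dropped before DMZ1_IN is
! consulted (equal security levels), which shows up as an implicit deny
! in the log even though the ACL permits the flow. With it, DMZ1_IN
! becomes the deciding policy for dmz1 -> dmz2.
same-security-traffic permit inter-interface
!
! Verification, run inside the context after the change:
! show running-config same-security-traffic
! packet-tracer input dmz1 tcp 10.1.1.10 40000 10.2.2.20 443
! packet-tracer input dmz1 tcp 10.1.1.10 40000 10.2.2.20 22
```

The two packet-tracer runs are the quickest way to confirm the ordering: with the same-security command in place, the first flow should pass through the ACL phase on DMZ1_IN, while the second should be dropped by the ACL's explicit deny rather than by an implicit rule.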
06-20-2013 09:14 AM
So can/will ACLs control traffic on these interfaces with the same-security-level feature enabled and interfaces configured at the same level, or will all traffic be permitted regardless of ACLs if security levels are equal?
Thank you!
Sent from Cisco Technical Support iPhone App
06-21-2013 06:23 AM
Thank you Jouni !
I understand the logic at this point and appreciate your quick responses.