04-06-2023 05:32 AM
Hi All,
We are facing an issue wherein the ASA is not matching one of the rules, even though we have mentioned the correct source, destination and service port. In ASDM packet tracer, it shows the traffic is instead matching the implicit deny rule.
The packet is being received on one of the interfaces, which has eBGP over a p2p link.
And the packet needs to be sent over another sub-interface on which there is a site-to-site VPN with Azure (Private peering). We are running BGP inside the VPN.
The security level of the ingress interface and of the egress sub-interface is the same, i.e. 0.
FYI - ASA is running on FTD
04-19-2023 08:37 AM
To permit communication between different interfaces that have the same security level, the below configuration should be used on the ASA:
same-security-traffic permit inter-interface
04-19-2023 09:14 AM
Sorry, can I see the ASA config?
05-21-2023 10:53 PM
When you have two interfaces on the ASA with the same security level and you need to allow traffic between them, you can follow these steps:
1. Create Sub-Interfaces: Configure sub-interfaces on the interface where the traffic is received and the interface where the traffic needs to be sent. Assign unique VLAN tags to each sub-interface.
2. Assign Security Levels: Assign the same security level to both the parent interface and the sub-interfaces. For example, you can use the security level 0 for all of them.
3. Enable Inter-Interface Communication: By default, ASA does not allow traffic to flow between interfaces with the same security level. To enable communication, you need to use the same-security-traffic command. Here's an example:
asa(config)# same-security-traffic permit inter-interface
4. Configure NAT Exemption: If you have NAT configured on the ASA, you will need to exempt the traffic between these interfaces from NAT. Create a NAT exemption rule to bypass NAT for the traffic between the sub-interfaces. Here's an example:
asa(config)# nat (inside,inside) 0 access-list no-nat
In this example, inside represents the interface where the traffic is received, and no-nat is an access list that defines the traffic that should be exempted from NAT.
5. Create Access Rules: Finally, create access rules to allow the desired traffic between the sub-interfaces. Configure access control rules using access lists to permit the specific traffic you want to allow. Here's an example:
asa(config)# access-list acl-name extended permit ip source-subnet destination-subnet
asa(config)# access-group acl-name in interface interface-name
In this example, acl-name is the name of the access list, source-subnet represents the source subnet you want to allow, destination-subnet represents the destination subnet, and interface-name is the interface where the traffic is received.
By following these steps, you should be able to allow traffic between the sub-interfaces on the ASA with the same security level. Remember to adapt the configuration examples to match your specific network setup and requirements.
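As an added illustration (not code from anyone in this thread), the check below reads an ASA running-config, groups interfaces by security level, and reports every same-level pair that will hit the implicit deny because same-security-traffic permit inter-interface is absent. The config text is a constructed sample, not the poster's.

```python
import re
from collections import defaultdict

# Constructed sample ASA running-config (not taken from the thread): a p2p
# uplink and an Azure VPN sub-interface both at security-level 0.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif azure-vpn
 security-level 0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
!
"""

def parse_security_levels(config):
    """Return {nameif: security-level} for each interface block."""
    levels, block = {}, {}
    for line in config.splitlines() + ["!"]:
        if line.startswith("interface ") or line == "!":
            if "nameif" in block and "level" in block:
                levels[block["nameif"]] = block["level"]
            block = {}
            continue
        m = re.match(r"\s+nameif (\S+)$", line)
        if m:
            block["nameif"] = m.group(1)
        m = re.match(r"\s+security-level (\d+)$", line)
        if m:
            block["level"] = int(m.group(1))
    return levels

def blocked_same_level_pairs(config):
    """Interface pairs sharing a security level that the ASA will drop
    (implicit deny) because 'same-security-traffic permit inter-interface'
    is missing; empty when the command is present."""
    if re.search(r"^same-security-traffic permit inter-interface$", config, re.M):
        return []
    by_level = defaultdict(list)
    for name, level in parse_security_levels(config).items():
        by_level[level].append(name)
    return [(a, b, lvl) for lvl, names in sorted(by_level.items())
            for i, a in enumerate(sorted(names)) for b in sorted(names)[i + 1:]]

if __name__ == "__main__":
    for a, b, lvl in blocked_same_level_pairs(SAMPLE_CONFIG):
        print(f"{a} <-> {b} (security-level {lvl}) blocked: add same-security-traffic permit inter-interface")
```

Run it against `show running-config` output; an empty result means same-level forwarding is already permitted and the drop reported by packet tracer has another cause (ACL or NAT).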