
ASA not matching the created rule

munaf shaikh
Level 1

Hi All,

We are facing an issue wherein the ASA is not matching one of the rules, even though we have specified the correct source, destination and service port. In the ASDM packet tracer, it shows the traffic instead matching the implicit deny rule.

The packet is received on an interface that has eBGP over a p2p link.

The packet then needs to be sent over another sub-interface on which there is a site-to-site VPN with Azure (private peering). We are running BGP inside the VPN.

The security level of the ingress interface and of the egress sub-interface is the same, i.e. 0.

FYI - the ASA is running on FTD.


3 Replies

manabans
Cisco Employee

To permit communication between different interfaces that have the same security level, the configuration below should be used on the ASA:

    same-security-traffic permit inter-interface

Sorry, can I see the ASA config?

srigovi2
Cisco Employee

When you have two interfaces on the ASA with the same security level and you need to allow traffic between them, you can follow these steps:

1. Create Sub-Interfaces: Configure sub-interfaces on the interface where the traffic is received and on the interface where the traffic needs to be sent. Assign a unique VLAN tag to each sub-interface.

2. Assign Security Levels: Assign the same security level to both the parent interface and the sub-interfaces. For example, you can use security level 0 for all of them.

3. Enable Inter-Interface Communication: By default, the ASA does not allow traffic to flow between interfaces with the same security level. To enable communication, you need to use the same-security-traffic command. Here's an example:

    asa(config)# same-security-traffic permit inter-interface

4. Configure NAT Exemption: If you have NAT configured on the ASA, you will need to exempt the traffic between these interfaces from NAT. Create a NAT exemption rule to bypass NAT for the traffic between the sub-interfaces. Here's an example:

    asa(config)# nat (inside,inside) 0 access-list no-nat

In this example, inside represents the interface where the traffic is received, and no-nat is an access list that defines the traffic that should be exempted from NAT.

5. Create Access Rules: Finally, create access rules to allow the desired traffic between the sub-interfaces. Configure access control rules using access lists to permit the specific traffic you want to allow. Here's an example:

    asa(config)# access-list acl-name extended permit ip source-subnet destination-subnet
    asa(config)# access-group acl-name in interface interface-name

In this example, acl-name is the name of the access list, source-subnet represents the source subnet you want to allow, destination-subnet represents the destination subnet, and interface-name is the interface where the traffic is received.

By following these steps, you should be able to allow traffic between the sub-interfaces on the ASA with the same security level. Remember to adapt the configuration examples to match your specific network setup and requirements.
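The two replies above both come down to the same check: on equal security levels the ASA drops the flow as an implicit deny in the ACCESS-LIST phase of packet-tracer until `same-security-traffic permit inter-interface` is configured, and only after that does the inbound ACL on the ingress interface decide. The following Python script is an added example, not code from this thread and not a Cisco tool: it parses a constructed running-config excerpt (interface names `bgp-p2p` and `azure-vpn`, ACL `bgp_in`, and the addresses are all made up for illustration) and reproduces those two steps for a given 5-tuple, so you can see which ACE a flow hits, in order, and what changes when the same-security command is added. Only `extended` ACEs with `any`, `host` and `network mask` addresses plus an optional `eq PORT` are modelled.

```python
"""Added example (not from the thread): approximate the same-security and
ACCESS-LIST phases of ASA packet-tracer against a parsed config excerpt."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed config: two interfaces at security-level 0, an inbound ACL on the
# ingress interface, and deliberately NO same-security-traffic line.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif bgp-p2p
 security-level 0
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif azure-vpn
 security-level 0
 ip address 198.51.100.1 255.255.255.0
!
access-list bgp_in extended permit tcp host 192.0.2.2 host 198.51.100.10 eq 179
access-list bgp_in extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list bgp_in extended deny ip any any
access-group bgp_in in interface bgp-p2p
"""


@dataclass
class Ace:
    action: str                 # permit | deny
    proto: str                  # ip | tcp | udp ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # only 'eq PORT' is modelled


@dataclass
class AsaConfig:
    levels: dict = field(default_factory=dict)    # nameif -> security-level
    acls: dict = field(default_factory=dict)      # acl name -> [Ace] in config order
    inbound: dict = field(default_factory=dict)   # nameif -> inbound acl name
    same_security_inter: bool = False


def _addr(t, i):
    """Consume one ASA address spec (any | host A | A MASK) starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2           # single address -> /32
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    cfg, cur = AsaConfig(), {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            cur = {}
        elif t[0] == "nameif":
            cur["nameif"] = t[1]
        elif t[0] == "security-level":
            cur["level"] = int(t[1])
        elif t[0] == "!" and "nameif" in cur:           # end of an interface block
            cfg.levels[cur["nameif"]] = cur.get("level")
            cur = {}
        elif line.strip() == "same-security-traffic permit inter-interface":
            cfg.same_security_inter = True
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5)
            dst, i = _addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cfg.acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst, dport))
        elif t[0] == "access-group" and t[2] == "in":   # access-group NAME in interface NAMEIF
            cfg.inbound[t[4]] = t[1]
    return cfg


def trace(cfg, in_if, out_if, proto, src_ip, dst_ip, dport=None):
    """Return (verdict, reason) for a flow; verdict is 'ALLOW' or 'DROP'."""
    if cfg.levels[in_if] == cfg.levels[out_if] and not cfg.same_security_inter:
        return "DROP", ("implicit deny: equal security levels and no "
                        "'same-security-traffic permit inter-interface'")
    acl = cfg.inbound.get(in_if)
    if acl is None:
        # No inbound ACL: the security-level default applies (higher->lower and
        # permitted equal levels pass, lower->higher is implicitly denied).
        ok = cfg.levels[in_if] >= cfg.levels[out_if]
        return ("ALLOW" if ok else "DROP"), "no inbound ACL, security-level default"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(cfg.acls.get(acl, []), start=1):   # first match wins
        if ace.proto not in ("ip", proto) or src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ("ALLOW" if ace.action == "permit" else "DROP"), f"{acl} line {n} ({ace.action})"
    return "DROP", f"{acl}: implicit deny at end of ACL"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    flow = ("bgp-p2p", "azure-vpn", "tcp", "192.0.2.2", "198.51.100.10", 179)
    print(trace(cfg, *flow))          # DROP: the symptom from the original post
    cfg.same_security_inter = True    # effect of adding the command
    print(trace(cfg, *flow))          # ALLOW via bgp_in line 1
    print(trace(cfg, "bgp-p2p", "azure-vpn", "udp", "192.0.2.2", "198.51.100.10", 500))
```

Feed it a real `show running-config` and the output of `packet-tracer input <nameif> tcp <src> <sport> <dst> <dport>` should agree on which line is hit; if the script says ALLOW but the box says DROP, look at the phases this model does not cover (NAT, route lookup to the egress interface, VPN crypto map), which is also why the NAT exemption step in the second reply matters when the same flow must traverse the tunnel untranslated.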
