12-22-2015 10:34 PM - edited 03-12-2019 12:04 AM
Hi everyone.
Could someone please explain to me what the option "enable traffic between two or more interfaces which are configured with the same security level" is needed for? I am confused, because in any case I have to add a permit ACL from one interface to the other with the same security level, and it works.
So, I have one global implicit rule deny ip any any, but actually if this option is enabled and if I understand correctly, shouldn't traffic go from one interface to the other with the same security level without any additional ACLs?
Thanks in advance
12-22-2015 10:54 PM
Hi,
You need to configure the command "same-security-traffic permit inter-interface" to allow traffic between two interfaces which are at the same security level. If you just have an access list, then it will not work.
If you run this command, then it will allow all traffic between the two interfaces which have the same security level. Once this command is enabled, you can control the traffic flow between these two interfaces using an ACL. If you have a permit ACL to pass certain traffic between these two interfaces and you do not enable this command, then the traffic will be dropped by the implicit rule. Once you have this command enabled, you can control the flow using the ACL.
You can refer to the link:
https://supportforums.cisco.com/discussion/12731516/asa-same-security-levels-inter-interface-definitive-understanding-required
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
12-22-2015 11:24 PM
Thanks for answer.
I agree with you that a permit ACL without this option doesn't work. But conversely, the option "same-security-traffic permit inter-interface" without any permit ACL also doesn't work, because the ASA has an implicit deny ip any any rule by default.
So, if I can control traffic using ACLs, why do I need such an option at all? Can it be assumed that the ACL and "same-security-traffic permit inter-interface" just complement each other?
12-23-2015 12:04 AM
Hi,
If you have the command same-security-traffic permit inter-interface, then you do not need any ACL. It allows all traffic between the two interfaces without any ACL.
If you do not have this command but you have an access list allowing all traffic between these two interfaces, then the traffic will be dropped.
In short, this command is a must to permit traffic between same-security interfaces.
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
12-23-2015 06:14 AM
I have the command same-security-traffic permit inter-interface and it doesn't work.
In my case there are two interfaces; let's say the first is inside1, the second is inside2, and the security level of both is 100. Traffic doesn't flow from inside1 to inside2 and vice versa. It is dropped on the same interface from which the traffic is generated, so the solution is to add one permit rule for each interface.
12-24-2015 11:11 AM
Hi,
What traffic are you testing with? Could you please try the packet-tracer below without any access-lists (remove the access-group command).
packet-tracer input inside1 tcp <source-ip> 12345 <destination-ip> 12345 detail
Regards,
Akshay Rastogi
12-24-2015 11:07 PM
Hi, Akshay Rastogi
On my ASA there are several ACLs on different interfaces. I have removed the access-group from only the INSIDE1 interface and run the packet-tracer command; the result and action were DROP by the global access-group (implicit rule: deny ip any any by default).
Actually I can't remove the rest of the ACLs from every interface right now. Maybe that is the reason?
BR
12-25-2015 10:32 AM
Hi BR,
If access-lists are applied to those interfaces as well, then you need to explicitly allow the traffic in them. If the access-group is the 'global' one, then it might be dropping the packet as well if the traffic is not allowed in that access-list.
I confirm that you do not need any access-list for communication between same-security interfaces. If you add any, then it must have your traffic allowed as well.
Could you please share the output of 'show run access-group'?
Also, could you please share the complete packet-tracer output?
Regards,
Akshay Rastogi
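The replies above describe three separate gates a flow crosses on an ASA: the security-level comparison (including same-security-traffic permit inter-interface), the inbound ACL on the ingress interface, and the global ACL, each of the latter two ending in an implicit deny. The following is an added illustration for this thread, not Cisco code or anything posted by the participants: a simplified Python model of that decision order, with the thread's scenarios (same-security command alone, a permit ACL without the command, and the global ACL dropping an unmatched flow even with the command enabled) encoded as test cases. Interface names, security levels, and addresses are constructed for the example, and real ASA behaviour has more stages (NAT, inspection, intra-interface rules) that this model leaves out.

```python
"""Simplified model of ASA forwarding decisions between routed interfaces.

Written for this thread as an illustration; it is not Cisco code.  It encodes
only the rules the replies describe:
  * equal security levels need "same-security-traffic permit inter-interface",
    with or without ACLs;
  * with no inbound ACL on the ingress interface and no global ACL, the
    security levels decide (higher -> lower permitted, lower -> higher denied);
  * an inbound interface ACL is checked first; an unmatched flow falls through
    to the global ACL if one exists, and otherwise to the implicit deny;
  * the global ACL ends in an implicit deny, so an unmatched flow is dropped
    even when same-security-traffic is enabled (the poster's packet-tracer).
Names and addresses below are made up for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    """One access-list entry: action plus source/destination prefixes."""
    action: str  # "permit" or "deny"
    src: str     # CIDR, e.g. "10.1.1.0/24"
    dst: str     # CIDR

    def matches(self, src: str, dst: str) -> bool:
        return ip_address(src) in ip_network(self.src) and ip_address(dst) in ip_network(self.dst)


@dataclass
class Asa:
    security_level: Dict[str, int]                   # nameif -> security-level
    same_security_inter: bool = False                # same-security-traffic permit inter-interface
    interface_acl: Dict[str, List[Ace]] = field(default_factory=dict)  # inbound access-group per nameif
    global_acl: Optional[List[Ace]] = None           # None = no "access-group ... global" configured

    @staticmethod
    def _lookup(acl: List[Ace], src: str, dst: str) -> Optional[str]:
        for ace in acl:
            if ace.matches(src, dst):
                return ace.action
        return None  # no match: fall through

    def decide(self, ingress: str, egress: str, src: str, dst: str) -> Tuple[str, str]:
        """Return ("permit"|"drop", reason) for a flow entering `ingress` and leaving `egress`."""
        lvl_in, lvl_out = self.security_level[ingress], self.security_level[egress]

        # Gate 1: same-level pairs need the command regardless of any ACL.
        if lvl_in == lvl_out and not self.same_security_inter:
            return "drop", "same-security-traffic permit inter-interface not configured"

        in_acl = self.interface_acl.get(ingress)
        if in_acl is None and self.global_acl is None:
            # Gate 2 (no ACLs at all): the security levels alone decide.
            if lvl_in > lvl_out:
                return "permit", "implicit rule: higher to lower security level"
            if lvl_in == lvl_out:
                return "permit", "same-security-traffic permit inter-interface"
            return "drop", "implicit rule: lower to higher security level"

        # Gate 3: interface ACL first, then global ACL, then implicit deny.
        if in_acl is not None:
            act = self._lookup(in_acl, src, dst)
            if act is not None:
                return ("permit" if act == "permit" else "drop"), f"interface ACL on {ingress}"
        if self.global_acl is not None:
            act = self._lookup(self.global_acl, src, dst)
            if act is not None:
                return ("permit" if act == "permit" else "drop"), "global ACL"
        return "drop", "implicit deny at end of ACL"


LEVELS = {"inside1": 100, "inside2": 100, "outside": 0}  # constructed for the example
FLOW = ("inside1", "inside2", "10.1.1.10", "10.1.2.10")   # inside1 host -> inside2 host
PERMIT_1_TO_2 = Ace("permit", "10.1.1.0/24", "10.1.2.0/24")


def thread_scenarios() -> Dict[str, Tuple[str, str]]:
    """The cases discussed in the thread, each as (verdict, reason)."""
    return {
        # Shivapramod: the command alone, no ACLs -> everything between the two flows.
        "command only": Asa(LEVELS, same_security_inter=True).decide(*FLOW),
        # Shivapramod: a permit ACL without the command is still dropped.
        "acl without command": Asa(LEVELS, interface_acl={"inside1": [PERMIT_1_TO_2]}).decide(*FLOW),
        # Akshay: once an ACL is applied it must permit the traffic explicitly.
        "command plus matching acl": Asa(LEVELS, True, {"inside1": [PERMIT_1_TO_2]}).decide(*FLOW),
        "command plus non-matching acl": Asa(LEVELS, True, {"inside1": [PERMIT_1_TO_2]})
            .decide("inside1", "inside2", "10.1.1.10", "10.1.3.10"),
        # The poster's packet-tracer: access-group removed from inside1, but a
        # global ACL with no matching entry still ends in the implicit deny.
        "command plus unmatched global acl": Asa(
            LEVELS, True, global_acl=[Ace("permit", "10.1.1.0/24", "192.0.2.0/24")]).decide(*FLOW),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in thread_scenarios().items():
        print(f"{name:34s} {verdict:6s} ({reason})")
```

Read against the thread: "command only" permits, "acl without command" drops at the first gate, and "command plus unmatched global acl" drops with "implicit deny at end of ACL", which is the outcome the poster saw in packet-tracer after removing only the inside1 access-group. On a real ASA the equivalent check is the `packet-tracer input inside1 tcp <src> <sport> <dst> <dport> detail` command already suggested above; the phase that reports the drop tells you which of these gates applied.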