06-13-2017 02:43 AM - edited 03-12-2019 02:29 AM
Hello, I am having trouble configuring a firewall at work. It is a Cisco ASA 5520 running 8.2. I cannot paste the config as it's in a secure environment. So, basically the config is:
interface gig 0/0
nameif prod
ip add 192.168.1.1 255.255.255.240
security-level 85
!
interface gig 1/1
nameif prod1
ip add 192.168.1.17 255.255.255.240
security-level 85
!
interface gig 1/2
nameif exercise
ip add 192.168.1.33 255.255.255.240
security-level 75
interface gig 1/3
nameif exercise1
ip add 192.168.1.49 255.255.255.240
security-level 75
access-list acl_out extended permit ip any any log 5
access-list acl_in extended permit ip any any log 5
!
interface gig 0/0
access-group acl_out out interface prod
access-group acl_out in interface prod
!
interface gig 1/1
access-group acl_out out interface prod
access-group acl_out in interface prod
!
interface gig 1/2
access-group acl_out out interface prod
access-group acl_out in interface prod
!
interface gig 1/3
access-group acl_out out interface prod
access-group acl_out in interface prod
That's pretty much it. The routes are all connected so I don't actually have routing statements.
I notice I cannot connect from a host on the outside of the interface to another host etc. It just will not work.
IF I add the command
same-security-traffic permit inter-interface
then it works. It even works IF I take out the access lists. This confuses me. I essentially want prod to talk to prod1 and vice versa, and exercise to talk to exercise1 etc, and also out to an external connection, which I will set up a route for.
If I use this command "same-security-traffic intra-interface" do I also use ACLs? How do I do it without this command? Change the security levels to be all different? This command seems to override the need for ACLs. So do I use this command and THEN apply ACLs to permit/deny as appropriate?
Can anyone please assist me with this as it has been driving me nuts!
Thanks,
Geoff
06-13-2017 03:14 AM
Hi Geoff,
You would require this statement as the security levels of prod and prod1 are same.
same-security-traffic permit inter-interface
Same goes for exercise and exercise1 since all these interfaces have the same security level.
By default, no ACL is required to permit communication between 2 interfaces of same security level (provided you have same-security-traffic permit inter-interface command) but if you do have an ACL on the interface, then it will be checked.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-13-2017 03:57 AM
Thanks Aditya. So, let's say I changed the interface security levels to be 1, 2, 3 & 4. Would I need this command then? No, it would not work and the ACLs would work as expected, correct?
06-13-2017 05:00 AM
Regards,
Aditya
Please rate helpful posts and mark correct answers.
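Added worked example (not from this thread and not Cisco code): a small Python model of the order in which an ASA applies the same-security gate, a bound inbound ACL, and the default security-level rule, built around the four interfaces Geoff listed. It reproduces the two observations Geoff reports and the caveat in Aditya's answer (a bound ACL is still checked once same-security traffic is enabled), and it also runs the distinct-levels 1/2/3/4 case from Geoff's follow-up. The host addresses are constructed sample values, and the ordering of the three checks is the ASA's documented default behaviour, assumed here rather than quoted from the thread.

```python
"""Model of the Cisco ASA per-flow permit decision discussed in this thread.

Added illustration, not Cisco code and not the poster's config. It encodes
the ASA's documented default behaviour (assumed here, not taken from the thread):
  * equal security levels: denied unless
    `same-security-traffic permit inter-interface` is set, regardless of ACLs
  * higher -> lower security level: permitted with no ACL bound
  * lower -> higher: denied unless an inbound ACL on the ingress interface permits it
  * once an inbound ACL (access-group ... in) is bound to the ingress interface,
    that ACL decides: first match wins, implicit deny at the end
Interface names come from the question; host addresses are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


def _in(spec: str, ip: str) -> bool:
    """True if ip falls in spec, where spec is 'any' or a CIDR block."""
    return spec == "any" or ip_address(ip) in ip_network(spec)


@dataclass
class Ace:
    """One access-list entry: action is 'permit' or 'deny'."""
    action: str
    src: str = "any"
    dst: str = "any"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _in(self.src, src_ip) and _in(self.dst, dst_ip)


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None   # None = no inbound access-group bound


@dataclass
class Asa:
    interfaces: Dict[str, Interface]
    same_security_inter: bool = False    # same-security-traffic permit inter-interface

    def permitted(self, ingress: str, egress: str, src_ip: str, dst_ip: str) -> bool:
        i, e = self.interfaces[ingress], self.interfaces[egress]
        # Gate 1: the same-security gate is evaluated before any ACL is consulted.
        if i.security_level == e.security_level and not self.same_security_inter:
            return False
        # Gate 2: a bound inbound ACL replaces the implicit security-level rule.
        if i.acl_in is not None:
            for ace in i.acl_in:
                if ace.matches(src_ip, dst_ip):
                    return ace.action == "permit"
            return False                  # implicit deny at the end of the ACL
        # Gate 3: implicit rule when no ACL is bound.
        return i.security_level >= e.security_level


INTERFACES = ("prod", "prod1", "exercise", "exercise1")


def thread_asa(same_security: bool, acl: Optional[List[Ace]] = None,
               levels=(85, 85, 75, 75)) -> Asa:
    """Build the four-interface box from the question. If `acl` is given it is
    bound inbound on every interface, mirroring `access-group ... in` on each."""
    ifaces = {n: Interface(n, lvl, acl) for n, lvl in zip(INTERFACES, levels)}
    return Asa(ifaces, same_security)


PERMIT_ANY = [Ace("permit")]   # access-list ... extended permit ip any any


def demo() -> Dict[str, bool]:
    """Reproduce the observations and the follow-up question from the thread."""
    src, dst = "192.168.1.2", "192.168.1.18"     # constructed hosts on prod / prod1
    distinct = (1, 2, 3, 4)                       # levels from the follow-up question
    return {
        # First observation: permit-any ACLs alone do not help at 85/85.
        "85/85, acl only": thread_asa(False, PERMIT_ANY).permitted("prod", "prod1", src, dst),
        # Second observation: the command alone is enough, even with no ACL.
        "85/85, same-security only": thread_asa(True).permitted("prod", "prod1", src, dst),
        # Aditya's caveat: with the command set, a bound ACL is still checked.
        "85/85, same-security + deny acl":
            thread_asa(True, [Ace("deny", "192.168.1.0/28")]).permitted("prod", "prod1", src, dst),
        # Distinct levels without the command: higher -> lower is implicit,
        # lower -> higher needs a permitting inbound ACL.
        "2->1, no acl": thread_asa(False, levels=distinct).permitted("prod1", "prod", dst, src),
        "1->2, no acl": thread_asa(False, levels=distinct).permitted("prod", "prod1", src, dst),
        "1->2, permit acl": thread_asa(False, PERMIT_ANY, levels=distinct).permitted("prod", "prod1", src, dst),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:36} {'permit' if ok else 'deny'}")
```

Running it prints one line per case; the first three lines are the behaviour described in the thread at 85/85, and the last three show what changes once the levels are made distinct. The model deliberately checks the same-security gate before the ACL, which is why a permit-any ACL on its own never opens prod to prod1 at equal levels.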