03-30-2019 05:51 AM - edited 03-30-2019 05:52 AM
Hello all,
Currently I'm troubleshooting the following topology:
image 1
Scenario:
- All interfaces have an access-list allowing communication to every other IP range.
- All the routes are known for each node.
- The security-level of each interface is assigned as depicted in "image 1"
- All ASAs run OS version 9.8(1).
- My focus is on ASA1, which is the one dropping the packets.
Problem:
- Hosts in the range 10.10.111.0/24 can't ping end devices in the network 10.10.222.0/24, and vice versa.
- Hosts in the ranges 10.10.111.0/24 and 10.10.222.0/24 can communicate with 10.10.0.0/24 bidirectionally.
- When I issue a packet-tracer, it tells me the packet is dropped by matching the implicit deny, completely ignoring the "permit any any ip" which is the first line in the ACL rule.
My understanding:
By default, traffic from a lower or equal security-level to a higher one is dropped; however, as I have an access-list configured on each interface, it should override the security-level rule, and if the rule allows some traffic it should be permitted.
However, I notice that in my situation I have traffic from security-level 60 to 100 being permitted by the ACL and it works, but between the same security-level it doesn't.
At the beginning I thought it could be related to some concept like nat-control, but as I understood it, this ASA version doesn't even support that feature.
04-03-2019 01:00 PM
Hello Community, and thanks for your attempts at contacting; however, I got to a solution. I changed the security level of one of the interfaces to be different, and that allowed the ACL to take effect.
I had understood that if there was an ACL in place, the security level rule would be overwritten by the applied ACL, but in my case it didn't.
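As an added example, not taken from the thread or from Cisco's documentation: a minimal ASA configuration that mirrors the situation described in the question and the fix described in the solution. The interface names, the ASA's own IP addresses, and the assignment of security levels to segments (60 for both /24 segments, 100 for 10.10.0.0/24, following the remark that 60-to-100 traffic works while equal-level traffic does not) are assumptions, since the diagram is not available. The `same-security-traffic permit inter-interface` line is the ASA global setting that allows traffic between two interfaces of equal security level; when it is absent, such traffic is dropped before the interface ACL is consulted, which is consistent with the packet-tracer result reported above. The thread does not confirm that this was the cause, because the poster resolved it by changing a security level instead.

```text
! Interfaces (names, ASA addresses and level-to-segment mapping are assumed)
interface GigabitEthernet0/1
 nameif net111
 security-level 60
 ip address 10.10.111.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif net222
 security-level 60
 ip address 10.10.222.1 255.255.255.0
!
interface GigabitEthernet0/0
 nameif core
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! Permissive interface ACLs, as described in the question
access-list NET111_IN extended permit ip any any
access-list NET222_IN extended permit ip any any
access-list CORE_IN extended permit ip any any
access-group NET111_IN in interface net111
access-group NET222_IN in interface net222
access-group CORE_IN in interface core
!
! Global setting: allow traffic between interfaces of equal security level.
! Without this line, net111 <-> net222 (both level 60) is dropped
! regardless of the interface ACLs; the ACLs alone do not override it.
same-security-traffic permit inter-interface
!
! Verification from the ASA CLI (constructed command; output not shown):
! ciscoasa# packet-tracer input net111 icmp 10.10.111.10 8 0 10.10.222.10
```

The poster's workaround, making the two levels differ, works for a related reason: once the levels are unequal the ASA treats the flow as ordinary lower-to-higher or higher-to-lower traffic, and the permissive interface ACLs already allow it in both directions. Keeping the levels equal and enabling inter-interface same-security traffic preserves the original design intent while still letting the interface ACLs decide what is permitted.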