communication between same security levels in ASA
03-10-2012 11:16 AM - edited 03-11-2019 03:40 PM
Hi All,
I am facing a communication issue between interfaces at the same security level. I have created two security zones with the same security level, and I have also configured the command same-security-traffic permit inter-interface; nat-control is disabled by default. But I am not able to communicate between the same security levels.
When I checked the logs using the sh logging command, the following output appeared:
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.28/14 gaddr 10.0.4.1/0 laddr 10.0.4.1/0
%ASA-6-110003: Routing failed to locate next hop for icmp from HR:10.0.4.1/0 to HR:10.0.0.28/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.28/14 gaddr 10.0.4.1/0 laddr 10.0.4.1/0
%ASA-3-219002: i2c_read_byte_w_suspend() error, slot = 0x4, device = 0xb0, address = 0x0, byte count = 1. Reason: I2C_SMBUS_UNSUPPORT
My ASA lab configuration:
interface Ethernet0/0
nameif outside
security-level 0
ip address 2.2.2.1 255.255.255.252
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.1
vlan 2
nameif inside
security-level 100
ip address 10.0.0.1 255.255.252.0
!
interface Ethernet0/1.2
vlan 3
nameif HR
security-level 100
ip address 10.0.4.1 255.255.252.0
The rest of the configuration is default.
Thanks
Labels: NGFW Firewalls

03-12-2012 08:47 AM
Just to be sure - I would configure a nat-exemption rule.
03-12-2012 09:57 AM
You can also add the following commands to allow the same security interface to talk to each other:
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
Thanks and let us know.
Kimberly
03-12-2012 10:44 AM
Hello Rakesh,
You already told us you have the permit inter-interface command and also NAT control disabled.
You also told us you have the default settings on your ASA, so if that is true you should not have inspection for the ICMP protocol.
Please add the following:
-fixup protocol icmp
Then give it a try.
Also provide the following:
packet-tracer input inside icmp 10.0.0.2 8 0 10.0.4.2
Regards,
Do rate all the helpful posts
Julio
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
