Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1002
Views
0
Helpful
1
Replies

Hosts between two sub-interfaces that is using one physical interface of Cisco ASA cannot ping each other.

drlbaluyut
Level 1
Level 1

‎02-18-2019 11:19 PM - edited ‎02-21-2020 08:49 AM

Hi

 

How can i permit ping between two hosts on a different subinterface using the same physical interface on cisco ASA? It is also using the same ACL.

 

FW/pri/act# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/1.16 zon_ves 10.165.16.1 255.255.255.0 CONFIG
GigabitEthernet0/1.28 zon_ves_2 10.165.28.1 255.255.255.0 manual

 

interface GigabitEthernet0/1
no nameif
no security-level
no ip address

 

interface GigabitEthernet0/1.16
vlan 16
nameif zon_ves
security-level 90
ip address 10.165.16.1 255.255.255.0 standby 10.165.16.2

 

interface GigabitEthernet0/1.28
vlan 28
nameif zon_ves_2
security-level 90
ip address 10.165.28.1 255.255.255.0 standby 10.165.28.2

 

access-group zon_ves_in in interface zon_ves

access-group zon_ves_in in interface zon_ves_2

 

FW# sh access-list zon_ves_in | i icmp
access-list zon_ves_in line 1 extended permit icmp any any (hitcnt=13248083)

 

FW# packet-tracer input zon_ves icmp 10.165.16.10 1 1 10.165.28.10

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.165.28.10 using egress ifc zon_ves_2

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: zon_ves
input-status: up
input-line-status: up
output-interface: zon_ves_2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful
1 Reply 1

Seb Rupik
VIP Alumni
VIP Alumni

‎02-19-2019 12:13 AM

Hi there,

Try adding the following commands:

!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html

 

cheers,

Seb.

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card