same-security-traffic permit inter-interface not working

brianbono
Level 1

Guys, I need help to allow traffic between two interfaces that have the same security level. I have already enabled the "same-security-traffic permit inter-interface" command, but I still can't ping my switch or server on the other VLAN...

What else do I need to do to accomplish this task? ACLs are at defaults as of now...

Accepted Solution

access-list nat0_acl permit 172.19.21.0 255.255.255.0 172.19.20.0 255.255.255.0

nat (insidevoice) 0 access-list nat0_acl

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error


43 Replies

Farrukh Haroon
VIP Alumni

Which version are you running, is nat-control off or on?

show run nat-control

Regards

Farrukh

nat-control is not enabled and I am running 7.0(7).

What could be missing?

Do you have any nat statements (dynamic or static) between those two interfaces?

Just run the packet-tracer command; it should tell you what's going wrong. If possible, post the output here.

Assuming you are going from inside1 to inside2:

inside1 = 136.1.1.0 /25

inside2 = 136.1.2.0 /25

packet-tracer input inside1 tcp 136.1.1.3 11005 136.1.2.100 80 detailed

Regards

Farrukh

Part of my config below:

interface Ethernet0/0

nameif outside

security-level 0

ip address 123.123.123.2 255.255.255.24

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.19.20.40 255.255.255.0

!

interface Ethernet0/2

nameif insidevoice

security-level 100

ip address 172.19.21.40 255.255.255.0

same-security-traffic permit inter-interface

access-list outside_access_in extended permit icmp any any

access-list outside_access_in_V1 extended permit icmp any 172.19.21.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

nat (insidevoice) 1 0.0.0.0 0.0.0.0

access-group outside_access_in_V1 in interface outside

route outside 0.0.0.0 0.0.0.0 123.123.123.1 1

Also, I'm confused because I can't seem to connect to the internet if I am on the insidevoice network.

Please help.

Can you also post the 'nonat' access-list?

Regards

Farrukh

access-list nonat extended permit ip 172.19.20.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.25.0.0 255.255.0.0

access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.22.0.0 255.255.0.0

access-list nonat extended permit ip 172.19.20.0 255.255.255.0 192.0.0.0 255.255.255.0

access-list tozzz extended permit ip 172.19.20.0 255.255.255.0 172.25.0.0 255.255.0.0

access-list toxxx extended permit ip 172.19.20.0 255.255.255.0 172.22.0.0 255.255.0.0

access-list toccc extended permit ip 172.19.20.0 255.255.255.0 192.0.0.0 255.255.255.0

access-list qw extended permit ip 172.19.20.0 255.255.255.0 172.19.200.0 255.255.255.0

access-list qw extended permit ip 172.19.200.0 255.255.255.0 172.19.20.0 255.255.255.0

access-list outside_access_in_V1 extended permit icmp any 172.19.21.0 255.255.255.0

OK, first of all, for 'inside' to communicate with 'insidevoice', you need to add the following line to your nonat ACL:

access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.19.21.0 255.255.0.0

Or, if you want to NAT/PAT this traffic, something like:

global (insidevoice) 1 interface

Once you enable any sort of dynamic NAT/PAT, the 'no nat-control' rule no longer applies for that zone; now all traffic between this zone and any other zone requires either NAT rules or NAT exemption.

As to why insidevoice cannot access the Internet, please run the packet-tracer command I gave you before; it seems OK to me....

Regards

Farrukh

Tried to add the suggested:

access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.19.21.0 255.255.255.0

but still I can't communicate with the other VLAN.

Appreciate all your help... any other suggestions?

Yes. packet-tracer with the 'detailed' keyword :)

Also make sure you do a 'clear local-host' and 'clear xlate' after making any NAT changes.

Regards

Farrukh

Does anybody else have a suggestion?

I just ran some debugs and this was one of the things that caught my eye:

No translation group found for icmp src inside:172.19.20.19 dst insidevoice:172.19.21.21 (type 8, code 0)

What do I need to add to NAT to make sure 172.19.20.x can communicate with 172.19.21.x, considering both have the same security level and "same-security-traffic permit inter-interface" is already enabled, yet I still can't communicate...

Please advise.

As I mentioned before, you can use:

OK, first of all, for 'inside' to communicate with 'insidevoice', you need to add the following line to your nonat ACL

(NAT Exemption):

access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.19.21.0 255.255.255.0 (I gave wrong mask earlier)

Or, if you want to NAT/PAT this traffic, something like

(Dynamic NAT):

global (insidevoice) 1 interface

You can also use:

(Identity Static)

static (inside,insidevoice) 172.19.20.0 172.19.20.0 netmask 255.255.255.0

Try any of the three; if one does not work for some reason (which would be strange), try the other.

BTW, why don't you post packet-tracer output? Do you have something personal against the command? This is the *THIRD TIME* I'm requesting you to do it......

packet-tracer input inside icmp 172.19.20.19 8 0 172.19.21.21 detailed

See, even Cisco is using it; it won't hurt :)

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Regards

Farrukh

Once you enable dynamic NAT on one of those interfaces, it's as if the same-security-traffic command wasn't even entered, because of the NAT. In your case, the ASA is behaving as expected.

By default, you do not need to do NAT between same-security-level interfaces, even if nat-control is enabled.

However, you do need to configure NAT rules if you define dynamic NAT for either of the same-security-level interfaces.
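The rule the last two replies state (dynamic NAT on a same-security interface reintroduces the need for a translation) can be checked offline against a config before anyone touches the box. The script below is an added example, not code from the thread or from Cisco: a deliberately simplified parser for the handful of ASA 7.x statements involved (nameif, security-level, ip address, access-list ... permit ip, nat, global, static) and a verdict per ordered pair of same-security interfaces that mirrors the "No translation group found" debug line. The sample configs are constructed to resemble the poster's, with the accepted solution's exemption added for both directions; on a real firewall, packet-tracer remains the authoritative check.

```python
import re, ipaddress
from itertools import permutations

def parse_asa(config):
    # Only the ASA 7.x statements that decide whether a flow needs a translation (simplified grammar).
    net = lambda ip, mask: ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    ifaces, acls, nat0, dyn, glob, static, cur = {}, {}, {}, {}, set(), set(), None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"nameif (\S+)", line): cur = ifaces[m[1]] = {}
        elif m := re.match(r"security-level (\d+)", line): cur["level"] = int(m[1])
        elif m := re.match(r"ip address (\S+) (\S+)", line): cur["net"] = net(m[1], m[2])
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line): nat0[m[1]] = m[2]  # NAT exemption
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line): dyn.setdefault(m[1], set()).add(int(m[2]))  # dynamic NAT/PAT
        elif m := re.match(r"global \((\S+)\) (\d+) ", line): glob.add((m[1], int(m[2])))
        elif m := re.match(r"static \((\S+),(\S+)\) ", line): static.add((m[1], m[2]))  # incl. identity static
    return ifaces, acls, nat0, dyn, glob, static

def check_same_security(config):
    # Thread's rule: once 'nat (src) N' (N > 0) exists, every flow leaving src needs a nat 0 exemption, a 'global (dst) N' with the same id, or a static.
    ifaces, acls, nat0, dyn, glob, static = parse_asa(config)
    def verdict(src, dst):
        if not dyn.get(src): return "ok: no dynamic NAT on source"
        if any(ifaces[src]["net"].subnet_of(s) and ifaces[dst]["net"].subnet_of(d)
               for s, d in acls.get(nat0.get(src), [])): return "ok: nat 0 exemption"
        if dyn[src] & {i for g, i in glob if g == dst}: return "ok: global on destination"
        if (src, dst) in static: return "ok: static translation"
        return "FAIL: no translation group found"
    return {(s, d): verdict(s, d) for s, d in permutations(ifaces, 2)
            if ifaces[s]["level"] == ifaces[d]["level"]}
# Constructed config modelled on the thread (not the poster's verbatim configuration).
BEFORE = """\
nameif inside
security-level 100
ip address 172.19.20.40 255.255.255.0
nameif insidevoice
security-level 100
ip address 172.19.21.40 255.255.255.0
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.22.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (insidevoice) 1 0.0.0.0 0.0.0.0
"""
# What the accepted solution adds: exempt the flow in both directions.
AFTER = BEFORE + """\
access-list nonat extended permit ip 172.19.20.0 255.255.255.0 172.19.21.0 255.255.255.0
access-list nat0_acl extended permit ip 172.19.21.0 255.255.255.0 172.19.20.0 255.255.255.0
nat (insidevoice) 0 access-list nat0_acl
"""
```

Running `check_same_security(BEFORE)` reports FAIL in both directions; with only the first nonat line added (what the poster tried), inside to insidevoice passes but the return direction still fails, which is why the accepted solution also needed `nat (insidevoice) 0`.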
