Cisco ASA same security traffic
  • Cisco ASA same security traffic

    I can't get the same level interfaces to talk to each other. What am I missing here?

    interface GigabitEthernet0/0
    speed 100
    nameif Outside
    security-level 0
    ip address
    ospf cost 10
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address
    ospf cost 10
    interface GigabitEthernet0/2
    nameif AirDMZ
    security-level 100
    ip address
    ospf cost 10

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outbound_AirDMZ extended permit ip any any
    access-list inside extended permit icmp any any
    access-list inbound_AirDMZ extended deny tcp any any eq 445
    access-list inbound_AirDMZ extended permit ip any any
    global (Outside) 1 interface
    global (AirDMZ) 1 interface
    nat (Outside) 0 access-list natout
    nat (Outside) 1 access-list outsidenat
    nat (inside) 0 access-list no-nat
    nat (inside) 1
    nat (AirDMZ) 1

    static (inside,AirDMZ) netmask
    access-group outside_acl in interface Outside
    access-group inside_acl in interface inside
    access-group inbound_AirDMZ in interface AirDMZ
    access-group outbound_AirDMZ out interface AirDMZ

  • #2
    Re: Cisco ASA same security traffic

    Allowing Communication Between Interfaces on the Same Security Level

    By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces provides the following benefits:
      • You can configure more than 101 communicating interfaces. If you use different levels for each interface and do not assign any interfaces to the same security level, you can configure only one interface per level (0 to 100).
      • You want traffic to flow freely between all same security interfaces without access lists.

    Note: If you enable NAT control, you do not need to configure NAT between same security level interfaces. See the "NAT and Same Security Level Interfaces" section on page 14-32 for more information on NAT and same security level interfaces.
    If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
    To enable interfaces on the same security level so that they can communicate with each other, enter the following command:
    hostname(config)# same-security-traffic permit inter-interface

    To disable this setting, use the no form of this command.

    Taken from:
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
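As an added example (not code from this thread or from Cisco), the script below reads an ASA running-config in the pre-8.3 syntax used in the question, finds interfaces that share a security level, and reports whether the same-security-traffic permit inter-interface command from the reply above is present. It also does two checks a reviewer would run on the posted snippet before looking further: access-group lines whose access-list does not appear in the text (the question applies inside_acl and outside_acl but only shows an ACL named inside, which may simply mean those lines were left out of the paste), and whether nat-control is configured, since the quoted note says NAT is still not required between same-level interfaces in that case. The sample config is constructed to mirror the one in the question, with the addresses and NAT lines omitted because nothing here inspects them.

```python
"""Lint an ASA running-config (pre-8.3 syntax) for same-security-level
interface reachability. Added example, not code from the thread or from Cisco."""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample modelled on the question's config (addresses and NAT
# lines omitted because nothing below inspects them).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif AirDMZ
 security-level 100
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outbound_AirDMZ extended permit ip any any
access-list inside extended permit icmp any any
access-list inbound_AirDMZ extended deny tcp any any eq 445
access-list inbound_AirDMZ extended permit ip any any
access-group outside_acl in interface Outside
access-group inside_acl in interface inside
access-group inbound_AirDMZ in interface AirDMZ
access-group outbound_AirDMZ out interface AirDMZ
"""


def parse_asa_config(text):
    """Collect the config pieces that decide same-security reachability."""
    cfg = {"interfaces": {}, "acls": set(), "access_groups": [],
           "inter_interface": False, "nat_control": False}
    block = None  # nameif / security-level of the interface block being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            block = {}
        elif block is not None and line.startswith(("nameif ", "security-level ")):
            key, value = line.split()[:2]
            block[key] = int(value) if key == "security-level" else value
            if len(block) == 2:  # both name and level seen: record the interface
                cfg["interfaces"][block["nameif"]] = block["security-level"]
        elif line == "same-security-traffic permit inter-interface":
            cfg["inter_interface"] = True
        elif line == "nat-control":
            cfg["nat_control"] = True
        elif line.startswith("access-list "):
            cfg["acls"].add(line.split()[1])
        else:
            m = re.match(r"access-group (\S+) (in|out) interface (\S+)$", line)
            if m:
                cfg["access_groups"].append(m.groups())
    return cfg


def same_security_pairs(cfg):
    """Interface pairs that share a security level, sorted for stable output."""
    by_level = defaultdict(list)
    for name, level in cfg["interfaces"].items():
        by_level[level].append(name)
    return [(a, b, level)
            for level, names in sorted(by_level.items())
            for a, b in combinations(sorted(names), 2)]


def lint(cfg):
    """Return (severity, message) findings; OK/BLOCKED per same-level pair."""
    findings = []
    for a, b, level in same_security_pairs(cfg):
        if cfg["inter_interface"]:
            findings.append(("OK", f"{a} <-> {b} (level {level}): permitted by "
                                   "same-security-traffic permit inter-interface"))
        else:
            findings.append(("BLOCKED", f"{a} <-> {b} (level {level}): same level but "
                                        "same-security-traffic permit inter-interface is absent"))
    for acl, direction, iface in cfg["access_groups"]:
        if acl not in cfg["acls"]:
            findings.append(("MISSING-ACL", f"access-group {acl} ({direction} on {iface}) "
                                            "has no access-list of that name in this text"))
        if iface not in cfg["interfaces"]:
            findings.append(("UNKNOWN-IFACE", f"access-group {acl} names {iface}, "
                                              "which has no nameif in this text"))
    if cfg["nat_control"]:
        findings.append(("INFO", "nat-control is on; per the Cisco note above, NAT is "
                                 "still not required between same-security interfaces"))
    return findings


def check(text):
    """Parse and lint a config text in one call."""
    return lint(parse_asa_config(text))


if __name__ == "__main__":
    for severity, message in check(SAMPLE_CONFIG):
        print(f"{severity}: {message}")
```

Feed it a saved show running-config: every pair of interfaces at the same level comes back OK or BLOCKED, and any access-group that points at a name with no access-list lines is flagged, so an incomplete paste can be spotted before time is spent on the security-level setting itself.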