Cisco ASA – Permitting traffic between two interfaces with the same security level

I had to make some network modifications to an ASA to activate another interface to accommodate some storage devices on a separate subnet for management purposes.  The diagram below shows the subnets in question.  I needed to configure the two interfaces to allow all interesting traffic to pass bi-directionally between them.  Here are the commands I used to get this rolling.

[Diagram: the SERVER and STORAGE interfaces of the ASA and their subnets]

Even though the SERVER and STORAGE interfaces are configured with the same security level of 100, the default behavior of an ASA is to block communication between them.  We can enable communication between two interfaces with the same security level with the following command:

ASA-CLI(config)# same-security-traffic permit inter-interface

Here is where many people get stuck.  After this command is added, many people are baffled that they still cannot ping or pass traffic through.  This is because a static or dynamic translation rule is still required.  I added the following two static (identity) translations to allow all IP traffic to pass bi-directionally.

ASA-CLI(config)# static (server,storage) 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0

ASA-CLI(config)# static (storage,server) 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0

At this point you should be good to go.
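The commands above placed in the context of a complete interface configuration, followed by the checks that confirm the result, as an added example that is not from the original post. The physical interface names, the interface addresses (192.168.0.1, 192.168.2.1) and the test hosts (192.168.0.10, 192.168.2.10) are assumptions; the static rules use the netmask form of the pre-8.3 NAT syntax the post relies on.

```cisco
! Interface definitions (physical interface names and addresses are assumed;
! the nameif values "server" and "storage" and the subnets come from the post)
interface GigabitEthernet0/2
 nameif server
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/3
 nameif storage
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
! Lift the default isolation between interfaces at the same security level.
! After this, nothing outranks the other side: only the interface ACLs
! decide what crosses between the two networks, so review them.
same-security-traffic permit inter-interface
!
! Identity static translations (real address == mapped address) in each
! direction, which is the translation rule the post says is still needed.
static (server,storage) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (storage,server) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
!
! On ASA 8.3 and later the static command no longer exists; the equivalent
! identity rule is written with network objects (twice NAT):
!   object network SERVER-NET
!    subnet 192.168.0.0 255.255.255.0
!   object network STORAGE-NET
!    subnet 192.168.2.0 255.255.255.0
!   nat (server,storage) source static SERVER-NET SERVER-NET destination static STORAGE-NET STORAGE-NET
!
! Verification, run from privileged EXEC mode rather than config mode:
! confirm both settings are in the running config, then trace an ICMP echo
! (type 8, code 0) from a server host to a storage host. The trace output
! ends in "Action: allow" once the same-security and NAT phases both pass;
! a "Drop" with reason "no-translation" points back at the static rules.
show running-config same-security-traffic
show running-config static
packet-tracer input server icmp 192.168.0.10 8 0 192.168.2.10
packet-tracer input storage icmp 192.168.2.10 8 0 192.168.0.10
```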

-Justin Vashisht (3cVguy)
