Friday, March 14, 2014

Cisco ASA – Permitting traffic between two interfaces with the same security level


I had to make some network modifications to an ASA to activate another interface to accommodate some storage devices on a separate subnet for management purposes.  The diagram below shows the subnets in question.  I needed to configure the two interfaces to allow all interesting traffic to pass bi-directionally between them.  Here are the commands I used to get this rolling.
[Diagram: the ASA with its SERVER interface (192.168.0.0/24) and STORAGE interface (192.168.2.0/24), both configured with security level 100]
Even though the SERVER and STORAGE interfaces are both configured with security level 100, the default behavior of an ASA is to block communication between them.  Communication between two interfaces that share a security level is enabled with the following command:
ASA-CLI(config)# same-security-traffic permit inter-interface
Here is where many people get stuck.  After this command is added, many people are baffled that they still cannot ping or pass traffic between the two interfaces.  This is because, on an ASA enforcing nat-control (the pre-8.3 NAT model), a "static or dynamic" translation rule is still required; a packet with no matching translation between the two interfaces is simply dropped.  I added the following two identity static translations (the mapped address is the same as the real address, so nothing is actually rewritten) to allow all IP traffic to pass bi-directionally:
ASA-CLI(config)# static (server,storage) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
ASA-CLI(config)# static (storage,server) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
At this point you should be good to go.  Note that the static syntax above is the pre-8.3 form; ASA 8.3 and later replaced it with object NAT and removed nat-control, so on those releases no translation is needed just to pass traffic between the two interfaces, and the same-security-traffic command alone does the job.
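Putting the pieces above together, here is a complete pre-8.3 configuration for the SERVER/STORAGE case plus the checks I would run before declaring it working.  This is an added example, not the configuration from the original post: the hostname, the physical interface names (Ethernet0/1, Ethernet0/2), the interface addresses (.1 on each subnet) and the test host addresses (.10 on each subnet) are assumptions for illustration.

```cisco
! Added example (not from the original post). Hostname, physical interface
! names and host addresses are assumptions; the subnets match the post.
hostname ASA-CLI
!
interface Ethernet0/1
 nameif server
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 nameif storage
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
! Interfaces with equal security levels do not talk to each other by default.
same-security-traffic permit inter-interface
!
! Identity NAT in each direction (mapped address == real address) so the
! translation lookup succeeds when nat-control is enforced on this ASA.
static (server,storage) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (storage,server) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
!
! --- verification, run from privileged exec mode ---
! Confirm the same-security command actually made it into the config.
show running-config same-security-traffic
! Simulate an ICMP echo (type 8, code 0) from a server host to a storage host.
! Every phase (NAT, ACCESS-LIST, ...) should report ALLOW and the final
! result should be "allow"; a drop in the NAT phase means the static
! entries are missing or mistyped.
packet-tracer input server icmp 192.168.0.10 8 0 192.168.2.10
! And the reverse direction, which exercises the second static entry.
packet-tracer input storage icmp 192.168.2.10 8 0 192.168.0.10
! Show the translation slots that were built for the test traffic.
show xlate
```

The packet-tracer runs are the quick way to tell which of the two requirements is unmet: a drop in the NAT phase points at the missing identity static, while a drop with the same-security-traffic command absent shows up before any NAT lookup.  One further caveat: if you later apply an access-list to either of these interfaces, the ICMP echo-reply coming back also has to be permitted (or ICMP inspection enabled), because with an ACL in place the implicit same-security permit no longer applies to that interface.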
-Justin Vashisht (3cVguy)
