Cisco ASA firewall blocking traffic when the access list (ACL) allows the traffic

We had a need to change the VLAN that was used on a sub-interface of a Cisco ASA 5540 (Version 8.2). The sub-interface was deleted and a new sub-interface was added. With the exception of the VLAN number, the configuration was the same. All server connectivity worked before we made the change.

Once the new interface was in place, we had a situation where we could initiate an RDP session to a server on the subnet of the new sub-interface, but the server could not reach the authentication server on another sub-interface (DMZ) on the same ASA 5540.

The ACL allowed the traffic, but packet tracer stated that the traffic was being dropped. The syslog server showed the traffic being blocked. Neither Packet Tracer nor the syslog messages stated why it was being blocked. We added a permit IP any any to the ACL, still dropped. NAT-Control was not on so NAT was not the issue. A packet capture on the ASA showed packets coming into the new interface, but not leaving the other DMZ interface. I noticed that the two interfaces had the same security level of 70. Both interfaces had inbound and outbound ACL’s, so therefore the security levels shouldn’t matter.

The problem was that both interfaces had the same security level, even with the ACL’s on each interface it was blocking the traffic. Once I added the following command in global configuration mode, the traffic started flowing, “same-security-traffic permit intra-interface

This command permits traffic to flow from one interface to another interface with the same security level.

I have no idea how the connections were allowed before the change with out the command, but they were.

Any ideas how it would have worked with out it? Have you experienced this?


This entry was posted in Network Security by Scape. Bookmark the permalink.

About Scape

Over 10 Years in the networking field. Have worked in the Service provider and Enterprise environments. I have worked with Cisco, Foundry/Brocade, F5, Riverbed, Scientific Atlanta, Routers, Switches, Firewalls, Load Balancers, WAN Accelerators, DWDM, SONET, Multicast etc...

Leave a Reply