Hello Ali
By default, if you have two interfaces with the same security level, they should NOT be able to communicate. The same-security-traffic permit inter-interface command resolves this issue and allows you to achieve such communication, so that’s done correctly. (The intra-interface command allows you to route traffic to the same interface, i.e. to itself. In your case this is unnecessary but has no impact on the behavior.)
Now you state that:
This sounds like a firewall rules setting. Remember, a ping has two components: one echo request outbound, and an echo reply inbound. If a ping is successful, it means that routing is successful in BOTH DIRECTIONS. So routing is not the problem.
Now when it comes to a firewall, if pinging from host A to host B works, but the opposite does not, this has to do with firewall rules. In the first case, the response is allowed because it is recognized as part of the original communication. However, the opposite will not work.
For your particular case, you shouldn’t need to add any ACLs or NAT. Check to see if any ACLs or NAT are configured, and make sure that they’re not. The fact that the debugged ICMP traffic seems to go to the outside interface is somewhat strange… Since the problem is not routing (we checked the routing table), the only other thing I can think of is that there is some NAT configuration there that is directing the traffic out the outside interface. Check the config for NAT statements…
Another thing you can do to troubleshoot is to use the ASA Packet Tracer feature. It’s a powerful tool that lets you see the order of operation that an ASA performs on each incoming and outgoing packet, and the resulting routing and/or filtering decisions. Let us know how you get along in your troubleshooting and if we can be of any further help…
I hope this has been helpful!
Laz
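To make the advice above concrete, here is an added ASA CLI example (not part of the original post, and not Ali's actual configuration). The interface names, security levels, addresses and hosts are assumed for illustration: two interfaces at security level 50, the same-security-traffic line that makes them talk, ICMP inspection so that echo replies are tied to their echo request, and then the show and packet-tracer commands to run when A→B pings but B→A does not.

```text
! --- Configuration (interface names, levels and addresses are assumed) ---
interface GigabitEthernet0/1
 nameif inside
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
! Without this line, inside<->dmz traffic is dropped no matter what the ACLs say
same-security-traffic permit inter-interface
!
! Make ICMP stateful: the echo reply is matched to the echo request that
! created the connection instead of being evaluated as new inbound traffic.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- Checks for the "A->B works, B->A fails" symptom ---
! 1. Is the same-security line really present?
show running-config | include same-security
! 2. Is there any NAT that rewrites or redirects traffic toward "outside"?
show running-config nat
show nat
! 3. Is an ACL bound to either interface in the failing direction?
show running-config access-group
show running-config access-list
! 4. Does the routing table point each subnet at the expected interface?
show route
! 5. Walk an echo request (ICMP type 8, code 0) through the ASA in each
!    direction; the final phase reports allow/drop and the drop reason.
packet-tracer input inside icmp 10.1.1.10 8 0 10.2.2.10 detailed
packet-tracer input dmz icmp 10.2.2.10 8 0 10.1.1.10 detailed
! 6. While a ping is running, confirm a connection entry is actually built
show conn
```

Run the two packet-tracer commands back to back: if the inside→dmz trace ends in allow and the dmz→inside trace ends in drop, the phase that reports the drop (ACCESS-LIST, NAT, or ROUTE-LOOKUP) tells you which of the checks above to revisit. If NAT is the culprit, the NAT phase of the trace will show the rule and the egress interface it selected.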