same-security-traffic command queries

Answered Question
Nov 1st, 2007

Dear experts,


I wonder if putting in the "same-security-traffic permit intra-interface" or "same-security-traffic permit inter-interface" global commands will make the traffic 'bypass' the ACL for interfaces with same security level?


Your answer is much appreciated.



Jon Marshall Thu, 11/01/2007 - 04:32
Hi Glenn


The "same-security-traffic permit inter-interface" command will indeed allow traffic to flow between interfaces without access-lists.


The "same-security-traffic permit intra-interface" allows traffic to exit out on the interface it was received on.


Please see attached doc for more details.


http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167


HTH


Jon

glenn.ong Thu, 11/01/2007 - 05:26

Hi Jon,


Thanks for the speedy response.


For "same-security-traffic permit intra-interface" command, will the originating traffic that exits on the same interface still hit the access-list though?


One of our customers has their VPN and third-party network coming in on the same interface on a FWSM - obviously for VPN -> third-party connections, this command is needed to make it work, but the connections have to be enforced by ACL too.



Correct Answer
Jon Marshall Thu, 11/01/2007 - 05:54

Glenn


The short answer is yes: if there is an access-list on the interface, then there must be an entry allowing the traffic for it to be allowed back out.


For more details have a look at this document.


http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#t5


HTH


Jon
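Added configuration example, not from this thread or from Cisco's documentation, covering both cases Jon describes: the hairpin (intra-interface) setup from Glenn's FWSM scenario with the ACL entry that is still required, and the inter-interface case between two same-level interfaces. Interface names, addresses (RFC 5737 / private ranges) and the ACL name are assumed; syntax is ASA-style, and the packet-tracer check at the end is ASA-only.

```text
! --- Case 1: VPN peer and third-party network on ONE interface (hairpin) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
! Allow a flow to leave on the interface it arrived on. Without this line
! the VPN -> third-party traffic is dropped before any ACL is consulted.
same-security-traffic permit intra-interface
!
! The inbound ACL on "outside" is still evaluated for the hairpinned flow,
! so it needs an explicit permit (assumed: 192.0.2.0/24 = VPN client pool,
! 198.51.100.0/24 = third-party network). Everything else is denied and logged.
access-list outside_in extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! --- Case 2: two interfaces at the SAME security level ---
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
! With no access-group on dmz1 or dmz2, this single line is enough for
! dmz1 <-> dmz2 traffic to flow. As soon as an access-group is applied to
! dmz1, dmz1 -> dmz2 flows need a permit entry in that ACL as well.
same-security-traffic permit inter-interface
!
! --- Check (ASA CLI, not part of the running config) ---
! Trace a VPN-client -> third-party HTTPS flow entering "outside". The trace
! should show an ACCESS-LIST phase matching outside_in and end with
! "Action: allow"; remove the permit line above and it ends with "drop".
! packet-tracer input outside tcp 192.0.2.10 40000 198.51.100.20 443
```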
