Solved: same-security-traffic command queries

glenn.ong · ‎11-01-2007

Dear experts,

I wonder if putting in the "same-security-traffic permit intra-interface" or "same-security-traffic permit inter-interface" global commands will make the traffic 'bypass' the ACL for interfaces with same security level?

Your answer is much appreciated.

Jon Marshall · ‎11-01-2007

Glenn

The short answer is yes if there is an access-list on the interface then there must be an entry allowing the traffic for it to be allowed back out.

For more details have a look at this document.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#t5

HTH

Jon

View solution in original post

Jon Marshall · ‎11-01-2007

Hi Glenn

The "same-security-traffic permit inter-interface" command will indeed allow traffic to flow between interfaces without access-lists.

The "same-security-traffic permit intra-interface" allows traffic to exit out on the interface it was received on.

Please see attached doc for more details.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167

HTH

Jon

glenn.ong · ‎11-01-2007

Hi Jon,

Thanks for the speedy response.

For "same-security-traffic permit intra-interface" command, will the originating traffic that exits on the same interface still hit the access-list though?

One of our customers have their VPN and thirparty network coming in on the same interface on a FWSM - obviously for VPN-> third party connections, this command is needed to make it work but the connections have to be enforced by ACL too.

Jon Marshall · ‎11-01-2007

Glenn

The short answer is yes if there is an access-list on the interface then there must be an entry allowing the traffic for it to be allowed back out.

For more details have a look at this document.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#t5

HTH

Jon