11-01-2007 04:25 AM - edited 03-09-2019 07:10 PM
Dear experts,
I wonder if putting in the "same-security-traffic permit intra-interface" or "same-security-traffic permit inter-interface" global commands will make the traffic 'bypass' the ACL for interfaces with same security level?
Your answer is much appreciated.
11-01-2007 04:32 AM
Hi Glenn
The "same-security-traffic permit inter-interface" command will indeed allow traffic to flow between interfaces without access-lists.
The "same-security-traffic permit intra-interface" allows traffic to exit out on the interface it was received on.
Please see attached doc for more details.
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
HTH
Jon
11-01-2007 05:26 AM
Hi Jon,
Thanks for the speedy response.
For the "same-security-traffic permit intra-interface" command, will the originating traffic that exits on the same interface still hit the access-list, though?
One of our customers has their VPN and third-party network coming in on the same interface on an FWSM. Obviously, for VPN -> third-party connections this command is needed to make it work, but the connections have to be enforced by ACL too.
11-01-2007 05:54 AM
Glenn
The short answer is yes: if there is an access-list on the interface, then there must be an entry allowing the traffic for it to be allowed back out.
For more details have a look at this document.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#t5
HTH
Jon
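The hairpin case Glenn describes, written out as an added example configuration (it is not from the thread or from Cisco's own documentation). The interface name and VLAN, the 10.10.0.0/24 VPN and 10.20.0.0/24 third-party subnets, and the ACL name OUTSIDE_IN are assumptions chosen for illustration:

```cisco
! Added example, not from the thread. Interface, subnets and ACL name are assumed.
! Allow traffic to enter and leave the same interface (the VPN -> third-party hairpin),
! and between any two interfaces configured with the same security level.
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface

interface Vlan100
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0

! Both the VPN clients (10.10.0.0/24) and the third party (10.20.0.0/24) are reached
! via "outside". Because an ACL is applied inbound on "outside", the hairpinned
! VPN -> third-party flow is still evaluated against it and needs an explicit permit;
! "same-security-traffic permit intra-interface" only removes the interface-level
! drop, it does not bypass the ACL.
access-list OUTSIDE_IN extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Without the first permit line, the hairpinned connections are dropped by the deny entry even though intra-interface traffic is enabled. `show access-list OUTSIDE_IN` shows the hit counts per entry, and `show running-config same-security-traffic` confirms which of the two commands are active; on an ASA (the FWSM does not have it), `packet-tracer input outside tcp 10.10.0.5 1025 10.20.0.10 443` walks the flow through the ACL phase. One further caveat for the FWSM specifically: unlike the ASA, it has no implicit permit from higher- to lower-security interfaces, so every interface that should pass traffic needs an ACL in any case.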