hadbou Fri, 06/19/2009 - 12:59

The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the security appliance is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the security appliance and then out again to the other spoke.

plumbis Thu, 06/25/2009 - 19:34

I have seen issues where spoofed traffic created bogus conns with intra-interface configured. For example, source 192.168.1.10 destined to 4.4.4.4 on the outside interface. This traffic gets u-turned, and if a packet for 192.168.1.10 enters the firewall on the inside, it will be dropped because there is already a conn built on the outside interface.

The general recommendation is "don't use it if it's not absolutely necessary."
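The scenario in the post above, as an added toy model (not the posters' code and not ASA internals): a connection table keyed on source and destination address that remembers the ingress interface, plus an optional reverse-path check of the kind `ip verify reverse-path` provides. The routing table and the behaviour of the conn lookup are assumptions built from the post's description; the addresses are the ones it uses.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example network: inside hosts live in 192.168.1.0/24,
# everything else is reached through the outside interface.
ROUTES = {
    ipaddress.ip_network("192.168.1.0/24"): "inside",
    ipaddress.ip_network("0.0.0.0/0"): "outside",
}

def egress_for(addr: str) -> str:
    """Longest-prefix lookup: which interface reaches addr?"""
    ip = ipaddress.ip_address(addr)
    best = max((n for n in ROUTES if ip in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

@dataclass
class Firewall:
    intra_interface: bool   # same-security-traffic permit intra-interface
    rpf_check: bool         # reverse-path check on the ingress interface
    # Simplified conn table: (src, dst) -> interface the conn was built on.
    # A real conn is keyed on the full 5-tuple; two addresses suffice here.
    conns: dict = field(default_factory=dict)

    def packet(self, src: str, dst: str, ingress: str) -> str:
        """Return 'permit' or the reason the packet was dropped."""
        # Anti-spoofing: the source must be reachable via the ingress interface.
        # This is what stops the bogus conn from being built in the first place.
        if self.rpf_check and egress_for(src) != ingress:
            return "drop: rpf-violated"
        key = (src, dst)
        if key in self.conns:
            # An existing conn owns this flow; the same flow arriving on a
            # different interface does not match it and is dropped.
            if self.conns[key] != ingress:
                return "drop: conn exists on %s" % self.conns[key]
            return "permit"
        # New flow: a u-turn (ingress == egress) needs intra-interface enabled.
        if egress_for(dst) == ingress and not self.intra_interface:
            return "drop: intra-interface not permitted"
        self.conns[key] = ingress
        return "permit"
```

With intra-interface on and no reverse-path check, the spoofed outside packet builds the conn and the genuine inside packet is dropped; with the reverse-path check on, the spoofed packet is dropped at ingress and the inside host's traffic goes through.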
