ASA Same-security interface permit intra-interface

Sep 13th, 2009

I would like to know how to use this command and any other related commands I need to make traffic enter and leave the same interface.

Basic network topology layout:

Internal network of ASA is

Networks inside the ASA I need to reach,, and

I executed the same-security interface permit intra-interface without any luck.

I then created a static (inside,inside) and I'm able to ping 10.255.255.x/24. I made sure the access-list on the inside interface allows source to reach . I also made sure NAT exemption is configured for this one network I'm working with, but when I try to perform a TCP session to a host ( that uses the ASA as a default gateway ( I get the message:

Sep 13 2009 15:27:11 ASA02 : %ASA-6-106015: Deny TCP (no connection) from to flags SYN ACK on interface insid


Can someone assist me with this configuration using the same-security interface permit intra-interface?

Thanks in advance.


Panos Kampanakis (Cisco Employee) Thu, 10/29/2009 - 13:57

What the syslog tells you there is that the ASA sees the SYN-ACK but it hasn't seen the SYN.

Are both hosts behind the ASA?

If yes, why do you want traffic to hit the ASA (same security intra command)?

If the ASA doesn't see the TCP SYN because it is routed directly between the hosts, and it then sees the SYN-ACK, the SYN-ACK will be dropped due to stateful inspection.

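The following is an added example of the ASA 8.2-style configuration that the question and the reply above are circling around; it is not the configuration from this thread. 10.255.255.0/24 is the remote subnet named in the question, while 192.0.2.0/24, the next-hop 192.0.2.254 and the object names NONAT and TCP_BYPASS are placeholders chosen here because the poster's addresses did not survive in the post. The TCP state bypass part assumes ASA 8.2(1) or later, where that option was introduced.

```cisco
! Added example, not the poster's configuration. 192.0.2.0/24 (local inside
! hosts), 192.0.2.254 (inside router) and the names NONAT / TCP_BYPASS are
! assumed placeholders. TCP state bypass assumes ASA 8.2(1) or later.

! 1. Allow a packet to enter and leave the same interface (hairpin). Note
!    the actual command is "same-security-traffic", not "same-security interface".
same-security-traffic permit intra-interface

! 2. The ASA needs a route for the remote subnet that points back out the
!    inside interface, via the router that fronts it.
route inside 10.255.255.0 255.255.255.0 192.0.2.254

! 3. NAT for the hairpinned flow. NAT exemption keeps both sides untranslated;
!    the poster's identity "static (inside,inside)" achieves the same thing.
access-list NONAT extended permit ip 192.0.2.0 255.255.255.0 10.255.255.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 4. Only if the return path really bypasses the ASA (the router answers the
!    host directly, so the ASA sees a SYN-ACK with no SYN and logs 106015):
!    disable stateful TCP checking for exactly that pair of subnets. This
!    gives up TCP normalization and SYN/SYN-ACK tracking for those flows, so
!    fix the asymmetric routing instead whenever you can.
access-list TCP_BYPASS extended permit tcp 192.0.2.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list TCP_BYPASS extended permit tcp 10.255.255.0 255.255.255.0 192.0.2.0 255.255.255.0
class-map TCP_BYPASS
 match access-list TCP_BYPASS
policy-map global_policy
 class TCP_BYPASS
  set connection advanced-options tcp-state-bypass
service-policy global_policy global
```

Before reaching for step 4, confirm which direction the ASA is missing: `packet-tracer input inside tcp 192.0.2.10 12345 10.255.255.10 80` shows whether the SYN would be accepted and hairpinned, and `show conn` during an attempt shows whether a connection entry was ever built. If the SYN never appears but the SYN-ACK does, the client is reaching the remote host by a path the ASA does not see, and the clean fix is on the routing side, not on the firewall.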

mikewillis Thu, 10/29/2009 - 14:00

Both hosts are behind the ASA, however one host is behind a router which sits behind the ASA.

The combination of the stateful inspection command and the static route pointing to itself seems to have fixed everything.

