ASA Same-security interface permit intra-interface

Unanswered Question
Sep 13th, 2009

I would like to know how to use this command and any other related commands I need to make traffic enter and leave the same interface.

Basic network topology layout:

Internal network of ASA is 10.0.0.0/16

Networks inside the ASA I need to reach 172.16.2.0/24, 10.255.255.0/24, and 10.0.5.0/24

I executed the same-security interface permit intra-interface without any luck.

I then created a static (inside,inside) 10.0.0.0 10.0.0.0 and I'm able to ping 10.255.255.x/24. I made sure the access-list on the inside interface allows source 10.0.0.0/16 to reach 10.255.255.0/24. I also made sure NAT exemption is configured for this one network I'm working with, but when I try to perform a TCP session to a host (10.0.120.20) that uses the ASA as a default gateway (10.0.100.244), I get this message:

Sep 13 2009 15:27:11 ASA02 : %ASA-6-106015: Deny TCP (no connection) from 10.0.120.20/3389 to 10.255.255.20/1141 flags SYN ACK on interface inside

Can someone assist me with this configuration using the same-security interface permit intra-interface?

Thanks in advance.

Juan

Panos Kampanakis Thu, 10/29/2009 - 13:57

What the syslog tells you there is that the ASA sees the SYN-ACK but it hasn't seen the SYN.

Are both hosts behind the ASA?

If yes, why do you want traffic to hit the ASA (same security intra command)?

If the ASA doesn't see the TCP SYN because it is routed directly between the hosts, and then it sees the SYN-ACK, it will be dropped due to stateful inspection.

PK
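The dropped-SYN-ACK behaviour Panos describes, as an added Python illustration that is not from the thread or from Cisco: it parses the quoted 106015 line and replays the handshake through a toy connection table, once on the asymmetric path and once with the ASA seeing the SYN. The host addresses, ports and the "inside" interface name are taken from the question; the sample log line is constructed from it.

```python
import re

# Constructed sample line, modelled on the %ASA-6-106015 message quoted in
# the question (interface name re-joined as "inside").
SAMPLE_LOG = (
    "Sep 13 2009 15:27:11 ASA02 : %ASA-6-106015: Deny TCP (no connection) "
    "from 10.0.120.20/3389 to 10.255.255.20/1141 flags SYN ACK on interface inside"
)
LOG_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

def parse_106015(line):
    """Extract endpoints, flags and interface from a 106015 deny; None otherwise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": set(m["flags"].split()), "iface": m["iface"]}

class ConnTable:
    """Toy model of the ASA connection table: a flow exists only once the
    firewall has seen its SYN, so a bare SYN-ACK for an unknown flow is denied."""
    def __init__(self):
        self.flows = set()

    def inspect(self, src, sport, dst, dport, flags):
        key = frozenset({(src, sport), (dst, dport)})  # same key both directions
        if flags == {"SYN"}:
            self.flows.add(key)
            return "permit"
        return "permit" if key in self.flows else "deny (no connection)"

def replay(packets):
    """Feed (src, sport, dst, dport, flags) packets through one table, in the
    order the ASA would see them, and return the decision for each."""
    table = ConnTable()
    return [table.inspect(*p) for p in packets]

# Asymmetric path from the thread: the SYN from 10.255.255.20 reaches
# 10.0.120.20 via the internal router and bypasses the ASA; only the SYN-ACK
# comes back through the ASA, which is 10.0.120.20's default gateway.
ASYMMETRIC = [("10.0.120.20", 3389, "10.255.255.20", 1141, {"SYN", "ACK"})]
# Symmetric path: the ASA sees both halves of the handshake.
SYMMETRIC = [("10.255.255.20", 1141, "10.0.120.20", 3389, {"SYN"}),
             ("10.0.120.20", 3389, "10.255.255.20", 1141, {"SYN", "ACK"})]
```

Running replay(ASYMMETRIC) yields the deny that the quoted syslog reports, while replay(SYMMETRIC) permits both packets.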

mikewillis Thu, 10/29/2009 - 14:00

Both hosts are behind the ASA, however one host is behind a router which sits behind the ASA.

The combination of the stateful inspection command and the static route pointing to itself seems to have fixed everything.
