allowing entry and exit of a packet through the same interface (asa 5500)

Unanswered Question
May 2nd, 2012

Can anyone help me with a big question I have.

pc test:



ASA firewall:

firewall (ASA 5500 Series): (interface 0/0 inside)

Routing 1: gw

Routing 2: gw



I explain what I want to do, as you can see the "test PC" tries to connect to the192.168.3.100 ip packet should go to the "router" by the action of "ruteo2".Since this action in the ASA log tells me that the package is removed.

What you want to do is allow the packet through the interface0 / 0 (inside) and exit the package through the same interface interface0 / 0 (inside)

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
varrao Wed, 05/02/2012 - 13:27

What is the ASA code that you are using?? If it is pre 8.2, then you would need:

nat (inside) 10

global (inside) 10 interface

static (inside,inside) norand nailed

same-security-traffic permit intra-interface

sysopt noproxyarp inside

and this should work,

Let me know if you are using code 8.3 or higher, the config would be different in that case.



varrao Wed, 05/02/2012 - 15:15

Hi Jesus,

Yes that statement is correct, since you're destination also lies behind the same interface behind whihc the source is.


prashantrecon Fri, 05/04/2012 - 06:39

Hi Varun,

can u explain me briefly . since network lies behind the same interface. which is sourece.But pbr is not supported by asa.

Please explain me with a scenario

varrao Sat, 05/05/2012 - 14:21

Hi Prashant,

this is not PBR, we are just routing packets on the ASA based on the nat statements.


                                                           /       \

                                                          /         \

                                                         /           \

                                                      host A       host B

Now just take the example, where host A is trying to access host B through RDP, then what you would first need is the command:

same-security-traffic permit intra-interface

This would enable the ASA capability to route the traffic back into the same interface from where it originated.

Then, you would need to create a nat for the source traffic as well:

nat (inside) 1

global (inside) 1 interface

which means, if the traffic is coming from inside and want to be routed back in, then it would be patted with the inside interface.

Now you would need to nat the destination as well (if nat control enabled):

static (inside,inside) norand nailed

because the source and destination of the packet are both inside interface.

sysopt noproxyarp inside (so that ASA doesn't proxy arp for any internal IP's)

PBR is different and it is routing done on the basis of a specific source and destination, we are here just hair-pinning the traffic, which is originated behind an interface and is destination is also behind the same interface.

Hope that helps.



John Peterson Tue, 05/08/2012 - 13:50

Hi Varun,

Why would you need to PAT the inside interface.

Please could you give a example?


varrao Tue, 05/08/2012 - 14:22

Hi John,

Its not a necessary config, but just a way to make sure the clients respond to the ping requests. In some scenarios, where you have multiple subnets behind the ASA interface or where the default gateway on the clients is not the ASA, but some other L3 hop, this helps. You can also do nat exempt for that traffic, depending upon your network.

Varun Rao
Security Team,
Cisco TAC


This Discussion