866 Views, 5 Helpful, 4 Replies

ASA Same-security interface permit intra-interface

juan-ruiz
Level 1

I would like to know how to use this command and any other related commands I need to make traffic enter and leave the same interface.

Basic network topology layout:

Internal network of ASA is 10.0.0.0/16

Networks inside the ASA I need to reach: 172.16.2.0/24, 10.255.255.0/24, and 10.0.5.0/24

I executed the same-security interface permit intra-interface without any luck.

I then created a static (inside,inside) 10.0.0.0 10.0.0.0 and I'm able to ping 10.255.255.x/24. I made sure the access-list on the inside interface allows source 10.0.0.0/16 to reach 10.255.255.0/24. I also made sure NAT exemption is configured for this one network I'm working with, but when I try to perform a TCP session to a host (10.0.120.20) that uses the ASA as its default gateway (10.0.100.244) I get the message:

Sep 13 2009 15:27:11 ASA02 : %ASA-6-106015: Deny TCP (no connection) from 10.0.120.20/3389 to 10.255.255.20/1141 flags SYN ACK on interface inside

Can someone assist me with this configuration using the same-security interface permit intra-interface?

Thanks in advance.

Juan

4 Replies

JORGE RODRIGUEZ
Level 10

Juan, I've seen a couple of similar threads before on this issue. A quick search found this one thread; try this solution, which should do the trick.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc1d776/4

Jorge Rodriguez

mikewillis
Level 1

Did the suggested link help you resolve this?

Panos Kampanakis
Cisco Employee

What the syslog tells you there is that the ASA sees the SYN-ACK but it hasn't seen the SYN.

Are both hosts behind the ASA?

If yes, why do you want traffic to hit the ASA (same security intra command)?

If the ASA doesn't see the TCP SYN because it is routed directly between the hosts, and then it sees the SYN-ACK, the SYN-ACK will be dropped due to stateful inspection.

PK
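To make PK's point concrete, here is an added example (my own toy model, not ASA code and not from anyone in this thread) of a stateful firewall's TCP connection table. It shows why a SYN-ACK that arrives without the ASA having seen the SYN produces a 106015 "Deny TCP (no connection)" drop, why hairpinned traffic needs the intra-interface permit at all, and how to pick such drops out of syslog as a sign of asymmetric routing. The addresses and ports come from the syslog line in the question; the second log line and the firewall behaviour are constructed assumptions that only mirror what PK describes.

```python
import re
from dataclasses import dataclass

# Constructed toy model of the ASA's stateful TCP connection table.
# This is NOT ASA code; it reproduces only the behaviour described in the thread.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: tuple        # e.g. ("SYN",) or ("SYN", "ACK")
    ingress: str        # interface the packet arrived on


class StatefulFirewall:
    def __init__(self, intra_interface_permit: bool = False):
        # Models "same-security-traffic permit intra-interface" (assumption: off by default).
        self.intra_interface_permit = intra_interface_permit
        self.conns = set()    # canonical keys of connections whose SYN we have seen
        self.syslog = []      # messages in the ASA's own 106015 format

    @staticmethod
    def _key(p: Packet):
        # Same table entry for both directions of a flow.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (min(a, b), max(a, b))

    def inspect(self, p: Packet, egress: str) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        if egress == p.ingress and not self.intra_interface_permit:
            # Traffic entering and leaving the same interface is dropped without the permit.
            self.syslog.append(f"model: hairpin {p.src} -> {p.dst} denied on {p.ingress}")
            return False
        key = self._key(p)
        if p.flags == ("SYN",):
            self.conns.add(key)     # first packet of a new connection
            return True
        if key in self.conns:
            return True             # belongs to a connection we already track
        # Mid-stream packet for a flow whose SYN we never saw: the message from the thread.
        self.syslog.append(
            f"%ASA-6-106015: Deny TCP (no connection) from {p.src}/{p.sport} "
            f"to {p.dst}/{p.dport} flags {' '.join(p.flags)} on interface {p.ingress}")
        return False


CLIENT = ("10.255.255.20", 1141)   # addresses from the syslog in the question
SERVER = ("10.0.120.20", 3389)


def asymmetric_path():
    """SYN went router -> server directly; only the SYN-ACK reaches the ASA."""
    fw = StatefulFirewall(intra_interface_permit=True)
    syn_ack = Packet(*SERVER, *CLIENT, ("SYN", "ACK"), "inside")
    return fw.inspect(syn_ack, egress="inside"), fw.syslog


def symmetric_path():
    """Both directions traverse the ASA, hairpinned on 'inside'."""
    fw = StatefulFirewall(intra_interface_permit=True)
    syn = Packet(*CLIENT, *SERVER, ("SYN",), "inside")
    syn_ack = Packet(*SERVER, *CLIENT, ("SYN", "ACK"), "inside")
    return fw.inspect(syn, "inside") and fw.inspect(syn_ack, "inside"), fw.syslog


def no_intra_permit():
    """Hairpin attempt without the intra-interface permit."""
    fw = StatefulFirewall(intra_interface_permit=False)
    syn = Packet(*CLIENT, *SERVER, ("SYN",), "inside")
    return fw.inspect(syn, "inside"), fw.syslog


# Detection side: pull 106015 drops whose flags are exactly SYN ACK out of syslog.
LOG_106015 = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<intf>\S+)")

SAMPLE_SYSLOG = [
    # Line quoted in the question.
    "Sep 13 2009 15:27:11 ASA02 : %ASA-6-106015: Deny TCP (no connection) "
    "from 10.0.120.20/3389 to 10.255.255.20/1141 flags SYN ACK on interface inside",
    # Constructed: a stray RST is a 106015 too, but not evidence of asymmetric routing.
    "Sep 13 2009 15:28:02 ASA02 : %ASA-6-106015: Deny TCP (no connection) "
    "from 10.0.5.9/443 to 10.0.100.7/50122 flags RST on interface inside",
]


def asymmetric_routing_suspects(lines):
    """Return (src, dst, interface) for drops that look like a server's SYN-ACK."""
    found = []
    for line in lines:
        m = LOG_106015.search(line)
        if m and m.group("flags").split() == ["SYN", "ACK"]:
            found.append((m.group("src"), m.group("dst"), m.group("intf")))
    return found


if __name__ == "__main__":
    print("asymmetric:", asymmetric_path())
    print("symmetric: ", symmetric_path())
    print("no permit: ", no_intra_permit())
    print("suspects:  ", asymmetric_routing_suspects(SAMPLE_SYSLOG))
```

The fix the thread converges on is to make the path symmetric so the ASA sees the SYN as well as the SYN-ACK (the `symmetric_path` case); the `asymmetric_routing_suspects` filter is the check to run against real syslog when a 106015 with `SYN ACK` flags shows up on an inside interface, since a server answering a SYN the firewall never saw is the classic signature of one host routing around the ASA.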

Both hosts are behind the ASA, however one host is behind a router which sits behind the ASA.

The combination of the stateful inspection command and the static route pointing to itself seems to have fixed everything.
