Cisco Support Community
New Member

Does "same-security-traffic permit intra-interface" command work?

Hello.

My default gateway is an ASA5505 and I need to route a network through a router connected on the same interface as the source client.

So the traffic has to enter and exit by the same interface. To do that I use the same-security-traffic permit intra-interface command, but it works only with ICMP traffic.

Why? What do I have to do to permit all traffic?

My test configuration is the following:

ASA Version 7.2(3)
!
hostname ciscoasa
enable password xxx
names
!
interface Vlan1
 nameif INSIDE
 security-level 100
 ip address 172.20.4.31 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd xxx
ftp mode passive
same-security-traffic permit intra-interface
access-list ACL-INSIDE-IN extended permit ip any any
access-list ACL-INSIDE-OUT extended permit ip any any
pager lines 24
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
access-group ACL-INSIDE-IN in interface INSIDE
access-group ACL-INSIDE-OUT out interface INSIDE
route INSIDE 10.132.1.0 255.255.255.0 172.20.4.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp INSIDE
telnet 172.20.4.0 255.255.255.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
management-access INSIDE
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
username test password xxx encrypted privilege 15

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Does "same-security-traffic permit intra-interface" command w

to me it sounds like the return traffic is not going the same way back.

client -> fw -> router -> destination

return traffic:

destination -> router -> client

so the state table of the connection might be broken, and icmp is working because it's stateless.

just a guess - had a similar routing issue with two asa boxes in parallel setup (no HA).

9 REPLIES
New Member

Re: Does "same-security-traffic permit intra-interface" command w

Hello

Thank you very much for your answer.

I like your idea, but it raises a doubt in me.

I wonder why everything works fine if I replace the ASA with a router.

Any idea?

Thank you again.

New Member

Re: Does "same-security-traffic permit intra-interface" command w

I would agree with the previous poster. The router that you replace the ASA with would not be keeping a state table to break, it would just happily route away. The ASA however, on not seeing a SYN-ACK return through it for the SYN it has already seen, will deny the TCP connection.

New Member

Re: Does "same-security-traffic permit intra-interface" command w

kagodfrey is right, there is no state table on an (IP Base) router - maybe you would have the same issue with an FW IOS on the router.

maybe you can reconfigure your routing: default gateway for all clients is the internal router, the internal router uses the asa as the default gw...

hope that helps,

regards,

juergen

New Member

Re: Does "same-security-traffic permit intra-interface" command w

Yes it's right, I verified it by monitoring the ASA interface with a protocol analyzer: frames from the PC get to the ASA and then from the ASA go to the router, but nothing comes back through the ASA.

We can solve the problem working on the router, adding a static route that routes the router's local network through the ASA.

That works but I don't think it's a good thing.

Thank you to all

New Member

Re: Does "same-security-traffic permit intra-interface" command w

"We can solve the problem working on the router, adding a static route that routes the router's local network through the ASA."

won't work - that network is locally connected and so it already has a route to it - if you add a static route this one won't make it into the routing table because static routes have an administrative distance of 1 while locally connected network routes have an AD of 0.

changing the default gateway on all hosts is imho the best solution and you're more flexible with a router as default gateway.

of course it can be a lot of work :-(

regards,

Juergen

New Member

Re: Does "same-security-traffic permit intra-interface" command w

Yes, you are right.

In fact, I tried adding a static route only for my testing host, so the added route is an exact match and it works, but you can't do the same with the entire network.

Regards

New Member

Re: Does "same-security-traffic permit intra-interface" command w

Please confirm the network you are routing to.

You should be able to route a network from the firewall to the router both on the internal (inside) interface of the ASA.

Looking at the config the network in question is 10.132.10/24. Is this correct?

If so kindly show the router config (4.30)

Tim

New Member

Re: Does "same-security-traffic permit intra-interface" command w

Yes the network is correct.

We are talking about a test environment, so the router has 2 ethernet interfaces configured respectively 172.20.4.30 and 10.132.1.30 and nothing else.

Regards
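The two technical points in this thread, the state-table explanation in the accepted answer and the later point about administrative distance versus prefix length, can both be checked with a small model of the topology described above. The Python below is an added example written for this page; it is not the poster's configuration and not Cisco software. It keeps the thread's real addresses for the ASA (172.20.4.31) and the router (172.20.4.30 and 10.132.1.30), assumes a client at 172.20.4.100 and a destination host at 10.132.1.50 (both constructed), and models the ASA as a firewall that forwards a TCP flow only after it has seen SYN, SYN-ACK and ACK itself, while forwarding ICMP without state because the posted config has no inspect icmp. The route lookup follows IOS: longest prefix first, and for the same prefix only the route with the lowest administrative distance is installed. The scenarios reproduce the thread: the posted setup (TCP fails, ICMP works, the SYN-ACK travels dest -> router -> client and never reaches the ASA), the same setup without the intra-interface command (even ICMP fails, which is what the command is for), a /24 static route on the router for its own subnet (still fails, connected AD 0 beats static AD 1), a /32 host route (works, longer prefix wins) and Juergen's layout with the router as the hosts' default gateway (works, the ASA is never asked to hairpin).

```python
"""Model of the thread's topology: client, ASA (172.20.4.31) and router (172.20.4.30) on one subnet,
destination behind the router on 10.132.1.0/24. Shows why TCP fails while ICMP echo works when return
traffic bypasses the firewall, and which routing changes fix it. Added example, not the poster's code
or Cisco software; the hosts 172.20.4.100 and 10.132.1.50 are constructed for the example."""
import ipaddress
from collections import namedtuple

CLIENT, ASA, ROUTER, DEST = "client", "asa", "router", "dest"
ADDR = {"172.20.4.100": CLIENT, "172.20.4.31": ASA, "172.20.4.30": ROUTER,
        "10.132.1.30": ROUTER, "10.132.1.50": DEST}            # address -> node
INSIDE, FAR = "172.20.4.0/24", "10.132.1.0/24"
# prefix (CIDR), via (next-hop address, None if directly connected), ad (0 connected, 1 static)
Route = namedtuple("Route", "prefix via ad")

def lookup(table, dst):
    """Longest prefix wins; for one prefix only the lowest AD is installed (IOS behaviour)."""
    d = ipaddress.ip_address(dst)
    hits = [r for r in table if d in ipaddress.ip_network(r.prefix)]
    return min(hits, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.ad)) if hits else None

class StatefulFirewall:
    """ASA-like connection table: TCP must complete its handshake through the box.
    ICMP is forwarded without state, since the posted config has no 'inspect icmp'."""
    def __init__(self, intra_interface=True):
        self.intra_interface = intra_interface   # same-security-traffic permit intra-interface
        self.conns, self.log = {}, []            # (client, server) -> "embryonic" | "established"

    def inspect(self, pkt, in_if, out_if):
        src, dst, proto, flag = pkt
        if in_if == out_if and not self.intra_interface:
            self.log.append(f"drop {pkt}: hairpin on {in_if} not permitted"); return False
        if proto == "icmp":
            return True
        fwd, rev = (src, dst), (dst, src)
        if flag == "SYN":
            self.conns[fwd] = "embryonic"; return True
        if flag == "SYN-ACK" and self.conns.get(rev) == "embryonic":
            self.conns[rev] = "established"; return True
        if "established" in (self.conns.get(fwd), self.conns.get(rev)):
            return True
        self.log.append(f"drop {pkt}: no established connection in state table"); return False

class Network:
    def __init__(self, tables, fw):
        self.tables, self.fw = tables, fw        # node -> [Route]; the ASA is the only firewall

    def iface(self, node, addr):
        """Name an interface by the connected prefix that contains addr (None if not local)."""
        a = ipaddress.ip_address(addr)
        return next((r.prefix for r in self.tables[node] if r.via is None and a in ipaddress.ip_network(r.prefix)), None)

    def send(self, pkt):
        """Forward hop by hop from the packet's source; returns (path, delivered)."""
        src, dst = pkt[:2]; node, prev_addr, path = ADDR[src], src, [ADDR[src]]
        for _ in range(8):                       # hop limit guards against routing loops
            if node == ADDR[dst]:
                return path, True
            r = lookup(self.tables[node], dst)
            if r is None:
                return path, False
            nxt = dst if r.via is None else r.via
            if node == ASA and not self.fw.inspect(pkt, self.iface(ASA, prev_addr), self.iface(ASA, nxt)):
                return path, False
            # the next hop sees this node's own address on the egress link as the previous hop
            prev_addr = next(a for a, n in ADDR.items() if n == node and self.iface(node, a) == self.iface(node, nxt))
            node = ADDR[nxt]; path.append(node)
        return path, False

def build(router_extra=(), hosts_use_router=False, intra_interface=True):
    """Tables for the thread's setup; router_extra adds static routes on the router."""
    gw = "172.20.4.30" if hosts_use_router else "172.20.4.31"
    tables = {
        CLIENT: [Route(INSIDE, None, 0), Route("0.0.0.0/0", gw, 1)],
        ASA:    [Route(INSIDE, None, 0), Route(FAR, "172.20.4.30", 1)],   # route INSIDE 10.132.1.0 ... 172.20.4.30 1
        ROUTER: [Route(INSIDE, None, 0), Route(FAR, None, 0), *router_extra],
        DEST:   [Route(FAR, None, 0), Route("0.0.0.0/0", "10.132.1.30", 1)],
    }
    return Network(tables, StatefulFirewall(intra_interface))

def handshake(net):
    c, d = "172.20.4.100", "10.132.1.50"       # SYN / SYN-ACK / ACK, then an ICMP echo pair
    tcp = [net.send(p) for p in [(c, d, "tcp", "SYN"), (d, c, "tcp", "SYN-ACK"), (c, d, "tcp", "ACK")]]
    icmp = [net.send(p) for p in [(c, d, "icmp", "echo"), (d, c, "icmp", "echo-reply")]]
    return {"tcp_ok": all(ok for _, ok in tcp), "icmp_ok": all(ok for _, ok in icmp),
            "syn_ack_path": tcp[1][0], "fw_log": net.fw.log}

def scenario(name):
    if name == "no-hairpin":   # command removed: nothing may re-exit INSIDE, not even ICMP
        return handshake(build(intra_interface=False))
    if name == "static-24":    # /24 static for the router's own subnet: AD 1 loses to connected AD 0
        return handshake(build([Route(INSIDE, "172.20.4.31", 1)]))
    if name == "host-32":      # the /32 the poster tried: longer prefix, so it is preferred
        return handshake(build([Route("172.20.4.100/32", "172.20.4.31", 1)]))
    if name == "router-gw":    # Juergen's fix: router is the hosts' gateway and uses the ASA as its own
        return handshake(build([Route("0.0.0.0/0", "172.20.4.31", 1)], hosts_use_router=True))
    return handshake(build())  # "baseline": the posted test configuration

if __name__ == "__main__":
    print({n: scenario(n) for n in ("baseline", "no-hairpin", "static-24", "host-32", "router-gw")})
```

Call scenario() with baseline, no-hairpin, static-24, host-32 or router-gw. In the baseline result the single fw_log entry is the client's ACK, refused because the ASA's connection entry is still embryonic after the SYN-ACK went around it; that is the symptom the poster saw on the protocol analyzer, and it is also why the same test passes on a plain router, which keeps no such table.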
