Cisco Support Community


same-security-traffic permit intra-interface

Is there any security risk in using this in an IPsec spoke-to-spoke design?


Re: same-security-traffic permit intra-interface

The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the security appliance is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the security appliance and then out again to the other spoke.
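The hub-and-spoke hairpin described in the reply above, as an added configuration example that is not part of the original thread or of Cisco's documentation. It shows a hub ASA terminating two IPsec LAN-to-LAN spokes on "outside", with the intra-interface command, crypto ACLs that carry spoke-to-spoke traffic, and the outside-to-outside NAT exemption the u-turn needs. All interface names, addresses, object names, peer IPs and pre-shared keys are assumptions; the NAT syntax assumes ASA 8.3 or later and the IKEv1 DH group assumes a 9.x release.

```cisco
! Added example, not from the original post. Addresses and names are constructed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
! Let traffic that arrives on "outside" leave through "outside" again.
! Without this, decrypted spoke-to-spoke packets are dropped by the hub.
same-security-traffic permit intra-interface
!
object network HUB_LAN
 subnet 192.168.0.0 255.255.255.0
object network SPOKE1_LAN
 subnet 10.1.0.0 255.255.255.0
object network SPOKE2_LAN
 subnet 10.2.0.0 255.255.255.0
!
! Crypto ACLs, written from the hub's view (local -> remote). Each spoke's
! tunnel must carry hub<->spoke AND the other spoke's traffic, or the
! hairpinned packets have no tunnel to be re-encrypted into. Keep them exact:
! no "permit ip any" entries, since anything matching here is accepted as VPN traffic.
access-list SPOKE1_VPN extended permit ip object HUB_LAN object SPOKE1_LAN
access-list SPOKE1_VPN extended permit ip object SPOKE2_LAN object SPOKE1_LAN
access-list SPOKE2_VPN extended permit ip object HUB_LAN object SPOKE2_LAN
access-list SPOKE2_VPN extended permit ip object SPOKE1_LAN object SPOKE2_LAN
!
! NAT exemption (identity NAT, ASA 8.3+ syntax). The (outside,outside)
! lines cover the u-turn between spokes.
nat (inside,outside) source static HUB_LAN HUB_LAN destination static SPOKE1_LAN SPOKE1_LAN no-proxy-arp route-lookup
nat (inside,outside) source static HUB_LAN HUB_LAN destination static SPOKE2_LAN SPOKE2_LAN no-proxy-arp route-lookup
nat (outside,outside) source static SPOKE1_LAN SPOKE1_LAN destination static SPOKE2_LAN SPOKE2_LAN no-proxy-arp route-lookup
nat (outside,outside) source static SPOKE2_LAN SPOKE2_LAN destination static SPOKE1_LAN SPOKE1_LAN no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address SPOKE1_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 match address SPOKE2_VPN
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <spoke1-psk>
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key <spoke2-psk>
!
! Optional hardening: by default "sysopt connection permit-vpn" lets decrypted
! VPN traffic bypass the outside interface ACL. Disabling it makes hairpinned
! spoke-to-spoke traffic subject to that ACL like any other inbound traffic.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit ip object SPOKE1_LAN object SPOKE2_LAN
access-list OUTSIDE_IN extended permit ip object SPOKE2_LAN object SPOKE1_LAN
access-list OUTSIDE_IN extended permit ip object SPOKE1_LAN object HUB_LAN
access-list OUTSIDE_IN extended permit ip object SPOKE2_LAN object HUB_LAN
access-group OUTSIDE_IN in interface outside
```

The security-relevant point is the scope of what the hairpin admits: with intra-interface enabled, any packet that decrypts out of a spoke tunnel and matches a crypto ACL can be turned straight back out of "outside". Keeping the crypto ACLs limited to the exact spoke subnets and, where the design allows it, forcing decrypted traffic through the interface ACL as above limits that to the spoke-to-spoke flows you actually intend.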


Re: same-security-traffic permit intra-interface

I have seen issues where spoofed traffic created bogus conns with intra-interface configured. For example, source destined: on the outside interface. This traffic gets u-turned, and if a packet for enters the firewall on the inside, it will be dropped because there is already a conn built on the outside interface.

The general recommendation is "don't use it if it's not absolutely necessary".