
New Member

same-security-traffic permit intra-interface

Are there any security risks in using this in an IPsec spoke-to-spoke design?

2 REPLIES
Bronze

Re: same-security-traffic permit intra-interface

The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the security appliance is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the security appliance and then out again to the other spoke.

Silver

Re: same-security-traffic permit intra-interface

I have seen issues where spoofed traffic created bogus conns with intra-interface configured. For example, source 192.168.1.10 destined to 4.4.4.4 on the outside interface. This traffic gets u-turned, and if a packet for 192.168.1.10 enters the firewall on the inside, it will be dropped because there is already a conn built on the outside interface.

The general recommendation is "don't use it if it's not absolutely necessary."
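As an added illustration (not from either reply, and not ASA code), here is a small Python model of the conn-table behaviour described above: a spoofed packet u-turned on the outside interface builds a conn there, and the legitimate inside packet with the same addresses is then dropped; enabling a reverse-path check before the conn is built (the corresponding ASA setting is `ip verify reverse-path interface outside`) drops the spoofed packet instead. The topology, addresses, and the `Firewall` class are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str
    dst: str

# Constructed topology: 192.168.1.0/24 lives behind "inside";
# every other destination is routed out "outside".
ROUTES = {"inside": ip_network("192.168.1.0/24")}

def egress_for(addr):
    """Interface the routing table would use to reach addr."""
    for iface, net in ROUTES.items():
        if ip_address(addr) in net:
            return iface
    return "outside"

class Firewall:
    def __init__(self, intra_interface, verify_reverse_path):
        self.intra_interface = intra_interface
        self.rpf = verify_reverse_path
        # Simplified conn table: (src, dst) -> interface the conn was built on.
        self.conns = {}

    def process(self, pkt):
        key = (pkt.src, pkt.dst)
        if key in self.conns:
            # An existing conn is only honoured on the interface it was built on.
            if self.conns[key] == pkt.ingress:
                return "forward"
            return "drop: conn exists on other interface"
        # Reverse-path check: the source must be reachable via the ingress interface.
        if self.rpf and egress_for(pkt.src) != pkt.ingress:
            return "drop: rpf"
        if egress_for(pkt.dst) == pkt.ingress and not self.intra_interface:
            return "drop: same interface"  # the default without intra-interface
        self.conns[key] = pkt.ingress
        return "forward"

def scenario(verify_reverse_path):
    """Spoofed outside packet first, then the legitimate inside packet."""
    fw = Firewall(intra_interface=True, verify_reverse_path=verify_reverse_path)
    spoofed = Packet("outside", "192.168.1.10", "4.4.4.4")
    legit = Packet("inside", "192.168.1.10", "4.4.4.4")
    return fw.process(spoofed), fw.process(legit)
```

`scenario(False)` reproduces the bogus conn and the dropped inside packet; `scenario(True)` shows the spoofed packet being discarded and the real flow going through.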
