Cisco ASA: Same security level interface

Technology: Network Security
Area: Firewalls
Vendor: Cisco
Software: 8.X, 9.X
Platform: Cisco ASA

Sometimes you cannot decide which interface should be higher or lower, so you give two or more interfaces the same security level. How does rule number 1 apply then? Traffic between interfaces with equal security levels is denied by default, but you can change this behavior.

To change this, use the following commands:

ASA#configure terminal
ASA(config)#same-security-traffic permit inter-interface

The command above applies to traffic passing through more than one interface (from one interface to another). What if you have traffic hairpinning on the same interface? An example is VPN traffic with no split tunneling: all VPN user traffic arrives VPN-encrypted on the outside interface and is sent back out of the same outside interface to the Internet unencrypted. This is intra-interface traffic, and such a scenario has to be allowed with the intra-interface form of the command:

ASA#configure terminal
ASA(config)#same-security-traffic permit intra-interface
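As an added example (not part of the original article and not Cisco's code), the script below audits an ASA running-config for the two situations described above: it parses the `interface` blocks for their `nameif` and `security-level`, groups interfaces that share a level, and reports whether `same-security-traffic permit inter-interface` and `same-security-traffic permit intra-interface` are present. The embedded configuration is a constructed sample; the interface names, addresses and levels are assumptions chosen to show two DMZ interfaces at the same level. This goes slightly beyond the article by turning the rule into a check you can run against a saved `show running-config`.

```python
import sys
from collections import defaultdict

# Constructed sample running-config (not captured from a real device).
# dmz1 and dmz2 share security level 50; only the intra-interface permit is set.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
same-security-traffic permit intra-interface
"""

INTER_CMD = "same-security-traffic permit inter-interface"
INTRA_CMD = "same-security-traffic permit intra-interface"


def parse_interfaces(config):
    """Map each nameif to its security-level, read from 'interface ...' blocks.

    ASA indents interface sub-commands with one space; an unindented line
    ends the block. Interfaces without a nameif or level are ignored.
    """
    interfaces = {}
    block = None  # collects nameif/level of the block currently being read
    for raw in config.splitlines() + ["end"]:  # 'end' closes a trailing block
        if raw.startswith(" ") and block is not None:
            key, _, value = raw.strip().partition(" ")
            if key == "nameif":
                block["nameif"] = value
            elif key == "security-level":
                block["level"] = int(value)
            continue
        if block and "nameif" in block and "level" in block:
            interfaces[block["nameif"]] = block["level"]
        block = {} if raw.startswith("interface ") else None
    return interfaces


def same_level_groups(interfaces):
    """Group interface names by security level; keep only levels shared by 2+."""
    groups = defaultdict(list)
    for name, level in interfaces.items():
        groups[level].append(name)
    return {lvl: sorted(names) for lvl, names in groups.items() if len(names) > 1}


def same_security_policy(config):
    """Report which same-security-traffic permits are configured (default: both off)."""
    lines = {line.strip() for line in config.splitlines()}
    return {"inter-interface": INTER_CMD in lines, "intra-interface": INTRA_CMD in lines}


def audit(config):
    """Combine the two checks: same-level groups plus whether traffic between them is permitted."""
    policy = same_security_policy(config)
    findings = [
        {"level": level, "interfaces": names, "inter_interface_permitted": policy["inter-interface"]}
        for level, names in sorted(same_level_groups(parse_interfaces(config)).items())
    ]
    return {"policy": policy, "same_level_groups": findings}


if __name__ == "__main__":
    # Usage: python asa_same_security.py [running-config.txt]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    report = audit(text)
    print("inter-interface permitted:", report["policy"]["inter-interface"])
    print("intra-interface permitted:", report["policy"]["intra-interface"])
    for f in report["same_level_groups"]:
        state = "permitted" if f["inter_interface_permitted"] else "denied by default"
        print(f"level {f['level']}: {', '.join(f['interfaces'])} -> traffic between them {state}")
```

Run against the sample, the script shows that `dmz1` and `dmz2` share level 50 but traffic between them is still denied, because only the intra-interface permit is present; the inter-interface form would have to be added for that pair to talk.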

Author: Marcin Bialy