Cisco ASA: Same security level interface

Technology: Network Security
Area: Firewalls
Vendor: Cisco
Software: 8.X, 9.X
Platform: Cisco ASA

Sometimes you cannot decide which interface should be higher or lower, and you give two or more interfaces the same security level. How does rule number 1 apply then? It does not: the implicit permit only covers traffic going from a higher security level to a lower one, so traffic between interfaces with equal security levels is denied by default. You can change this behavior.

To change this, use the following command in global configuration mode:

ASA#configure terminal
ASA(config)#same-security-traffic permit inter-interface

The command above applies to traffic that enters on one interface and leaves through another (inter-interface), and it covers every pair of interfaces that share a security level, not just one pair. What if traffic enters and leaves through the same interface (hairpinning)? A typical example is remote-access VPN traffic with no split tunneling: all of the VPN users' traffic arrives encrypted on the outside interface, is decrypted, and then goes back out through the same outside interface toward the Internet, outside the tunnel. This is intra-interface traffic, and it has to be allowed with the intra-interface form of the command. In both cases the command only lifts the implicit denial; any access list applied to the interfaces is still enforced.

ASA#configure terminal
ASA(config)#same-security-traffic permit intra-interface
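The following is an added worked example, not configuration from the original article. It puts both commands in context: two DMZ interfaces that share security level 50 (so they need the inter-interface permit), and a remote-access VPN pool hairpinning on the outside interface (so it needs the intra-interface permit). Interface names, addresses, the pool and the object name are assumptions chosen for illustration. The NAT statement at the end goes beyond the article's text: it is the translation the hairpinned VPN traffic needs so that it leaves toward the Internet with the outside address rather than the private pool address (ASA 8.3 and later NAT syntax). The verification commands at the bottom are standard ASA show and packet-tracer commands.

```cisco
! Added example (ASA 8.3+/9.x syntax); names and addresses are assumptions.
! Two interfaces at the same security level: by default no traffic flows between them.
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
! Lift the implicit denial between any interfaces that share a security level.
! Interface access lists, if applied, are still evaluated after this.
same-security-traffic permit inter-interface
!
! VPN hairpin: clients without split tunneling arrive encrypted on "outside"
! and, after decryption, leave through "outside" again toward the Internet.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! Allow traffic to enter and leave through the same interface.
same-security-traffic permit intra-interface
!
! Translate the hairpinned client traffic to the outside interface address;
! without this it would leave with a private (pool) source address.
object network VPN_POOL_NET
 subnet 10.10.10.0 255.255.255.0
nat (outside,outside) source dynamic VPN_POOL_NET interface
!
! Verification (exec mode):
!   show running-config same-security-traffic
!   packet-tracer input dmz1 tcp 10.1.1.10 12345 10.2.2.10 80
```

The `show running-config same-security-traffic` command lists which of the two permits is active, and the `packet-tracer` run simulates a dmz1-to-dmz2 flow and reports whether the firewall would allow or drop it, which is the quickest way to confirm the inter-interface permit (and any access list on those interfaces) behaves as intended before real traffic depends on it.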

Author: Marcin Bialy