https://community.cisco.com/t5/network-security/asa-same-security-interface-permit-intra-interface/m-p/1261929#M809637 <HTML><HEAD></HEAD><BODY><P>Juan, Ive seen couple of similar threads before on this issue, quick searched this one thread, try this solution which should do the trick.</P><P></P><P><A class="jive-link-custom" href="http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Firewalling&amp;topicID=.ee6e1fa&amp;fromOutline=true&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc1d776/4" target="_blank">http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Firewalling&amp;topicID=.ee6e1fa&amp;fromOutline=true&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc1d776/4</A></P><P></P><P></P></BODY></HTML> Sun, 13 Sep 2009 20:25:38 GMT JORGE RODRIGUEZ 2009-09-13T20:25:38Z https://community.cisco.com/t5/network-security/asa-same-security-interface-permit-intra-interface/m-p/1261928#M809632 <P>I would like to know how to use this command and any other related commands I need to make traffic enter and leave the same interface.</P><P></P><P>Basic network topology layout: </P><P>Internal network of ASA is 10.0.0.0/16</P><P></P><P>Networks inside the ASA I need to reach 172.16.2.0/24, 10.255.255.0/24, and 10.0.5.0/24 </P><P></P><P>I executed the same-security interface permit intra-interface without any luck.</P><P></P><P>I then created a static (inside,inside) 10.0.0.0 10.0.0.0 and I'm able to ping 10.255.255.x/24 I made sure the access-list on the inside interface allow source 10.0.0.0/16 to reach 10.255.255.0/24. I also made sure NAT exemption is configured too for this one network I'm working with but when I try to perform a TCP session to a host (10.0.120.20) that uses the ASA as a default gateway (10.0.100.244) I get the message.</P><P></P><P>Sep 13 2009 15:27:11 ASA02 : %ASA-6-106015: Deny TCP (no connection) from 10.0.120.20/3389 to 10.255.255.20/1141 flags SYN ACK on interface insid</P><P>E</P><P>Can someone assist me with this configuration using the same-security interface permit intra-interface </P><P>Thanks in advance.</P><P>Juan </P><P></P> Mon, 11 Mar 2019 16:14:55 GMT https://community.cisco.com/t5/network-security/asa-same-security-interface-permit-intra-interface/m-p/1261928#M809632 juan-ruiz 2019-03-11T16:14:55Z https://community.cisco.com/t5/network-security/asa-same-security-interface-permit-intra-interface/m-p/1261929#M809637 <HTML><HEAD></HEAD><BODY><P>Juan, Ive seen couple of similar threads before on this issue, quick searched this one thread, try this solution which should do the trick.</P><P></P><P><A class="jive-link-custom" href="http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Firewalling&amp;topicID=.ee6e1fa&amp;fromOutline=true&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc1d776/4" target="_blank">http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Firewalling&amp;topicID=.ee6e1fa&amp;fromOutline=true&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc1d776/4</A></P><P></P><P></P></BODY></HTML> Sun, 13 Sep 2009 20:25:38 GMT https://community.cisco.com/t5/network-security/asa-same-security-interface-permit-intra-interface/m-p/1261929#M809637 JORGE RODRIGUEZ 2009-09-13T20:25:38Z https://community.cisco.com/t5/network-security/asa-same-security-interface-permit-intra-interface/m-p/1261930#M809644 <HTML><HEAD></HEAD><BODY><P>This the suggested link help you resolve this?</P></BODY></HTML> Thu, 29 Oct 2009 20:48:24 GMT https://community.cisco.com/t5/network-security/asa-same-security-interface-permit-intra-interface/m-p/1261930#M809644 mikewillis 2009-10-29T20:48:24Z https://community.cisco.com/t5/network-security/asa-same-security-interface-permit-intra-interface/m-p/1261931#M809665 <HTML><HEAD></HEAD><BODY><P>What the syslog tells you there is that the ASA sees the SYN-ACK but it hasn't seen the SYN.</P><P></P><P>Are both hosts behind the ASA?</P><P>If yes, why do you want traffic to hit the ASA (same security intra command)?</P><P></P><P>If the ASA doesn't see then TCP SYN and it is routed directly between the hosts and then it sees the SYN-ACK it will be dropped due to stateful inspection.</P><P></P><P>PK</P><P></P><P></P></BODY></HTML> Thu, 29 Oct 2009 20:57:58 GMT https://community.cisco.com/t5/network-security/asa-same-security-interface-permit-intra-interface/m-p/1261931#M809665 Panos Kampanakis 2009-10-29T20:57:58Z https://community.cisco.com/t5/network-security/asa-same-security-interface-permit-intra-interface/m-p/1261932#M809673 <HTML><HEAD></HEAD><BODY><P>Both hosts are behind the ASA, however one host is behind a router which sits behind the ASA. </P><P></P><P>The combination of the stateful inspection command, the the static route pointing to itself has seemed to fix everything. </P></BODY></HTML> Thu, 29 Oct 2009 21:00:41 GMT https://community.cisco.com/t5/network-security/asa-same-security-interface-permit-intra-interface/m-p/1261932#M809673 mikewillis 2009-10-29T21:00:41Z