topic Re: Does "same-security-traffic permit intra-interface" commad w in Network Security

Does "same-security-traffic permit intra-interface" commad work?

netadminquid — Mon, 11 Mar 2019 11:32:48 GMT

Hello.

My default gateway is an ASA5505 and I need to route a network trought a router connected on the same interface of the source client.

So the traffic have to enter and exit by the same interface, to do that I use the same-security-traffic permit intra-interface command, but it works only with icmp traffic.

Why? What I have to do to permit all traffic?

My test configuration is the following:

ASA Version 7.2(3)

hostname ciscoasa

enable password xxx

names

interface Vlan1

nameif INSIDE

security-level 100

ip address 172.20.4.31 255.255.255.0

interface Ethernet0/0

interface Ethernet0/1

shutdown

interface Ethernet0/2

shutdown

interface Ethernet0/3

shutdown

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

passwd xxx

ftp mode passive

same-security-traffic permit intra-interface

access-list ACL-INSIDE-IN extended permit ip any any

access-list ACL-INSIDE-OUT extended permit ip any any

pager lines 24

mtu INSIDE 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any INSIDE

no asdm history enable

arp timeout 14400

access-group ACL-INSIDE-IN in interface INSIDE

access-group ACL-INSIDE-OUT out interface INSIDE

route INSIDE 10.132.1.0 255.255.255.0 172.20.4.30 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp INSIDE

telnet 172.20.4.0 255.255.255.0 INSIDE

telnet timeout 5

ssh timeout 5

console timeout 0

management-access INSIDE

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

username test password xxx encrypted privilege 15

Thanks

Re: Does "same-security-traffic permit intra-interface" commad w

bauer.juergen — Wed, 21 Nov 2007 13:52:09 GMT

to me it sound like the return traffic is not going the same way back.

client -> fw -> router -> destination

return traffic:

destination -> router -> client

so the state table of the connection might be broken. and icmp is working because its stateless.

just a guess - had a similar routing issue with two asa boxes in parallel setup (no HA).

Re: Does "same-security-traffic permit intra-interface" commad w

netadminquid — Wed, 21 Nov 2007 14:21:18 GMT

Hello

Thank you very much for your answer.

I like your idea, but it raise a dubt in me.

I think, why does everything work fine, if I replace the ASA with a router?

Any idea?

Thank you again.

Re: Does "same-security-traffic permit intra-interface" commad w

kagodfrey — Wed, 21 Nov 2007 14:30:17 GMT

I would agree with the previous poster. The router that you replace the ASA with would not be keeping a state table to break, just happily route away. The ASA however, on not seeing a SYNACK return through it for the SYN it has already seen, will deny the TCP connection.

Re: Does "same-security-traffic permit intra-interface" commad w

bauer.juergen — Wed, 21 Nov 2007 15:50:28 GMT

kagodfrey is right, there is no state table on an (ip base) router - maybe you would have the same issue with an fw ios on the router.

maybe you can reconfigure your routing: default gateway for all clients is the internal router, the internal router uses the asa as the default gw...

hope that helps,

regards,

juergen

Re: Does "same-security-traffic permit intra-interface" commad w

netadminquid — Thu, 22 Nov 2007 10:28:55 GMT

Yes it's right, I verified it monitoring the ASA interface with a protocol analyzer, frames from the PC get to the ASA and then from the ASA go to the router but nothing come back trought the ASA.

We can solve the problem working on the router, adding a static route that routes the router's local network trought the ASA.

That works but I don't think it's a good thing.

Thank you to all

Re: Does "same-security-traffic permit intra-interface" commad w

bauer.juergen — Thu, 22 Nov 2007 14:58:56 GMT

"We can solve the problem working on the router, adding a static route that routes the router's local network trought the ASA."#

wont work - that network is locally connected and so it already has a route to it - if you add a static route this one wont make it into the routing table because static routes have an administrative distance of 1 while locally connected network routes have an AD of 0.

changing the default gateway on all hosts is imho the best solution and your more flexible with a router as default gateway.

of course it can be a lot of work 😞

regards,

Juergen

Re: Does "same-security-traffic permit intra-interface" commad w

netadminquid — Thu, 22 Nov 2007 15:40:35 GMT

Yes, you are right.

In fact, I tried adding a static route only for my testing host, so the added route is a strictly match and it works, but you can't do the same with the entire network.

Regards

Re: Does "same-security-traffic permit intra-interface" commad w

timkaye — Tue, 27 Nov 2007 04:33:28 GMT

Please confirm the network you are routing to.

You should be able to route a network from the firewall to the router both on the internal (inside) interface of the ASA.

Looking at the config the network in question is 10.132.10/24. Is this correct.

If so kindly show the router config (4.30)

Tim

Re: Does "same-security-traffic permit intra-interface" commad w

netadminquid — Tue, 27 Nov 2007 08:58:08 GMT

Yes the network is correct.

We are talking about a test enviroment, so the router has 2 ethernet interfaces configured respectively 172.20.4.30 and 10.132.1.30 and nothing else.

Regards