ASA 5505 :: Does "same-security-traffic" make sense with base license?

newmindeye
Level 1

Hey all.

Looks like at some point a Cisco TAC member added "same-security-traffic permit intra-interface" to my config. Since I have a base license, I only have 3 VLANs (2 1/2 really): inside, outside and dmz, which are on security levels 100, 0, and 50, respectively.

What is the point of "same-security-traffic permit intra-interface" when each interface is on a different security level?

Basically, is there any reason at all to keep the rule in place or can I safely remove it?

Thanks

4 Replies

varrao
Level 10

Hi Noah,

It says "intra-interface", not "inter-interface". Intra-interface is used to u-turn the traffic when the source and destination are both behind the same interface. If you have any such requirement, don't remove it; otherwise you can.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

@Varun, thanks, but the actual rule in place is "same-security-traffic permit inter-interface".

Think I was googling and "intra" came up without my noticing it.

So, given that the rule is inter-interface, does it serve any purpose in my setup?

Hi Noah,

Yes, you can very well delete it; it doesn't serve any purpose if none of the interfaces are on the same security level.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

done, removed, thanks ;-)
