Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1352
Views
0
Helpful
3
Replies

ASA traffice get denied when ingress and egress is the same one

Go to solution
Ge Qu
Level 1
Level 1

‎07-10-2017 09:39 AM - edited ‎03-12-2019 02:40 AM

Hi,

I have a firewall that trffice goes in to interface xxx and I allowed from host A to host B, but i also have a route to route the traffic destinated to B to interface XXX.

However, I always get deny from A to B, if I remove the route to interface XXX, I am not getting the deny anymore.

Is this a feature on ASA that I cannot receive and send the traffice on the same interface?

Thank you.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎07-10-2017 09:50 AM

Hi,

Check this command:
same-security-traffic permit {inter-interface | intra-interface}

By default, traffic ingressing and egressing from same interface is not allowed. You need to enable the command to do so.

Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s1.html#wp1421315

Regards
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to Ge Qu

‎07-10-2017 06:35 PM

You can check the following document to leverage both ISPs at the same time

https://supportforums.cisco.com/document/59986/loadbalancing-dual-isp-asa

Regards
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎07-10-2017 09:50 AM

Hi,

Check this command:
same-security-traffic permit {inter-interface | intra-interface}

By default, traffic ingressing and egressing from same interface is not allowed. You need to enable the command to do so.

Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s1.html#wp1421315

Regards
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
Ge Qu
Level 1
Level 1
In response to Dinesh Moudgil

‎07-10-2017 12:16 PM

Hi Dinesh,

Thank you for your reply. It resolved my issue.

I have another question. Can i add 2 static routes to the same destination but next hop is different? For example:

route AAA 0.0.0.0 0.0.0.0 1.2.3.4

route BBB 0.0.0.0 0.0.0.0 5.6.7.8

and if it's possible, the traffice will be load balanced between those 2 interface?

Thank you.

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to Ge Qu

‎07-10-2017 06:35 PM

You can check the following document to leverage both ISPs at the same time

https://supportforums.cisco.com/document/59986/loadbalancing-dual-isp-asa

Regards
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card