PIX/ASA 7.x as router- "same-security-traffic permit intra-interface"

0r8it
Level 1

Hope someone can help.

2 gateways on a LAN; local IPs are:

#1=192.64.10.212 (ASA)

#2=192.64.10.213 (827)

ASA leads to Internet; 827 leads to 3 remote sites connected by vpn.

All LAN devices use ASA as gateway.

Internet access works OK.

My question:

If a local device on the '192 LAN' wants to talk to one of the devices on a 'vpn' LAN, it cannot.

I've assumed this is a routing issue, as if I add an explicit route to allow a '192 LAN' device to reach the 'vpn' host via 192.64.10.213, it can then reach it.

So- when I do the following 2 things:

#1: issue the command "same-security-traffic permit intra-interface" on the ASA

#2: add the appropriate routes to the ASA

Should I not then be able to go:

-from my 192-device to ASA

-get the ASA to forward traffic to my VPN gateway

-get a response?

Any ideas gratefully received-

Gary

Accepted Solution

m-haddad
Level 5

Yes you should be able to perform that. Once you add a static route on the ASA for the remote sites to the internal gateway it should work.

You can do a trace route and see the traffic flow path.

Another method is to set your clients' default gateway to the 827 router and on the 827 router do a default route to the ASA. In this way, you will offload the ASA from routing and you won't need the above steps. All traffic going to the sites will be done by the 827 and all other traffic will be forwarded to the ASA. Always try to have one central point for routing to lower the administration requirements.

Hope this could help,

Regards,

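The two designs discussed in the thread (the question's "permit intra-interface plus static routes on the ASA" and the accepted answer's "827 as default gateway with a default route to the ASA"), written out as an added configuration example. This is not configuration posted by either participant. The ASA (192.64.10.212) and 827 (192.64.10.213) addresses are the ones given in the question; the interface name `inside`, the remote-site subnet 10.1.1.0/24 and the 827 hostname are placeholders that have to be replaced with the real values.

```cisco
! ===== Option 1 (the question): ASA remains the LAN default gateway =====
! Traffic from a 192.64.10.x client enters and leaves the same ASA interface
! ("hairpins"), which ASA 7.x denies unless the same-security command is set.
! Interface name "inside" is an assumption; adjust to the ASA's real nameif.
same-security-traffic permit intra-interface
!
! One static route per remote VPN site, next hop = the 827 on the LAN.
! 10.1.1.0/24 is a placeholder for the first remote site; repeat for the
! other two sites with their own subnets.
route inside 10.1.1.0 255.255.255.0 192.64.10.213
!
! Verify the ASA picks the 827 as next hop for a remote address:
! show route
! show same-security-traffic
!
!
! ===== Option 2 (the accepted answer): 827 becomes the LAN default gateway =====
! Clients point at 192.64.10.213. The 827 already knows the three VPN
! subnets; everything else falls through to the ASA for Internet access.
! Configured on the 827 (IOS), hostname is a placeholder.
hostname R827
ip route 0.0.0.0 0.0.0.0 192.64.10.212
!
! Verify: show ip route 0.0.0.0  (gateway of last resort = 192.64.10.212)
```

Why option 1 tends to fail the way Gary describes in his follow-up: the client's outbound packets go client -> ASA -> 827 -> tunnel, but the replies come back tunnel -> 827 -> client directly, because the 827 is on the same LAN as the client and has no reason to hand the reply to the ASA. The ASA, being a stateful firewall, therefore sees only one direction of each TCP connection (the SYN and the client's later ACKs, never the SYN-ACK) and drops the out-of-state segments. A quick way to confirm this is that ping from a client to a remote host works (the echo reply never touches the ASA) while TCP sessions hang. Option 2 avoids the asymmetry entirely, which is why it is the cleaner design on a 7.x ASA; later ASA releases added a TCP state bypass feature specifically for asymmetric paths, but that does not exist on 7.x.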

2 Replies


Thanks for your response.

I thought as much; I had configured things in this manner but, for some reason (gateway issues? client expects a response from the ASA?), the packets don't make their way back to the client devices.

I suspect the 827 would be a better bet for routing (it is a router, after all :( ).

My regards,

Gary
