06-15-2009 09:44 AM - edited 03-11-2019 08:43 AM
Is there any security risk in using this in an IPsec spoke-to-spoke design?
06-19-2009 12:59 PM
The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the security appliance is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the security appliance and then out again to the other spoke.
06-25-2009 07:34 PM
I have seen issues where spoofed traffic created bogus conns with intra-interface configured. For example, source 192.168.1.10 destined to 4.4.4.4 on the outside interface. This traffic gets u-turned, and if a packet for 192.168.1.10 enters the firewall on the inside, it will be dropped because there is already a conn built on the outside interface.
The general recommendation is "don't use it if it's not absolutely necessary".
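The failure mode described in the post above, as an added example that is not code or configuration from the thread: a simplified model of a stateful firewall's connection table in which a spoofed packet arriving on the outside interface is u-turned when intra-interface traffic is permitted, and the legitimate inside host's later packet with the same 5-tuple is then dropped because a conn already exists on the outside interface. The routing table, interface names and the flow (192.168.1.10 to 4.4.4.4, TCP 40000 to 443) are constructed for the example; the `rpf_interfaces` option models an ingress anti-spoofing check (source must be reachable via the interface it arrived on), which is the control a practitioner would pair with intra-interface forwarding. It is not a model of any vendor's implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed routing table: prefixes reachable through each interface.
ROUTES = {
    "inside": [ip_network("192.168.1.0/24")],
    "outside": [ip_network("0.0.0.0/0")],
}


def egress_interface(addr: str) -> str:
    """Longest-prefix match of addr against ROUTES; returns the interface name."""
    best_iface, best_len = None, -1
    for iface, nets in ROUTES.items():
        for net in nets:
            if ip_address(addr) in net and net.prefixlen > best_len:
                best_iface, best_len = iface, net.prefixlen
    return best_iface


@dataclass(frozen=True)
class FlowKey:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class Firewall:
    """Minimal stateful forwarder: one conn per flow key, pinned to its ingress interface."""

    def __init__(self, intra_interface: bool = False, rpf_interfaces=()):
        self.intra_interface = intra_interface   # allow ingress == egress (u-turn)
        self.rpf = set(rpf_interfaces)           # interfaces with ingress anti-spoofing
        self.conns = {}                          # FlowKey -> ingress interface

    def handle(self, ingress: str, key: FlowKey) -> str:
        # Anti-spoofing: the source must route back out the interface it came in on.
        if ingress in self.rpf and egress_interface(key.src) != ingress:
            return "drop: rpf-failed"
        egress = egress_interface(key.dst)
        # Hairpinning is refused unless intra-interface traffic is permitted.
        if egress == ingress and not self.intra_interface:
            return "drop: intra-interface not permitted"
        # A conn already pinned to another interface wins; the new packet is dropped.
        existing = self.conns.get(key)
        if existing is not None and existing != ingress:
            return "drop: conn exists on %s" % existing
        self.conns[key] = ingress
        return "forward: %s -> %s" % (ingress, egress)


def scenario(intra_interface: bool, rpf_interfaces=()):
    """Replay the post's two packets and return both verdicts.

    1. Spoofed packet on outside: src 192.168.1.10 (an inside address), dst 4.4.4.4.
    2. Legitimate packet on inside from 192.168.1.10 with the same 5-tuple.
    """
    fw = Firewall(intra_interface, rpf_interfaces)
    key = FlowKey("192.168.1.10", "4.4.4.4", "tcp", 40000, 443)
    spoofed = fw.handle("outside", key)
    legit = fw.handle("inside", key)
    return [spoofed, legit]


if __name__ == "__main__":
    for label, intra, rpf in [
        ("no intra-interface", False, ()),
        ("intra-interface, no anti-spoofing", True, ()),
        ("intra-interface + anti-spoofing on outside", True, ("outside",)),
    ]:
        print(label)
        for verdict in scenario(intra, rpf):
            print("   ", verdict)
```

Without intra-interface forwarding the spoofed packet is refused outright and the inside host is unaffected; with it enabled and no ingress check, the spoofed packet builds the conn on outside and the real host's packet is dropped, exactly the symptom the post reports; adding the anti-spoofing check on outside restores the first outcome while keeping hairpinning available for the spoke-to-spoke case.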