03-10-2011 03:15 PM - edited 03-11-2019 01:04 PM
Hi,
I've been tasked with cleaning up some old client configurations. Can anyone list the legitimate uses of
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
I know intra-interface can be used for hairpinning remote access vpn connections. What else?
I know inter-interface can be used to avoid the need for NAT when two interfaces need to communicate. What else?
If you were considering whether or not to remove these statements, what specifically would you be looking for?
Thanks.
03-10-2011 03:26 PM
The "same-security-traffic" is used to avoid the need to configure access-list to allow communication flow between the 2 or more interfaces in the same security level. NAT still needs to be configured despite the "same-security-traffic" command.
Further to that, it also enables traffic to be routed in and out the same interface for "permit intra-interface", ie: hairpin as you have described it.
If you are considering removing:
"inter-interface" --> look to see if you have any interfaces having the same security level. If you don't, then it's safe to remove.
"intra-interface" --> VPN hairpin as well as if you have a need to hairpin traffic in and out the same interface.
Hope that helps.
03-10-2011 03:40 PM
First, thanks for your reply and giving me good ideas as to what to look for. Then, regarding your statement
NAT still needs to be configured despite the "same-security-traffic" command
Sorry, but I found someone who disagrees with this statement
Cisco ASA, PIX, and FWSM Firewall Handbook (2nd Edition)
David Hucaby (Author)
6-2: Address Translation
Cisco firewalls provide security policies and traffic inspection using two basic principles:
• Address translation—When a host on one firewall interface initiates a connection to a host on
a different interface, the firewall must provide a way to translate the IP addresses across itself
appropriately. Even if the IP addresses should appear identically on both sides of the firewall, a
translation must still occur.
One exception to this is when the same-security-traffic command is used to allow
traffic to pass between interfaces with an identical security level. In that case, address
translation can still be configured if it is needed, but it is not required. The other
exception is when the no nat-control command is used. This is the default beginning
with ASA 7.0 and FWSM 3.1(1), which allows hosts to initiate connections through
the firewall without requiring address translation.
03-10-2011 04:03 PM
Spot on.... sorry, wrong information about the NAT with same-security-traffic
Here is the Cisco doc as well for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wpxref77088
and more about the same-security-traffic:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1061479
03-10-2011 04:08 PM
thanks for the links!
03-21-2011 04:18 PM
I came across some practical examples in my work recently for same-security-traffic permit intra-interface.
When the ASA is the default gateway for workstations at a site that also has another internal subnet, not directly connected to the ASA, which the ASA routes to: the ASA basically sends packets right back out the same interface they came from.
The other was VPN on a stick with a central hub site and several spokes.