Although this is not an ideal design, you may find yourself needing to route traffic that enters the inside interface of a Cisco ASA firewall back out the same inside interface (hairpinning). By default the ASA does not pass traffic between interfaces that share a security level, and that includes traffic entering and leaving the same interface. The same-security-traffic permit intra-interface command allows it, but that command alone is not enough; there are a few more steps that many people and websites fail to address.
The diagram above shows an example scenario where this is useful. The host is on the 10.16.7.0/24 network and uses 10.16.7.254 (the inside interface of the Cisco ASA) as its default gateway. Traffic destined for the 172.16.1.0/24 network must be routed through the ASA and back out the inside interface to the router at 10.16.7.1, as shown.
Cisco ASA Config Snippet:
Vlan 1 is the inside interface where traffic will both enter and exit when destined for 172.16.1.0/24:
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.16.7.254 255.255.255.0
Enable same-security-traffic permit intra-interface:
same-security-traffic permit intra-interface
Create a “tcp_bypass” access list that matches the traffic flowing from the host network to the destination network (10.16.7.0/24 to 172.16.1.0/24). This list is only used to classify traffic for the policy below; it is not applied to the interface as an access-group:
access-list tcp_bypass extended permit tcp 10.16.7.0 255.255.255.0 172.16.1.0 255.255.255.0
Create a network object for each network (the second object name must match the one used in the NAT statement that follows):
object network obj_10.16.7.0
 subnet 10.16.7.0 255.255.255.0
object network obj_172.16.1.0
 subnet 172.16.1.0 255.255.255.0
Add an “inside,inside” identity NAT statement (10.16.7.0/24 stays 10.16.7.0/24 and 172.16.1.0/24 stays 172.16.1.0/24) so that the hairpinned flow is not translated by any broader NAT rule that could otherwise match it:
nat (inside,inside) source static obj_10.16.7.0 obj_10.16.7.0 destination static obj_172.16.1.0 obj_172.16.1.0
Add a route for the 172.16.1.0/24 network via the router at 10.16.7.1 on the inside segment:
route inside 172.16.1.0 255.255.255.0 10.16.7.1
Create a class-map that matches the “tcp_bypass” access list (this is the step most guides omit; without it the policy-map has nothing to classify on), then a “tcp_bypass” policy-map that applies the following connection settings to that class:
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass
 class tcp_bypass
  set connection random-sequence-number disable
  set connection advanced-options tcp-state-bypass
Both settings are needed because the return path is asymmetric: replies from 172.16.1.0/24 come back through the router at 10.16.7.1, which delivers them directly to the host on the shared 10.16.7.0/24 segment, so the ASA only ever sees the host-to-server half of each TCP connection. TCP state bypass stops the ASA from dropping those packets for failing its stateful connection checks, and sequence-number randomization must be disabled because the ASA would otherwise rewrite the initial sequence number in the SYN it forwards, while the SYN-ACK that acknowledges the rewritten number reaches the host without passing back through the ASA. Be aware of what this costs: for traffic matched by the access list the ASA no longer performs stateful inspection, so the access list is the only control on that flow and should be kept as narrow as the application allows. If you can change the host or router instead (for example a static route on the host for 172.16.1.0/24 via 10.16.7.1), that avoids the hairpin altogether.
Apply the policies. The first line only re-applies whatever global policy-map you already have (named global_policy in the ASA's default configuration) and can be skipped if one is already applied; the second line attaches the tcp_bypass policy to the inside interface, where the hairpinned traffic arrives:
service-policy global-policy global
service-policy tcp_bypass interface inside
The ASA should now route traffic sourced from the host network 10.16.7.0/24 to the 172.16.1.0/24 network. To verify, generate some traffic and check that the class counters in show service-policy interface inside are incrementing and that the matching entries in show conn carry the b flag (TCP state bypass).
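Because the steps above only work when every piece references the others (service-policy to policy-map to class-map to access list, NAT statement to network objects, route to a next hop on the inside subnet), it is easy to paste a partial version and get a policy that silently matches nothing. The following checker is an added example, not code from the original post or from Cisco: it parses ASA running-config text into top-level commands and their indented subcommands, then walks that dependency chain. It understands only the handful of commands used in this procedure and is not a general ASA config parser; both sample configurations are constructed here, the second one with the intra-interface permit and the class-map removed to show what the checker reports.

```python
# Added example (not from the original post): a checker that parses ASA config
# text and verifies the hairpin pieces reference each other; it understands only
# the commands used in the post. Both sample configurations are constructed.
import ipaddress
import re

# The complete configuration assembled from the post, including the class-map
# that ties the access list to the policy-map.
GOOD_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.16.7.254 255.255.255.0
same-security-traffic permit intra-interface
access-list tcp_bypass extended permit tcp 10.16.7.0 255.255.255.0 172.16.1.0 255.255.255.0
object network obj_10.16.7.0
 subnet 10.16.7.0 255.255.255.0
object network obj_172.16.1.0
 subnet 172.16.1.0 255.255.255.0
nat (inside,inside) source static obj_10.16.7.0 obj_10.16.7.0 destination static obj_172.16.1.0 obj_172.16.1.0
route inside 172.16.1.0 255.255.255.0 10.16.7.1
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass
 class tcp_bypass
  set connection random-sequence-number disable
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass interface inside
"""
# The same configuration with the two most often forgotten pieces removed.
BROKEN_CONFIG = (GOOD_CONFIG
                 .replace("same-security-traffic permit intra-interface\n", "")
                 .replace("class-map tcp_bypass\n match access-list tcp_bypass\n", ""))


def parse(text):
    """Group config into (top-level command, [indented subcommand]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def check_hairpin(text, iface="inside"):
    """Return a list of problems; an empty list means every hairpin step is wired up."""
    blocks = parse(text)
    tops = [cmd for cmd, _ in blocks]
    named = {}  # (kind, name) -> subcommand lines for everything later steps reference
    subnet = None
    for cmd, subs in blocks:
        w = cmd.split()
        if w[0] in ("object", "access-list", "class-map", "policy-map"):
            named[(w[0], w[2] if w[0] == "object" else w[1])] = subs
        elif w[0] == "interface":
            names = [s.split()[1] for s in subs if s.startswith("nameif ")]
            addrs = [s.split()[2:4] for s in subs if s.startswith("ip address ")]
            if names == [iface] and addrs:
                subnet = ipaddress.ip_network("/".join(addrs[0]), strict=False)
    problems = []
    # Step 1: hairpinning needs intra-interface traffic permitted at all.
    if "same-security-traffic permit intra-interface" not in tops:
        problems.append("missing 'same-security-traffic permit intra-interface'")
    # Step 2: the identity NAT must name network objects that exist.
    nat = rf"nat \({iface},{iface}\) source static (\S+) (\S+) destination static (\S+) (\S+)"
    nats = [m for m in map(re.compile(nat).match, tops) if m]
    if not nats:
        problems.append(f"missing identity 'nat ({iface},{iface})' statement")
    for m in nats:
        problems += [f"nat references undefined object {o}"
                     for o in m.groups() if ("object", o) not in named]
    # Step 3: the route's next hop must sit on the hairpin interface's own subnet.
    for m in filter(None, map(re.compile(rf"route {iface} \S+ \S+ (\S+)").match, tops)):
        if subnet is None or ipaddress.ip_address(m[1]) not in subnet:
            problems.append(f"route next hop {m[1]} is not on the {iface} subnet")
    # Step 4: service-policy -> policy-map -> class -> class-map -> access-list.
    applied = [c.split()[1] for c in tops
               if c.startswith("service-policy ") and c.endswith(f" interface {iface}")]
    if not applied:
        problems.append(f"no service-policy applied to interface {iface}")
    for pm in applied:
        lines = named.get(("policy-map", pm))
        if lines is None:
            problems.append(f"service-policy references undefined policy-map {pm}")
            continue
        for cls in (l.split()[1] for l in lines if l.startswith("class ")):
            # class-default is built in, so it never needs a class-map of its own
            matches = [] if cls == "class-default" else named.get(("class-map", cls))
            if matches is None:
                problems.append(f"policy-map {pm} uses undefined class-map {cls}")
                continue
            for acl in (s.split()[2] for s in matches if s.startswith("match access-list ")):
                if ("access-list", acl) not in named:
                    problems.append(f"class-map {cls} matches undefined access-list {acl}")
        if not any("tcp-state-bypass" in l for l in lines):
            problems.append(f"policy-map {pm} never enables tcp-state-bypass")
    return problems
```

Run check_hairpin on the text of show running-config (or the assembled snippet) and act on anything it returns; for the constructed BROKEN_CONFIG it reports the missing intra-interface permit and the dangling class reference in the policy-map, while the complete configuration comes back clean. The route check deliberately only verifies that the next hop is on the inside subnet, which is the condition that makes the return path bypass the ASA and is therefore the reason the TCP state bypass step exists.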