Cisco ASA: same-security-traffic intra-interface

Although this may not be the most ideal design, you may find yourself needing to route traffic that is entering the inside interface of a Cisco ASA firewall back out the same inside interface. By default, traffic is not permitted to pass between interfaces with the same security level (including traffic traveling within the same interface). You can allow this type of behavior by using the same-security-traffic intra-interface command. However, it’s not that simple – there are a few more steps that many people/websites fail to address.


The diagram above shows an example scenario where this might be useful. As you can see, the host is on the network and has a default gateway of (this is the Cisco ASA). We need to allow traffic destined to the network to be routed through the ASA as shown.

Cisco ASA Config Snippet:

Vlan 1 is the inside interface where traffic will enter and exit when destined for

interface Vlan1
  nameif inside security-level 100
  ip address

Enable same-security-traffic permit intra-interface:

same-security-traffic permit intra-interface

Create a “tcp_bypass” access list that matches traffic flowing from the host to the destination network ( —>
access-list tcp_bypass extended permit tcp

Create objects for each network:
object network obj_10.16.7.0 subnet object network obj_200.19.1.0 subnet

Add an “inside,inside” NAT statement (—>
nat (inside,inside) source static obj_10.16.7.0 obj_10.16.7.0 destination static obj_172.16.1.0 obj_172.16.1.0

Add a route for the network:
route inside 

Create a global policy-map and a tcp_bypass policy map with the following options:
policy-map global-policy
  class class-default
  user-statistics accounting

policy-map tcp_bypass class tcp_bypass
  set connection random-sequence-number disable
  set connection advanced-options tcp-state-bypass

Enable the policies:
service-policy global-policy global
service-policy tcp_bypass interface inside

The ASA should now route traffic sourced from the host network of to the network. 

Tagged , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

%d bloggers like this: