Cisco ASA: same-security-traffic intra-interface

Although this may not be the most ideal design, you may find yourself needing to route traffic that enters the inside interface of a Cisco ASA firewall back out the same inside interface. By default, traffic is not permitted to pass between interfaces with the same security level, and that includes traffic that enters and leaves on the same interface. You can allow this behaviour with the same-security-traffic permit intra-interface command. However, it is not that simple: a few more steps are required that many people and websites fail to address.

[Diagram: host on the 10.16.7.0/24 network with default gateway 10.16.7.254 (the ASA inside interface); traffic for 172.16.1.0/24 is routed by the ASA back out the inside interface towards 10.16.7.1]

The diagram above shows an example scenario where this might be useful. The host is on the 10.16.7.0/24 network and has a default gateway of 10.16.7.254 (the Cisco ASA). We need traffic destined for the 172.16.1.0/24 network to be routed through the ASA as shown.

Cisco ASA Config Snippet:

Vlan 1 is the inside interface where traffic will enter and exit when destined for 172.16.1.0/24.

interface Vlan1
  nameif inside
  security-level 100
  ip address 10.16.7.254 255.255.255.0

Enable same-security-traffic permit intra-interface:

same-security-traffic permit intra-interface

Create a “tcp_bypass” access list that matches traffic flowing from the host network to the destination network (10.16.7.0 —> 172.16.1.0). Keep this list as narrow as possible, because the policy applied to it below turns off TCP state checking for every flow it matches:
access-list tcp_bypass extended permit tcp 10.16.7.0 255.255.255.0 172.16.1.0 255.255.255.0

Create objects for each network (the second object must carry the name that the NAT statement below references):
object network obj_10.16.7.0
  subnet 10.16.7.0 255.255.255.0
object network obj_172.16.1.0
  subnet 172.16.1.0 255.255.255.0

Add an “inside,inside” identity NAT statement so that neither address is translated on the hairpin (10.16.7.0—>10.16.7.0, 172.16.1.0—>172.16.1.0):
nat (inside,inside) source static obj_10.16.7.0 obj_10.16.7.0 destination static obj_172.16.1.0 obj_172.16.1.0

Add a route for the 172.16.1.0 network:
route inside 172.16.1.0 255.255.255.0 10.16.7.1 

Create a class-map that matches the tcp_bypass access list, then a global policy-map and a tcp_bypass policy-map with the following options. TCP state bypass and the sequence-number randomisation exemption are needed because only the outbound half of each TCP connection crosses the ASA: replies from 172.16.1.0/24 come back through 10.16.7.1 straight to the host, so the ASA would otherwise drop the sessions it only half sees:
class-map tcp_bypass
  match access-list tcp_bypass

policy-map global-policy
  class class-default
    user-statistics accounting

policy-map tcp_bypass
  class tcp_bypass
    set connection random-sequence-number disable
    set connection advanced-options tcp-state-bypass

Enable the policies:
service-policy global-policy global
service-policy tcp_bypass interface inside

The ASA should now route traffic sourced from the host network of 10.16.7.0/24 to the 172.16.1.0/24 network. 
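A small configuration checker, added here as an example and not code from the original post or from Cisco, pulls the steps above together: it reads an ASA config snippet and reports whether the intra-interface permit, an (inside,inside) NAT whose objects are all defined, a route via the interface, and a tcp-state-bypass policy attached to that interface are present, and warns when the bypass access list is any-to-any. SAMPLE_CONFIG is constructed from the post's snippet with one deliberate mistake: the second object is named obj_200.19.1.0 while the NAT statement references obj_172.16.1.0, which is exactly the kind of slip this catches.

```python
# Added example: a checker for a Cisco ASA same-interface hairpin config.
# Not the post's or Cisco's code; SAMPLE_CONFIG is constructed from the post's
# snippet with one deliberate object-name mismatch (obj_200.19.1.0).
import re

SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
access-list tcp_bypass extended permit tcp 10.16.7.0 255.255.255.0 172.16.1.0 255.255.255.0
object network obj_10.16.7.0
  subnet 10.16.7.0 255.255.255.0
object network obj_200.19.1.0
  subnet 172.16.1.0 255.255.255.0
nat (inside,inside) source static obj_10.16.7.0 obj_10.16.7.0 destination static obj_172.16.1.0 obj_172.16.1.0
route inside 172.16.1.0 255.255.255.0 10.16.7.1
class-map tcp_bypass
  match access-list tcp_bypass
policy-map tcp_bypass
  class tcp_bypass
    set connection random-sequence-number disable
    set connection advanced-options tcp-state-bypass
service-policy tcp_bypass interface inside
"""

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?")


def blocks(text):
    """Group each top-level command with its indented sub-commands."""
    result = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        if raw[0] not in " \t":
            result.append((raw.strip(), []))
        elif result:
            result[-1][1].append(raw.strip())
    return result


def check_hairpin(config_text, interface="inside"):
    """Return a list of findings; an empty list means every piece is present."""
    findings = []
    top = blocks(config_text)
    headers = [h for h, _ in top]

    if "same-security-traffic permit intra-interface" not in headers:
        findings.append("missing: same-security-traffic permit intra-interface")

    objects = {h.split()[2] for h in headers if h.startswith("object network ")}
    acls = {h.split()[1] for h in headers if h.startswith("access-list ")}

    hairpin_nat = False
    for h in headers:
        m = NAT_RE.match(h)
        if not m:
            continue
        ingress, egress, *names = m.groups()
        hairpin_nat = hairpin_nat or ingress == egress == interface
        # every object the NAT names must actually be defined
        for name in sorted({n for n in names if n} - objects):
            findings.append(f"nat references undefined object '{name}'")
    if not hairpin_nat:
        findings.append(f"missing: nat ({interface},{interface}) statement")

    if not any(h.startswith(f"route {interface} ") for h in headers):
        findings.append(f"missing: route via {interface}")

    # class-map name -> access-list it matches
    class_acl = {h.split()[1]: s.split()[2] for h, subs in top if h.startswith("class-map ")
                 for s in subs if s.startswith("match access-list ")}

    # policy-map name -> class in which tcp-state-bypass is enabled
    bypass = {}
    for h, subs in top:
        if not h.startswith("policy-map "):
            continue
        current = None
        for s in subs:
            if s.startswith("class "):
                current = s.split()[1]
            elif "tcp-state-bypass" in s and current:
                bypass[h.split()[1]] = current
    if not bypass:
        findings.append("missing: policy-map class with tcp-state-bypass")

    attached = {h.split()[1] for h in headers
                if h.startswith("service-policy ") and h.endswith(f" interface {interface}")}
    for pm, cls in bypass.items():
        if pm not in attached:
            findings.append(f"policy-map '{pm}' not attached to interface {interface}")
        acl = class_acl.get(cls)
        if acl is None or acl not in acls:
            findings.append(f"class '{cls}' does not match a defined access-list")
        elif any(h.startswith(f"access-list {acl} ") and " any any" in h for h in headers):
            # state bypass on an any/any list removes TCP state checks from everything
            findings.append(f"access-list '{acl}' is any-to-any: bypass covers all traffic")
    return findings


if __name__ == "__main__":
    print("\n".join(check_hairpin(SAMPLE_CONFIG) or ["ok"]))
```

Run it against a `show running-config` capture and an empty result means the five pieces are in place; the any-to-any warning is the caveat to heed, since state bypass on a broad list removes the ASA's TCP checks from far more than the hairpin.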
