Yes Paul, *same-security-traffic intra-interface* is required when the sub-interfaces have the same security level. I have configured them also :-)
With regards,
Kings

On Tue, Sep 8, 2009 at 10:20 PM, Paul Stewart <[email protected]> wrote:
> I am going to admit that I have not read each of these posts. However, it
> seems that based on the last post and the question "what would the default
> gateway of the hosts be", that the concern is more intra-interface (or VLAN)
> than between VLANs. In other words, if you point a host to a subinterface
> on the ASA, it will not (by default) route the traffic back out the same
> subinterface. It will route it to other subinterfaces (and interfaces)
> assuming the rules permit. There is a command that allows this to happen
> for IPsec, but I haven't tried it for clear-text traffic, but I think it
> will work. In the old days of the PIX, you had to point the hosts to a
> router if there were other internal routes. The ASA command is the global
> configuration command "same-security-traffic permit intra-interface". See
> the excerpt from the DocCD below.
>
> The *same-security-traffic intra-interface* command lets traffic enter and
> exit the same interface, which is normally not allowed. This feature might
> be useful for VPN traffic that enters an interface, but is then routed out
> the same interface. The VPN traffic might be unencrypted in this case, or it
> might be re-encrypted for another VPN connection. For example, if you have a
> hub-and-spoke VPN network, where the security appliance is the hub, and
> remote VPN networks are spokes, for one spoke to communicate with another
> spoke, traffic must go into the security appliance and then out again to the
> other spoke.
>
> If this has already been covered, forgive me for not reading thoroughly
> enough.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
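The two ASA settings the thread discusses, shown side by side in a small configuration example. This is an added illustration, not a configuration posted by either participant; the interface names, VLAN IDs, security levels and addresses are hypothetical. The first `same-security-traffic` line covers traffic between two sub-interfaces that share a security level (the case Kings asks about), the second covers traffic that enters and leaves the same sub-interface (the hairpin case Paul quotes from the DocCD). Without the corresponding line, the ASA silently drops that flow even if the ACLs permit it.

```cisco
! Two sub-interfaces on one physical port, deliberately at the SAME security level.
! (Hypothetical names and addresses; pick your own.)
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif vlan20
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! Default ASA behaviour: neither of the following is present, so
!   vlan10 -> vlan20 is dropped (equal security levels), and
!   vlan10 -> vlan10 (host points at the ASA, ASA must route back out vlan10) is dropped.
!
! Corrected configuration (global configuration mode):
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
```

To confirm what is actually in effect, `show running-config same-security-traffic` lists only the lines that are enabled; an empty result means both defaults (deny) apply. For a quick functional check without touching a host, `packet-tracer input vlan10 icmp 10.10.10.5 8 0 10.10.10.6` (hypothetical addresses) walks the flow through the ASA and reports the phase that drops it, so a missing `intra-interface` permit shows up as a drop before any ACL is consulted. Note that these two commands only stop the ASA from refusing the flow; access lists still apply to it, so hairpinned traffic should be covered by an explicit policy rather than relied on to be open.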
