I'm pretty sure that would be "same-security-traffic inter-interface" when the traffic is between sub-interfaces. "intra" should be on the same logical interface, whether physical or not.
On Tue, Sep 8, 2009 at 1:26 PM, Kingsley Charles <[email protected]> wrote:

> Yes Paul, *same-security-traffic intra-interface* is required when the sub-interfaces have the same security level. I have configured them also :-)
>
> With regards
> Kings
>
> On Tue, Sep 8, 2009 at 10:20 PM, Paul Stewart <[email protected]> wrote:
>
>> I am going to admit that I have not read each of these posts. However, it seems that based on the last post and the question "what would the default gateway of the hosts be", that the concern is more intra-interface (or vlan) than between vlans. In other words, if you point a host to a subinterface on the ASA, it will not (by default) route the traffic back out the same subinterface. It will route it to other subinterfaces (and interfaces) assuming the rules permit. There is a command that allows this to happen for IPsec; I haven't tried it for clear text traffic, but I think it will work. In the old days of the PIX, you had to point the hosts to a router if there were other internal routes. The ASA command is the global configuration command "same-security-traffic permit intra-interface". See excerpt from the DocCD below.
>>
>> The *same-security-traffic intra-interface* command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the security appliance is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the security appliance and then out again to the other spoke.
>>
>> If this has already been covered, forgive me for not reading thoroughly enough.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
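To make the inter- versus intra-interface distinction from the thread concrete, here is a constructed ASA configuration fragment (an added example, not from any poster or from Cisco documentation): two sub-interfaces on one physical port at the same security level, followed by the two `same-security-traffic` forms. Interface names, VLAN IDs and addresses are made up for illustration.

```cisco
! Physical port carries the 802.1Q trunk; the sub-interfaces get the names
interface GigabitEthernet0/1
 no nameif
 no security-level
!
! Sub-interface for VLAN 10 (constructed values)
interface GigabitEthernet0/1.10
 vlan 10
 nameif users_a
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! Sub-interface for VLAN 20, deliberately at the SAME security level
interface GigabitEthernet0/1.20
 vlan 20
 nameif users_b
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! Case 1: host in VLAN 10 talks to host in VLAN 20.
! Traffic enters users_a and leaves users_b: two different logical
! interfaces at equal security level, so this form is what is needed.
same-security-traffic permit inter-interface
!
! Case 2: host in VLAN 10 talks to another host that is reached back out
! users_a (hairpin / U-turn). Same logical interface in and out, which the
! ASA denies unless this form is present.
same-security-traffic permit intra-interface
!
! Check which forms are active
show running-config same-security-traffic
```

Two points worth keeping in mind when enabling either form: both only lift the implicit same-security drop, so any access-group applied to the sub-interface is still evaluated and is the place to keep the host-to-host restrictions you actually want; and enabling intra-interface on a sub-interface also allows hairpinning for anything else that lands on it (the VPN use case quoted above included), so review the interface ACL rather than relying on the security-level separation alone.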
