Skip navigation
Login   |   Register
Cisco Learning Home > CCIE Security Study Group > Discussions
This Question is Not Answered 1 Correct Answer available (4 pts) 2 Helpful Answers available (2 pts)
10333 Views 2 Replies Latest reply: Aug 26, 2010 2:33 AM by Paul Stewart - CCIE Security RSS

Currently Being Moderated

ASA Intra-interface Vs Inter-Interface

Aug 26, 2010 1:29 AM

CCIE Want2Be 4 posts since
May 1, 2008



I have a very specific question on the usage of Inter-interface versus Intra-Interface


When would you use Intra Vs Inter?


When reading the various documents I have found two scenarios:


Scenario 1 IPSEC and Hairpining use -> Intra-interface

Scenario 2 Same-Security Level and no access-lists use -> Inter-Interface



Does anyone have a better document that describes this a little more clearly or have a better description of the uses of these commands?


Many Thanks

  • Paul Stewart  -  CCIE Security 7,570 posts since
    Jul 18, 2008
    Currently Being Moderated
    1. Aug 26, 2010 2:33 AM (in response to CCIE Want2Be)
    Re: ASA Intra-interface Vs Inter-Interface

    Intra-interface--anytime an ASA receives traffic on an interface and it is to route the traffic back out the same interface


    Inter-interface--anytime an ASA receives traffic on an interface and is to route the traffic out another interface of equal security level.


    So I think this is exactly what you are saying.  The command is to permit traffic that is sourced and destined to the same security level.  When we are bouncing traffic off a single interface, that interface can have only a single value.  To me it's just easier to think about it in terms of "intra" meaning "within" or "same" as opposed to the use cases of the command.  So anytime an ASA receives a packet on the outside interface (could be any interface) and that packet must go out that same interface, that would be intra interface.  It could be encrypted, or not.  Inter means between.  So anytime traffic is going between two interfaces of the same value, this is required if there are no acl's to permit the traffic. HTH

    Join this discussion now: Login / Register
  • I think you are refering to


    same-security-traffic permit inter-interface

    same-security-traffic permit intra-interface



    Inter is between two different interfaces with same security level. It can also be two sub-interfaces of same physical interface.


    As you said, "Intra" is used during hairpining. The best example is when EzVPN client connects to ASA (Server) with no split tunneling. The internet traffic from the client is routed by the ASA. Any internet from client comes to ASA and is routed back through the outside interface to internet.



    With regards


    Join this discussion now: Login / Register


More Like This

  • Retrieving data ...

Bookmarked By (0)