2 Replies | Latest reply: Aug 26, 2010 2:33 AM by Paul Stewart - CCIE Security

    ASA Intra-interface Vs Inter-Interface

    CCIE Want2Be



      I have a very specific question on the usage of Inter-interface versus Intra-interface.


      When would you use Intra Vs Inter?


      When reading the various documents I have found two scenarios:


      Scenario 1: IPsec and hairpinning use -> Intra-interface

      Scenario 2: Same security level and no access-lists use -> Inter-interface



      Does anyone have a better document that describes this a little more clearly or have a better description of the uses of these commands?


      Many Thanks


        • 1. Re: ASA Intra-interface Vs Inter-Interface
          Paul Stewart  -  CCIE Security

          Intra-interface: any time an ASA receives traffic on an interface and is to route the traffic back out the same interface.


          Inter-interface: any time an ASA receives traffic on an interface and is to route the traffic out another interface of equal security level.


          So I think this is exactly what you are saying. The command is to permit traffic that is sourced and destined to the same security level. When we are bouncing traffic off a single interface, that interface can have only a single value. To me it's just easier to think about it in terms of "intra" meaning "within" or "same" as opposed to the use cases of the command. So any time an ASA receives a packet on the outside interface (could be any interface) and that packet must go out that same interface, that would be intra-interface. It could be encrypted, or not. Inter means between. So any time traffic is going between two interfaces of the same value, this is required if there are no ACLs to permit the traffic. HTH

          • 2. Re: ASA Intra-interface Vs Inter-Interface
            Kingsley - CCSP/CCIP/ CCNP/CCIE Security

            I think you are referring to


            same-security-traffic permit inter-interface

            same-security-traffic permit intra-interface



            Inter is between two different interfaces with the same security level. It can also be two sub-interfaces of the same physical interface.


            As you said, "Intra" is used during hairpinning. The best example is when an EzVPN client connects to the ASA (server) with no split tunneling. The internet traffic from the client is routed by the ASA. Any internet traffic from the client comes to the ASA and is routed back out through the outside interface to the internet.



            With regards
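Added example, not from this thread or from Cisco: a small Python audit that reads an ASA running-config excerpt (constructed here), maps each nameif to its security-level, and reports, for every pair of equal-security interfaces and for every hairpin (in and out the same interface), whether the matching same-security-traffic permit option is present. It assumes the usual show running-config layout (nameif and security-level indented one space under each interface stanza) and ignores ACLs, which, as the thread notes, can permit inter-interface traffic on their own.

```python
import re
from collections import defaultdict

# Constructed sample config: two DMZ sub-interfaces at the same level,
# with only the intra-interface flavour of the command enabled.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/2.10
 nameif dmz1
 security-level 50
interface GigabitEthernet0/2.20
 nameif dmz2
 security-level 50
same-security-traffic permit intra-interface
"""

def parse_security_levels(config):
    """Map each nameif to its security-level by walking interface stanzas."""
    levels, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None  # new stanza: forget the previous nameif
        elif m := re.match(r"\s+nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s+security-level (\d+)", line)) and nameif:
            levels[nameif] = int(m.group(1))
    return levels

def same_security_flags(config):
    """Which same-security-traffic permit options appear as config lines."""
    lines = config.splitlines()
    return {kind: f"same-security-traffic permit {kind}-interface" in lines
            for kind in ("inter", "intra")}

def audit(config):
    """Per interface pair (a, b): True if the needed permit option is present."""
    levels, flags = parse_security_levels(config), same_security_flags(config)
    by_level = defaultdict(list)
    for name, lvl in levels.items():
        by_level[lvl].append(name)
    findings = {}
    for names in by_level.values():
        names = sorted(names)
        for i, a in enumerate(names):
            findings[(a, a)] = flags["intra"]  # hairpin: back out the same interface
            for b in names[i + 1:]:
                findings[(a, b)] = flags["inter"]  # two interfaces at one level
    return findings
```

Pairs that are absent from the result have different security levels, so neither command applies to them and ordinary interface ACLs decide.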