Jul 20, 2010

Controlling intra-interface traffic

If you need to allow unencrypted traffic to flow through the same interface (e.g., from inside to inside), you just need to enable the command below.

(config)# same-security-traffic permit intra-interface

Cisco published an article explaining that configuration. However, if the firewall policy has NAT rules, that configuration is not the only thing you should set to have it working. I will use as an example the following scenario, which is similar to the one presented in the Cisco's article.

The relevant settings to this article are:

route inside 1
access-list nonat extended permit ip
nat (inside) 0 access-list nonat
nat (inside) 1
global (outside) 1 interface

If you run a ping or generate any traffic from to, the firewall will block the connection attempt and generate the log message below:

%ASA-3-305006: portmap translation creation failed for icmp src inside: dst inside: (type 8, code 0)

After to receive the traffic, the firewall checks the NAT rules. The rule type priority is considered while it tries to find a matching one. In this case, first of all the NAT Exemption (nat 0) would be checked. Since the traffic comes from the inside and would be forwarded to the same network, that rule doesn't match because the NAT Exemption only works for inter-interface traffic. (e.g., from inside to dmz). Then the Regular Dynamic PAT rule (nat 1) would be checked. This one matches the traffic since it has been defined to match traffic from any source to any destination. However, there is only one global rule assigned to the outside interface. The mapping, therefore, would fail.

To avoid this issue, you have to implement a Regular Static Identity NAT just like the following example:
asa(config)# static (inside,inside) netmask

asa(config)# end
asa# wr mem


  1. thank you very much for this ...this assisted in us overcoming a major comms issue to a credit checking fascility ...