Same-Security-Traffic commands
aguilera
12-13-2006, 08:51 AM
Same-security-traffic permit intra-interface:
The security appliance includes a feature that lets a VPN client send IPSec-protected traffic to another VPN user by allowing such traffic in and out of the same interface. Also called “hairpinning”, this feature can be thought of as VPN spokes (clients) connecting through a VPN hub (Security appliance).
Same-security-traffic permit inter-interface:
Use the same-security-traffic command, but with inter-interface argument, to permit communication between interfaces that have the same security level. This feature is not specific to IPSec connections.
micho1492
02-05-2010, 11:13 AM
Aguilera,
I have read that too on the Cisco site, but the reality is that it is not working for me, or I am missing something here.
I have 3 interfaces in the PIX (Outside, Inside, Inside10). Inside and Inside10 have the same security level, 100. I have issued the command same-security-traffic permit inter-interface in global configuration mode to allow traffic between the internal networks, but it is not passing through.
Do I need Access Lists configured on the interfaces, or maybe I need to create NAT between the two networks???
No as per this document:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/asacfg72.pdf
But I haven't found any clear example yet on the internet.
The Pix IOS version is 7.2(4)
Any help will be really appreciated.
Thanks,
Michel
gabrielshorn
02-19-2010, 11:40 AM
You DO need to configure NAT between two interfaces set to the same-security-level if using either dynamic NAT or PAT. See page 17-13 of the PDF you referenced. That whole chapter is very informative.
aguilera
03-05-2010, 09:58 AM
Ok, sorry for the delay.
You see one thing we have to remember about moving from the 6x to 7 or even 8x of the Firewall OS is that sneaky little nat-control command.
By default NAT is NOT enforced, which means there is NO need whatsoever to create ANY Address Translation Rules! Translation rules will be observed if they are configured, but not enforced if they are not.
Ok, got that out of the way.
Now let's get a firm grasp on the DEFAULT nature of how the PIX/ASA manages traffic between different interfaces. By default the PIX/ASA will allow connections from Higher Security Levels to Lower Security Levels. If nat-control is disabled, then traffic will flow freely if traffic is initiated from a Higher Security Level being routed to a Lower Security Level. Got it... cool, let's stick with it. All traffic sourced from a lower security level being routed to a higher security level will be dropped by default.
So, Hi to Low... good to go! Low to Hi... sorry bye! Equal to Equal??? There is no default rule for that, so the PIX/ASA says too bad so sad.... unless we configure the same-security-traffic permit inter-interface.
I sure hope this helps!
Feel free to respond to the post or send me an email!
Dan Aguilera
I can be reached at my first name dot my last name at FidelisNetworks dot com
Good luck and keep in touch! ;)
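The configuration the thread describes, worked through as an added example (not from any poster): three interfaces on PIX/ASA 7.2, Inside and Inside10 both at security level 100, the inter-interface permit, and the two NAT situations the replies above discuss. Interface IDs, addresses and network ranges are constructed for illustration.

```cisco
! Hypothetical PIX/ASA 7.2(4) configuration; names and addresses are constructed.
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet1
 nameif Inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0
!
interface Ethernet2
 nameif Inside10
 security-level 100
 ip address 10.10.0.1 255.255.0.0
!
! Step 1: equal security levels have no default rule, so without this line
! Inside <-> Inside10 traffic is dropped no matter what ACLs say.
same-security-traffic permit inter-interface
!
! Step 2, case A: NAT not enforced. Nothing more is required for the
! equal-level pair. Check the current state first; a config carried over
! from PIX 6.x usually has nat-control switched on.
!   show running-config nat-control
no nat-control
!
! Step 2, case B (instead of case A): nat-control stays on, or the hosts are
! covered by dynamic NAT/PAT. Every flow then needs a translation, and the
! outbound PAT below only covers the Outside egress. Add an identity static
! in each direction so the two equal-level interfaces see real addresses.
nat-control
nat (Inside) 1 10.1.0.0 255.255.0.0
nat (Inside10) 1 10.10.0.0 255.255.0.0
global (Outside) 1 interface
static (Inside,Inside10) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (Inside10,Inside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
!
! Caveat: if an access-group is applied inbound on Inside or Inside10, that
! ACL must also permit the flow; the same-security permit does not bypass it.
!
! Verification: trace a hypothetical flow and read which phase drops it
! (NAT lookup vs. the same-security check), then confirm the permit is set.
packet-tracer input Inside tcp 10.1.0.50 1025 10.10.0.50 80
show running-config same-security-traffic
```

Apply either case A or case B, not both; the fragment lists them together only to show what each requires.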