What is the effect of the same-security-traffic permit intra-interface command on a Cisco ASA? (Select the best answer.)
- It allows communication between different interfaces that share the same security level.
- It allows traffic to exit the same interface through which it entered.
- It allows outbound traffic and the corresponding return traffic to pass through different ASAs.
- It allows traffic destined to unprotected subnets to bypass a VPN tunnel.
Explanation:
On a Cisco Adaptive Security Appliance (ASA), the same-security-traffic permit intra-interface command allows traffic to exit the same interface through which it entered, which is also known as hairpinning. By default, an ASA does not allow packets to enter and exit through the same physical interface. However, because multiple logical virtual LANs (VLANs) can be assigned to the same physical interface, it is sometimes necessary to allow a packet to enter and exit through the same interface. The same-security-traffic permit intra-interface command allows packets to be sent and received on the same interface even if the traffic is protected by IP Security (IPsec) security policies. Another scenario in which you would need the same-security-traffic permit intra-interface command is when multiple users connect via virtual private network (VPN) through the same physical interface. These users will not be able to communicate with one another unless the same-security-traffic permit intra-interface command has been issued from global configuration mode.
The same-security-traffic permit inter-interface command, not the same-security-traffic permit intra-interface command, allows communication between different interfaces that share the same security level. By default, interfaces with the same security level are not allowed to communicate with each other.
A split tunneling policy, not the same-security-traffic permit intra-interface command, allows traffic destined to unprotected subnets to bypass an encrypted tunnel. With split tunneling, only traffic destined to protected subnets is routed through the appropriate VPN tunnel. Traffic destined to unprotected subnets, such as the Internet, can bypass the tunnel and be routed normally. You can issue the split-tunnel-policy and split-tunnel-network-list commands to configure a split tunneling policy.
Transmission Control Protocol (TCP) state bypass, not the same-security-traffic permit intra-interface command, allows outbound traffic and the corresponding return traffic to pass through different ASAs. With TCP state bypass, an ASA will allow a specific class of traffic to pass through the ASA without the traffic class having an entry in the ASA's state table. TCP state bypass is disabled by default. You can issue the set connection advanced-options tcp-state-bypass command to enable the TCP state bypass feature.