Which of the following commands should you issue to allow a packet to exit an ASA through the same interface
through which it entered the ASA? (Select the best answer.)
A. same-security-traffic permit inter-interface
B. same-security-traffic permit intra-interface
C. security-level 0
D. security-level 100
E. established
Explanation:
To allow a packet to exit a Cisco Adaptive Security Appliance (ASA) through the same interface through which
it entered, which is also known as hairpinning, you should issue the same-security-traffic permit intra-interface
command. By default, an ASA does not allow packets to enter and exit through the same physical interface.
However, because multiple logical virtual LANs (VLANs) can be assigned to the same physical interface, it is
sometimes necessary to allow a packet to enter and exit through the same interface. The same-security-traffic
permit intra-interface command allows packets to be sent and received on the same interface even if the
traffic is protected by IP Security (IPsec) security policies. Another scenario in which you would need to use
the same-security-traffic permit intra-interface command is when multiple users connect via virtual private
network (VPN) through the same physical interface. These users will not be able to communicate with one
another unless the same-security-traffic permit intra-interface command has been issued from global
configuration mode.
You should not issue the same-security-traffic permit inter-interface command to allow a packet to exit through
the same interface through which it entered. The same-security-traffic permit inter-interface command is used to
allow communication between different interfaces that share the same security level. By default, interfaces with
the same security level are not allowed to communicate with each other.
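As an added illustration (not part of the original question or of Cisco's documentation), the following ASA configuration fragment shows where the two same-security-traffic commands sit relative to the per-interface security-level command they are often confused with. The interface names, security levels and addresses are assumed values chosen for the example.

```text
! Per-interface configuration: security-level belongs here.
! It ranks interfaces against each other; on its own it never
! permits a packet to leave through the interface it arrived on.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! Global configuration mode, not under any interface:
! hairpinning - a packet may exit "outside" after entering on "outside",
! e.g. two remote-access VPN clients terminated on "outside" reaching each other.
same-security-traffic permit intra-interface
!
! A different permission: dmz1 and dmz2 (both security-level 50) may talk
! to each other. This does NOT enable hairpinning on any interface.
same-security-traffic permit inter-interface
```

Either command is confirmed with show running-config same-security-traffic. In the VPN client-to-client case the intra-interface permission is the prerequisite the question asks for; in practice a matching NAT configuration for the hairpinned traffic is usually needed as well, which is outside the scope of this question.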
You should not issue either the security-level 0 command or the security-level 100 command to allow a packet to
exit through the same interface through which it entered. The security-level command is used to set the security
level on a physical interface. Security level 0 should be used to achieve the lowest security level possible,
whereas security level 100 should be used to achieve the highest security level available.
You should not issue the established command to allow a packet to exit through the same interface through
which it entered. The established command is used to allow inbound traffic on any interface that has already
established an outbound connection with the ASA. For example, you could issue the established tcp 4567 0
command to configure the ASA to allow an external host to initiate a connection through the ASA to an internal
host after the internal host has first established a Transmission Control Protocol (TCP) connection to port 4567
on the external host. The established command is often used to support protocols such as streaming media
protocols that negotiate the ports for return traffic.
Reference: Cisco: Configuring Interfaces: Allowing Same Security Level Communication