Which of the following commands should you issue to allow communication between different ASA interfaces
that share the same security level? (Select the best answer.)
A.
samesecuritytraffic permit interinterface
B.
samesecuritytraffic permit intrainterface
C.
securitylevel 0
D.
securitylevel 100
E.
established
Explanation:
You should issue the samesecuritytraffic permit interinterface command on a Cisco Adaptive Security
Application (ASA) to allow communication between different interfaces that share the same security level.
Typically, interfaces with the same security level are not allowed to communicate with each other.
You should not issue the samesecurity traffic permit intrainterface command to allow communication between
different interfaces that share the same security level. You should issue the samesecuritytraffic permit
intrainterface command to allow a packet to exit an ASA through the same interface through which it entered,
which is also known as hairpinning. By default, an ASA does not allow packets to enter and exit through the
same physical interface. However, because multiple logical virtual LANs (VLANs) can be assigned to the same
physical interface, it is sometimes necessary to allow a packet to enter and exit through the same interface.
The samesecuritytraffic permit intrainterface command allows packets to be sent and received from the same
interface even if the traffic is protected by IP Security (IPSec) security policies. Another scenario for which you
would need to use the samesecuritytraffic permit intrainterface command is if multiple users need to connect
via virtual private network (VPN) through the same physical interface. These users will not be able
communicate with one another unless the samesecuritytraffic permit intrainterface command has been issued
from global configuration mode.
You should not issue either the securitylevel 0 command or the securitylevel 100 command to allow
communication between different interfaces that share the same security level. The securitylevel command is
used to set the security level on a physical interface. Security level 0 should be used to achieve the lowest
security level possible, whereas security level 100 should be used to achieve the highest security level
available.
You should not issue the established command to allow communication between different interfaces that share
the same security level. The established command is used to allow inbound traffic on any interface that hasalready established an outbound connection with the ASA. For example, you could issue the established tcp
4567 0 command to configure the ASA to allow an external host to initiate a connection through the ASA to an
internal host after the internal host has first established a Transmission Control Protocol (TCP) connection to
port 4567 on the external host. The established command is often used to support protocols such as streaming
media protocols that negotiate the ports for return traffic.Cisco: Configuring Interfaces: Allowing Same Security Level Communication