PrepAway - Latest Free Exam Questions & Answers

What is the effect of the same-security-traffic permit intra-interface command on a Cisco ASA? (Select the best
answer.)

A.
It allows communication between different interfaces that share the same security level.

B.
It allows traffic to exit the same interface through which it entered.

C.
It allows outbound traffic and the corresponding return traffic to pass through different ASAs.

D.
It allows traffic destined to unprotected subnets to bypass a VPN tunnel.

Explanation:
Answer B is correct. On a Cisco Adaptive Security Appliance (ASA), the same-security-traffic permit intra-interface
command allows traffic to exit the same interface through which it entered, which is also known as hairpinning.
By default, an ASA drops a packet that would leave through the interface it arrived on. The classic case is VPN:
traffic from remote-access clients is decrypted on the outside interface and then has to be routed back out the
outside interface, either to reach the Internet or to reach another VPN client terminated on the same interface.
Without same-security-traffic permit intra-interface, those clients cannot reach each other and cannot be given
Internet access through the ASA; with it, the ASA forwards the hairpinned traffic, including traffic that is
protected by IP Security (IPsec) policies. The command is issued from global configuration mode and applies to
every interface on the ASA. Note that VLAN subinterfaces on one physical port are separate interfaces with their
own names and security levels, so traffic between them is governed by the inter-interface rule below, not by this
command.
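The hairpin scenario described above, as an added configuration example (not part of the original question or of Cisco's documentation): remote-access VPN clients terminate on the outside interface and are given Internet access back out through the same interface. The interface name outside, the object names VPN_POOL and VPN_CLIENTS, and the address range 10.10.10.0/24 are assumptions chosen for illustration.

```cisco
! Global setting: permit traffic to enter and leave the same interface (hairpin).
same-security-traffic permit intra-interface

! Assumed address pool handed to remote-access VPN clients (illustrative values).
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

object network VPN_CLIENTS
 subnet 10.10.10.0 255.255.255.0

! Hairpinned client traffic re-enters the Internet from the outside interface,
! so it needs an outside-to-outside NAT rule onto the interface address.
nat (outside,outside) source dynamic VPN_CLIENTS interface

! Checks: confirm the setting is present in the running configuration, then
! trace a client-to-Internet flow that enters and exits outside; with the
! permit intra-interface line removed, the trace shows the drop.
show running-config same-security-traffic
packet-tracer input outside tcp 10.10.10.5 40000 203.0.113.10 443
```

Two caveats a practitioner would want: the command is global and permits hairpinning on every interface, not just outside, so interface ACLs and VPN filters still have to constrain what the hairpinned traffic may reach; and without the outside-to-outside NAT rule the forwarding is permitted but return traffic from the Internet has no route back to the client pool.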
The same-security-traffic permit inter-interface command, not the same-security-traffic permit intra-interface
command, allows communication between different interfaces that share the same security level. By default,
interfaces with the same security level are not allowed to communicate with each other.
A split tunneling policy, not the same-security-traffic permit intra-interface command, allows traffic destined to
unprotected subnets to bypass an encrypted tunnel. With split tunneling, only traffic destined to protected
subnets is routed through the VPN tunnel. Traffic destined to unprotected subnets, such as the Internet, bypasses
the tunnel and is routed normally by the client. You can issue the split-tunnel-policy and
split-tunnel-network-list commands under the group-policy attributes to configure a split tunneling policy.
TCP state bypass, not the same-security-traffic permit intra-interface command, allows outbound traffic and the
corresponding return traffic to pass through different ASAs (asymmetric routing). Normally an ASA drops a TCP
packet that does not match a connection it built from the initial SYN. With TCP state bypass, the ASA stops
enforcing TCP state (the three-way handshake, sequence number checks and TCP normalization) for a specific class
of traffic, so return traffic whose outbound half passed through a different ASA is not dropped; application
inspection is also skipped for that class, so the class should be scoped as narrowly as possible. TCP state bypass
is disabled by default. You enable it with the set connection advanced-options tcp-state-bypass command under a
class in a policy map, which is then applied with a service policy.
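The two distractor features (options C and D), as an added configuration example that is not part of the original question or of Cisco's documentation. The group policy name RA_POLICY, the access list names SPLIT_TUNNEL and ASYM_TCP, the class and policy map names, the interface name inside, and all subnets are assumptions chosen for illustration.

```cisco
! --- Option D: split tunneling, configured in the group policy, not with
! same-security-traffic. Only the assumed protected subnet 192.168.100.0/24 is
! sent through the tunnel; everything else leaves the client directly.
access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! --- Option C: TCP state bypass through the Modular Policy Framework.
! Scoped to one assumed subnet pair so only the asymmetrically routed flows
! lose TCP state checking; all other traffic keeps full stateful inspection.
access-list ASYM_TCP extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
class-map ASYM_TCP_CLASS
 match access-list ASYM_TCP
policy-map ASYM_TCP_POLICY
 class ASYM_TCP_CLASS
  set connection advanced-options tcp-state-bypass
service-policy ASYM_TCP_POLICY interface inside

! Check: connections built under the bypass class carry the "b" flag.
show conn detail
```

The split-tunnel-policy keyword tunnelspecified is what implements "protected subnets only"; tunnelall (the default) sends everything through the tunnel and excludespecified inverts the list. For TCP state bypass, keep the match access list to the exact hosts that are asymmetrically routed: every flow it matches is forwarded without handshake, sequence number or inspection checks.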

Reference: Cisco, Configuring Interfaces: Allowing Same Security Level Communication
Category: VPN
