same security level on interfaces

Unanswered Question
Aug 14th, 2007

Havent used ASA before. Used PIX version 7 so i'm still not sure yet how different it is.

We are running 7.2 on 5500s and they have set up each interface as security level 100 and configured same-security-traffic permit inter and intra-interface

I am wondering why as the networks surrounding the interfaces are clearly defined and can be easily configured with different security levels. No one seems to know why it was setup that way.

My question is what advantages are there in configuring same security levels? Once you apply a rule to an interface do the security levels still apply? Is this best/bad practise?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Tue, 08/14/2007 - 17:43

Hi Mark

It all depends on your set of requirements really. For example i have just answered a question in another forum about whether or not a pix can act as a router between two internal subnets. In that example the easiest thing to do would be to use the same security level on each interface and allow traffic to flow freely between the two networks. No need for NAT and no need for access-lists which removes a lot of the work.

The permit intra-interface is a useful command if you want to implement hairpinning ie. traffic received on an interface can be sent back out the same interface to it's destination. This is useful in a hub and spoke architecture where the spokes communicate via the hub. Prior to v7.x you couldn't do this.

It could be that the person who set up your firewall just didn't like NAT and wanted to avoid having to setup all the NAT rules between different levels.

Personally if i want to restrict traffic between subnets i would use NAT and access-lists as it is kind of a double check. Allowing access through a firewall should not be a trivial thing to do and having to both ensures you really wanted to allow that access.

Hope some of this helped

Jon

Actions

This Discussion