same security level on interfaces

Unanswered Question
Aug 14th, 2007

Haven't used ASA before. Used PIX version 7, so I'm still not sure yet how different it is.

We are running 7.2 on 5500s and they have set up each interface as security level 100 and configured same-security-traffic permit inter- and intra-interface.

I am wondering why, as the networks surrounding the interfaces are clearly defined and could easily be configured with different security levels. No one seems to know why it was set up that way.

My question is: what advantages are there in configuring same security levels? Once you apply a rule to an interface, do the security levels still apply? Is this best/bad practice?

Jon Marshall Tue, 08/14/2007 - 17:43

Hi Mark

It all depends on your set of requirements really. For example, I have just answered a question in another forum about whether or not a PIX can act as a router between two internal subnets. In that example the easiest thing to do would be to use the same security level on each interface and allow traffic to flow freely between the two networks. No need for NAT and no need for access-lists, which removes a lot of the work.

The permit intra-interface is a useful command if you want to implement hairpinning, i.e. traffic received on an interface can be sent back out the same interface to its destination. This is useful in a hub and spoke architecture where the spokes communicate via the hub. Prior to v7.x you couldn't do this.

It could be that the person who set up your firewall just didn't like NAT and wanted to avoid having to set up all the NAT rules between different levels.

Personally, if I want to restrict traffic between subnets I would use NAT and access-lists, as it is kind of a double check. Allowing access through a firewall should not be a trivial thing to do, and having to do both ensures you really wanted to allow that access.

Hope some of this helped
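The two designs discussed in this thread, side by side, as an added configuration example (this is not configuration from the original poster's firewall or from the reply above). Interface names, addresses, the ACL name and the port are assumed values chosen for illustration; the syntax is the 7.x-style `static`/`nat-control` form the reply refers to.

```cisco
! Added example, not from the thread. Interface names (users, servers),
! addresses, ACL name USERS_IN and port 443 are assumed values.

! --- Design A: what the original poster found ---
! Every interface at level 100 and same-security-traffic permitted.
! With no access-group applied, nothing on the firewall filters traffic
! between these segments; the ASA is effectively routing them.
interface GigabitEthernet0/1
 nameif users
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif servers
 security-level 100
 ip address 10.1.20.1 255.255.255.0
!
same-security-traffic permit inter-interface
! intra-interface is only needed for hairpinning (hub and spoke), as the
! reply notes; it does nothing for users<->servers traffic.
same-security-traffic permit intra-interface

! --- Design B: distinct levels plus NAT plus an explicit ACL ---
! servers at 50 is lower than users at 100, so servers->users is denied
! unless an access-list on "servers" permits it.
interface GigabitEthernet0/1
 nameif users
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif servers
 security-level 50
 ip address 10.1.20.1 255.255.255.0
!
! nat-control makes a NAT rule mandatory between interfaces; the identity
! static below is the second half of the "double check" in the reply.
nat-control
static (users,servers) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
!
! Once an access-group is applied inbound on "users", this ACL decides
! what enters on that interface in place of the level-based implicit
! permit; the final deny (logged) is what makes the permits meaningful.
access-list USERS_IN extended permit tcp 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0 eq 443
access-list USERS_IN extended deny ip any any log
access-group USERS_IN in interface users
```

In design A, verifying what is allowed between segments means reading the routing table; in design B it means reading one ACL and one NAT statement per interface pair, and a forgotten NAT rule fails closed rather than open. That asymmetry is the practical reason the reply prefers distinct levels when the intent is to restrict, and same levels only when the intent is to route freely.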