same-security-traffic command

cef2lion2
Level 1

I'm using a FWSM with static NAT. I have an outside interface connected to the internet. I have an inside interface with security level 100. I added a second interface with security level of 100.

With ACL I'm not able to allow traffic to pass from one inside interface to another. I enabled 'same-security-traffic' between same security level interfaces.

Is there no means to allow traffic via ACLs between these interfaces? If I have to use the same-security-traffic command, then do I need to use deny ACLs to restrict unwanted traffic?

I need to add a DMZ interface. I planned to assign a security level for the DMZ somewhere between 0 and 100. Will I be able to use ACLs to allow some traffic from the inside interface to the DMZ? I hope so. If that is the case, maybe I should give the inside interface a level of 100 and all others less than 100 to avoid the same-security-traffic command.

Any thoughts?


cef2lion2
Level 1

I did test and change the security levels of the inside interfaces. Seems like I do not now need the 'same-security-traffic' command and can use ACLs to permit traffic. Am I on the right track?

Patrick0711
Level 3

Traffic can pass from a higher security level to a lower security level segment without the need for an explicit ACE to allow the traffic.

If the interfaces are set to the same security-level and you have the same-security inter-interface command enabled, you'll need to specify access-lists in both directions to pass traffic.

Stuart Hare
Level 1

With the Firewall Services Module, the high-to-low security behaviour we know from the PIX/ASA does not apply in the same way. You have to explicitly apply access groups to each interface to allow traffic flow. High-to-low security levels do not allow traffic to flow without them.

The same-security-traffic command has two keywords. permit intra-interface basically allows traffic to flow in and back out of the same interface without the AS Algorithm dropping it; it is typically used with VPNs etc.

The permit inter-interface allows the interfaces with the same security level to communicate with each other.

In your scenario, where you have the same security levels on the FWSM, you would need to apply both the ACLs and the same-security-traffic permit inter-interface command.

You would not need to apply deny ACLs for unwanted traffic, as traffic would need to be allowed in your ACLs; all other traffic would be denied by default, and typically you may follow up with a deny any any log at the bottom of your list anyway.

HTH

Stu
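To make the answer above concrete, here is a constructed FWSM-style configuration fragment (an added illustration, not posted by anyone in this thread) showing two interfaces at security level 100, the same-security-traffic permit inter-interface command, and a separate inbound ACL applied to each interface with an explicit logged deny at the bottom. Interface names, VLAN numbers, the 10.x.x.x subnets and the ASA/FWSM 3.x "extended" ACL syntax are assumptions.

```cisco
! Two inside segments at the same security level (names, VLANs and addresses are constructed)
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan20
 nameif inside2
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
! Required before the FWSM will forward anything between two interfaces at the same level
same-security-traffic permit inter-interface
!
! On the FWSM an interface only forwards what its inbound access-group permits, so each
! interface needs its own ACL. Connections initiated from inside toward inside2 (HTTP only):
access-list INSIDE_IN extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq 80
access-list INSIDE_IN extended deny ip any any log
!
! Connections initiated from inside2 toward inside (SSH only). Replies to connections
! permitted above are handled by stateful inspection and do not need an entry here.
access-list INSIDE2_IN extended permit tcp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 22
access-list INSIDE2_IN extended deny ip any any log
!
! Bind one ACL inbound on each interface; anything not permitted is dropped and logged
access-group INSIDE_IN in interface inside
access-group INSIDE2_IN in interface inside2
```

The explicit deny at the end of each list only makes the implicit default deny visible in syslog, which is useful when troubleshooting which side is blocking a new flow.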
