same-security-traffic command

Unanswered Question
Jun 19th, 2009

I'm using a FWSM with static nat. I have an outside interface connected to the internet. I have an inside interface with security level 100. I added a second interface with security level of 100.

With ACLs I'm not able to allow traffic to pass from one inside interface to another. I enabled 'same-security-traffic' between same-security-level interfaces.

Is there no means to allow traffic via ACLs between these interfaces? If I have to use the same-security-traffic command, then do I need to use deny ACLs to restrict unwanted traffic?

I need to add a DMZ interface. I planned to assign a security level for the DMZ somewhere between 0 and 100. Will I be able to use ACLs to allow some traffic from the inside interface to the DMZ? I hope so. If that is the case, maybe I should give the inside interface a level of 100 and all others less than 100 to avoid the same-security-traffic command.

Any thoughts?

cef2lion2 Fri, 06/19/2009 - 08:03

I did test and change the security levels of the inside interfaces. Seems like I now do not need the 'same-security-traffic' command and can use ACLs to permit traffic. Am I on the right track?

Patrick0711 Tue, 06/23/2009 - 08:16

Traffic can pass from a higher security level to a lower security level segment without the need of an explicit ACE to allow the traffic.

If the interfaces are set to the same security-level and you have the same-security inter-interface command enabled, you'll need to specify access-lists in both directions to pass traffic.

Stuart Hare Tue, 06/23/2009 - 12:35

With the Firewall Services Module the high-to-low security behaviour we know from the PIX/ASA does not apply in the same way. You have to explicitly apply access groups to each interface to allow traffic flow; high-to-low security levels do not allow traffic to flow without them.

The same-security-traffic command has two keywords. 'permit intra-interface' basically allows traffic to flow in and back out of the same interface without the AS Algorithm dropping it; typically used with VPNs etc.

'permit inter-interface' allows interfaces with the same security level to communicate with each other.

In your scenario, where you have the same security levels on the FWSM, you would need to apply both the ACLs and the same-security-traffic permit inter-interface command.

You would not need to apply deny ACLs for unwanted traffic, as traffic would need to be allowed in your ACLs; all other traffic would be denied by default, and typically you may follow up with a deny any any log at the bottom of your list anyway.

HTH

Stu
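As an added illustration of the two replies above (this is constructed example configuration, not anything posted in the thread), here is a minimal FWSM 3.x layout with two inside interfaces at security level 100, a DMZ at 50, the same-security-traffic command, and an inbound ACL applied to each interface. Interface names, VLAN numbers and addresses are assumptions; the static NAT the original poster uses is left out so the example stays focused on the security-level and ACL behaviour.

```cisco
! Constructed FWSM 3.x example, not from the thread. Interface names,
! VLANs and addresses are assumptions; NAT statements are omitted.
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan20
 nameif inside2
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
interface Vlan30
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Without this line the FWSM drops traffic between the two level-100
! interfaces even when the ACLs below permit it.
same-security-traffic permit inter-interface
!
! ACL applied inbound on "inside": governs connections *initiated* by inside
! hosts. Return packets of an established connection are matched by the
! connection table, so the peer interface's ACL does not need a reverse entry.
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 445
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 80
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
!
! Connections started from inside2 need their own permits; nothing is
! inherited from inside_in or from the equal security level.
access-list inside2_in extended permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 22
access-list inside2_in extended deny ip any any log
access-group inside2_in in interface inside2
!
! The DMZ (level 50) sits below both inside interfaces, so inside->dmz flows
! only need the permit on inside_in. A dmz-initiated flow toward either
! inside network needs a permit here; on the FWSM the same applies to any
! dmz->outside flow, since high-to-low is not open by default either.
access-list dmz_in extended permit udp 192.168.3.0 255.255.255.0 host 10.1.1.53 eq 53
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
```

The trailing deny ip any any log on each list duplicates the implicit deny but gives hit counts and a syslog line per dropped flow, which is what makes "is my ACL or the security level dropping this?" answerable: check `show running-config same-security-traffic` to confirm the inter-interface permit is present, then `show access-list inside_in` to see whether the permit or the final deny is incrementing, and `show conn` to confirm the connection was built. If the permit counter rises but no connection appears and the two interfaces share a security level, the missing same-security-traffic line is the usual cause.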
