cisco asa5510 same security levels

Unanswered Question
Mar 14th, 2010

Setting up asa5510 - I have six interfaces. Had planned on putting them all at the same security level and then using ACLs to allow specific traffic. However I haven't been able to get any traffic through any ports even with permit ip any to any on both inbound and outbound. I do not have same security level statement in running config.

1. Is it possible to set up all interfaces at the same security level as I have them and then use ACLs to restrict traffic?

2. If so, do I have to put an ACL on both inbound and outbound for every interface?

thank you

Federico Coto F... Sun, 03/14/2010 - 21:17

Hi,

If you have the same security permit inter-interface command, then you can establish communication between interfaces with the same security level.

You have 101 possible security levels that you can use (0-100), why would you want to put all 6 interfaces in the same security level?

If you chose to have the 6 interfaces with the same security level, you can do that, and restrict traffic based on ACLs.

An inbound ACL on each interface where you want to restrict traffic is enough.

Federico.

JSCHWENG_2 Mon, 03/15/2010 - 06:46

If I have interfaces at the same security level and turn on "same-security-traffic permit inter-interface"

then create inbound ACLs for those interfaces - will the firewall check those ACLs or just pass all the traffic between the same security interfaces?

Federico Coto F... Mon, 03/15/2010 - 09:19

The ASA will always check the inbound ACL for traffic originating via that interface, between any kind of interfaces (whether or not they have the same security level).

Federico.

vilaxmi Mon, 03/15/2010 - 22:44

Hello,

Firewall BYPASSES interface access-list check for traffic between two different interfaces with same security whenever

same-security-traffic permit inter-interface

is turned ON. You can verify the same by looking at hit counts of interface ACLs (show access-list) after initiating traffic between two hosts on same-sec different interfaces.

Make sure you have Identity NAT from subnets to allow communication.

HTH

Vijaya
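The thread disagrees about whether the inbound ACL is consulted between same-security interfaces, so the useful thing for the original poster is a minimal config that exercises every piece mentioned above, plus the check Vijaya describes. The following is an added example written for this thread, not configuration from any poster; it assumes ASA 8.2-era syntax (the 2010 timeframe of the question, before the 8.3 NAT rewrite), invented interface names and 10.1.x.0/24 addressing, and shows two of the six interfaces since the remaining four follow the same pattern.

```cisco
! --- Two interfaces at the SAME security level (constructed example) ---
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Without this line the ASA drops traffic between equal-security interfaces
! regardless of any ACL; this is the command the poster's running config lacks.
same-security-traffic permit inter-interface
!
! Inbound ACL on "inside": only permit what is needed, log the explicit deny
! so misses are visible in syslog rather than silently dropped.
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 eq 443
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
!
! Inbound ACL on "dmz": return traffic is handled by the state table, so this
! only needs to list connections that the dmz hosts themselves initiate.
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! Identity (exempt) NAT between the two subnets, as Vijaya recommends.
! Only required if nat-control is enabled on this box; harmless otherwise.
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! --- Verification after sending a test HTTPS connection from 10.1.1.x to 10.1.2.x ---
! show access-list inside_in      <- hitcnt on the permit line increments if the
!                                    ACL is consulted; stays at 0 if it is bypassed
! show logging | include 106023    <- 106023 is the "denied by access-group" message
! packet-tracer input inside tcp 10.1.1.10 12345 10.1.2.10 443
!                                 <- shows exactly which phase (ACL, NAT, route)
!                                    allows or drops the flow
```

The `packet-tracer` line is the fastest way to settle the ACL-versus-bypass question on a specific ASA version: it prints each inspection phase and the rule that matched, so you see whether an ACCESS-LIST phase appears for inter-interface same-security traffic without having to infer it from counters.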

Anand Solgama Fri, 09/20/2013 - 19:14

Hi,

Vijaya, I used a PIX635 with the same security level and there is no same-security command. I guess it will not work on that and there is no way to do it.

Bye,
