03-14-2010 03:31 PM - edited 03-11-2019 10:21 AM
Setting up ASA 5510 - I have six interfaces. Had planned on putting them all at the same security level and then using ACLs to allow specific traffic. However, I haven't been able to get any traffic through any ports, even with permit ip any to any on both inbound and outbound. I do not have a same-security statement in the running config.
1. Is it possible to set up all interfaces at the same security level as I have them and then use ACLs to restrict traffic?
2. If so, do I have to put an ACL on both inbound and outbound for every interface?
Thank you
03-14-2010 09:17 PM
Hi,
If you have the same security permit inter-interface command, then you can establish communication between interfaces with the same security level.
You have 101 possible security levels that you can use (0-100), why would you want to put all 6 interfaces in the same security level?
If you chose to have the 6 interfaces with the same security level, you can do that, and restrict traffic based on ACLs.
An inbound ACL on each interface where you want to restrict traffic is enough.
Federico.
03-15-2010 06:46 AM
If I have interfaces at the same security level and turn on "same-security-traffic permit inter-interface"
and then create inbound ACLs for those interfaces - will the firewall check those ACLs or just pass all the traffic between the same-security interfaces?
03-15-2010 09:19 AM
The ASA will always check the inbound ACL for traffic originated via that interface, between any kind of interfaces
(whether or not they have the same security level).
Federico.
03-15-2010 10:44 PM
Hello,
Firewall BYPASSES the interface access-list check for traffic between two different interfaces with the same security level whenever
same-security-traffic permit inter-interface
is turned ON. You can verify this by looking at the hit counts of the interface ACLs (show access-list) after initiating traffic between two hosts on same-security, different interfaces.
Make sure you have Identity NAT from subnets to allow communication.
HTH
Vijaya
03-16-2010 06:33 AM
Sorry for the wrong information.
Vijaya is 100% correct.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1061479
Federico.
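A configuration sketch for the setup asked about in this thread, written as an added illustration rather than taken from any of the posts (interface names, addresses, ACL names and the 8.2-style static identity NAT are assumptions): two of the six interfaces at the same security level, inter-interface traffic enabled, an inbound ACL on each interface, identity NAT so the same-security traffic is not dropped for lack of a translation, and the show access-list hit-count check Vijaya describes for confirming whether the ACL is consulted on a given image.

```cisco
! Two of the six interfaces, both at security level 50 (assumed names/addresses)
interface Ethernet0/0
 nameif inside
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Required before any traffic can pass between same-security interfaces
same-security-traffic permit inter-interface
!
! Inbound ACL on each interface: permit only what is needed, log the rest
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Identity NAT (ASA 8.2 syntax) between the two same-security subnets
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (dmz,inside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
!
! After generating test traffic from 10.1.1.0/24 toward 10.1.2.0/24,
! the hitcnt on INSIDE_IN entries shows whether the ACL was evaluated
show access-list INSIDE_IN
```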
09-20-2013 07:14 PM
Hi,
Vijaya, I used PIX635 with the same security level, and there is no same-security command there. I guess it will not work in that and there is no way to do it.
Bye,