1779 Views | 0 Helpful | 6 Replies

cisco asa5510 same security levels

jschweng (Level 1)

Setting up an asa5510 - I have six interfaces. Had planned on putting them all at the same security level and then using ACLs to allow specific traffic. However, I haven't been able to get any traffic through any ports, even with permit ip any to any on both inbound and outbound. I do not have a same security level statement in the running config.

1. Is it possible to set up all interfaces at the same security level as I have them and then use ACLs to restrict traffic?

2. If so, do I have to put an ACL on both inbound and outbound for every interface?

thank you

6 Replies

Hi,

If you have the same security permit inter-interface command, then you can establish communication between interfaces with the same security level.

You have 101 possible security levels that you can use (0-100), why would you want to put all 6 interfaces in the same security level?

If you chose to have the 6 interfaces with the same security level, you can do that, and restrict traffic based on ACLs.

An inbound ACL on each interface where you want to restrict traffic is enough.

Federico.

If I have interfaces at the same security level and turn on "same-security-traffic permit inter-interface"

then create inbound ACLs for those interfaces - will the firewall check those ACLs or just pass all the traffic between the same security interfaces?

The ASA will always check the inbound ACL for the traffic originated via that interface between any kind of interfaces (even if they have or do not have the same security level).

Federico.

Hello,

Firewall BYPASSES the interface access-list check for traffic between two different interfaces with the same security level whenever

same-security-traffic permit inter-interface

is turned ON. You can verify the same by looking at the hit counts of the interface ACLs (show access-list) after initiating traffic between two hosts on same-security, different interfaces.

Make sure you have Identity NAT from subnets to allow communication.

HTH

Vijaya

Sorry for the wrong information.

Vijaya is 100% correct.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1061479

Federico.
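Added example, not from any post in this thread: a minimal ASA 8.2-style configuration for the layout jschweng describes (several interfaces at one security level, inter-interface traffic enabled, an inbound ACL per interface, and the identity NAT Vijaya mentions). Only two of the six interfaces are shown; the interface names, addresses, ACL names and the allowed ports are assumptions chosen for illustration.

```cisco
! Added example (not the original poster's config). Names and addresses are assumed.
interface Ethernet0/1
 nameif dmz1
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz2
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Without this line the ASA drops all traffic between equal-security interfaces.
same-security-traffic permit inter-interface
!
! Identity NAT (8.2 syntax): each subnet translates to itself, so a connection
! between dmz1 and dmz2 is not dropped for lack of a translation when
! nat-control is enabled. Repeat for every interface pair that must talk.
static (dmz1,dmz2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (dmz2,dmz1) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
!
! One inbound ACL per interface (applied in the "in" direction only), with an
! explicit deny at the end so the hit counts show what is being dropped.
access-list DMZ1_IN extended permit tcp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 eq 443
access-list DMZ1_IN extended deny ip any any log
access-group DMZ1_IN in interface dmz1
!
access-list DMZ2_IN extended permit icmp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list DMZ2_IN extended deny ip any any log
access-group DMZ2_IN in interface dmz2
```

To check whether the ACL is actually being consulted for a given path, do what Vijaya suggests: generate a connection from a dmz1 host to a dmz2 host, then run `show access-list DMZ1_IN` and compare the `hitcnt` values before and after. A permit or deny line whose counter increments is being evaluated; counters that stay at zero while the traffic still flows mean the ACL is not on that traffic's path. `show xlate` confirms that the identity translation was built.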

Hi,

Vijaya, I used PIX635 and use the same security level, and there is no command for same security. I guess it will not work in that, and there is no way to do it.

Bye,
