Cisco ASA Security Levels

Answered Question
Jun 1st, 2012

Hi All

I have just started working on Cisco ASAs and working on following scenario:

3 Depts having 3 separate Networks given following names: Finance, Accounts, HR

Communication Between them should be restricted and allowed on specific host and services. My approach is that I have assigned security level of "0" to each of them and also enabled "same-security-traffic permit inter-interface", so that they can communicate with each other. Now what I have observed is that as soon as I enable same-security-traffic permit inter-interface, traffic starts flowing among them without the need for any access-list. But as soon as I create an access list for some specific host, traffic stops flowing for all other hosts except for the one which was granted access in the access-list.

Is my approach right? Please do advise, and also is this a default behaviour of ASA to implicitly deny traffic for all hosts as soon as I place an ACL after enabling same-security-traffic permit inter-interface?

Thanks and Regards

Correct Answer by Julio Carvaja about 1 year 10 months ago

Hello,

If all of the networks zone have the same security level for your company then you can use the same one on them.

Remember that all the ACL's have an implicit deny at the bottom, so the behavior is expected.

Same security level interfaces with the same-security-traffic command will be allowed to exchange traffic without the need for an ACL, but as soon as you place one on any of those interfaces you will need to specify the traffic you will need to allow.

Regards,

Rate all the helpful posts

Julio

Security Engineer
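As an added illustration of the behaviour described in this thread (example configuration, not posted by either participant): three interfaces at security level 0, same-security-traffic enabled, and one inbound ACL on the finance interface. The interface names, addresses and ports are made up for the example.

```cisco
! Three departmental interfaces, all at security level 0 (constructed addresses)
interface GigabitEthernet0/1
 nameif finance
 security-level 0
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif accounts
 security-level 0
 ip address 10.10.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif hr
 security-level 0
 ip address 10.10.3.1 255.255.255.0
!
! Without this line, traffic between equal-security interfaces is dropped
same-security-traffic permit inter-interface
!
! Explicit permits for one finance host to one accounts server.
! Everything else entering "finance" (including finance-to-hr) now hits the
! implicit deny at the end of the list, which is the effect seen in the question.
access-list FINANCE_IN extended permit tcp host 10.10.1.20 host 10.10.2.10 eq 443
access-list FINANCE_IN extended permit tcp host 10.10.1.20 host 10.10.2.10 eq 445
!
! Optional: restate the implicit deny so the drops are logged and visible
access-list FINANCE_IN extended deny ip any any log
!
! The inbound ACL applies to all traffic entering "finance", whatever the exit interface
access-group FINANCE_IN in interface finance
```

The accounts and hr interfaces keep the unrestricted same-security behaviour until they get their own inbound ACL; `show access-list FINANCE_IN` shows per-line hit counts for confirming which entries are matching.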


cashkhann Sat, 06/02/2012 - 02:36

Thanks Julio

Somehow I am not comfortable with the higher/lower security levels concept; for me every network on my firewall is critical and I want to have granular control on each and every host in the corporate network.

Regards

Posted June 1, 2012 at 8:53 AM