I have just started working on Cisco ASAs and am working on the following scenario:
3 departments with 3 separate networks, given the following names:
Communication between them should be restricted and allowed only for specific hosts and services. My approach is that I have assigned a security level of "0" to each of them and also enabled "same-security-traffic permit inter-interface", so that they can communicate with each other. Now what I have observed is that as soon as I enable same-security-traffic permit inter-interface, traffic starts flowing among them without the need for any access-list. But as soon as I create an access-list for some specific host, traffic stops flowing for all other hosts except for the one which was granted access in the access-list.
Is my approach right? Please advise. Also, is it the default behaviour of the ASA to implicitly deny traffic for all hosts as soon as I place an ACL after enabling same-security-traffic permit inter-interface?
Thanks and Regards
If all of the network zones have the same security level for your company, then you can use the same one on them.
Remember that all ACLs have an implicit deny at the bottom, so the behavior is expected.
Same-security-level interfaces with the same-security-traffic command will be allowed to exchange traffic without the need for an ACL, but as soon as you place one on any of those interfaces you will need to specify the traffic you need to allow.
Rate all the helpful posts.
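The following ASA configuration is an added example illustrating the behaviour described in the thread; it is not the original poster's or the answerer's configuration. Interface names, subnets, the host 10.2.0.50 and TCP/445 as the permitted service are assumptions chosen for illustration. It shows the three equal-security interfaces, the same-security-traffic command that lets them talk with no ACL at all, and a single inbound ACL on one interface whose implicit deny (written out explicitly here with logging) is what stops every flow that is not listed.

```cisco
! Added example, not from the original post. Interface names, addresses,
! the allowed host and the allowed service are assumptions.
interface GigabitEthernet0/1
 nameif dept_a
 security-level 0
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dept_b
 security-level 0
 ip address 10.2.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dept_c
 security-level 0
 ip address 10.3.0.1 255.255.255.0
!
! Interfaces at the same security level drop traffic between each other by
! default. This command permits it; with no ACL applied, everything is allowed.
same-security-traffic permit inter-interface
!
! Assumed server in dept_b that dept_a hosts may reach over SMB (TCP/445).
object network dept_b_fileserver
 host 10.2.0.50
!
! Inbound ACL for dept_a. Only the listed flow is permitted; every other packet
! arriving on dept_a (to dept_b AND to dept_c) hits the deny at the bottom.
! The explicit "deny ip any any log" is equivalent to the implicit deny the
! ASA adds anyway, but it produces syslog and hit counters you can inspect.
access-list dept_a_in extended permit tcp 10.1.0.0 255.255.255.0 object dept_b_fileserver eq 445
access-list dept_a_in extended deny ip any any log
!
access-group dept_a_in in interface dept_a
```

Two points worth checking after applying this. First, the ACL is evaluated only for traffic entering dept_a; dept_b and dept_c still have no ACL, so connections they initiate toward dept_a remain permitted by same-security-traffic until each interface gets its own ACL, and replies to the permitted SMB session come back through the connection table without needing a rule on dept_b. Second, verify the policy rather than guessing: `show access-list dept_a_in` shows per-line hit counts (the deny line should climb while unexpected traffic is being dropped), and `packet-tracer input dept_a tcp 10.1.0.10 12345 10.2.0.50 445` followed by the same command against a non-listed destination shows exactly which ACL line allows or drops each flow.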