Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
107536
Views
17
Helpful
6
Replies

ASA Firewall interface security levels and access-lists

Go to solution
geraghtyconor
Level 1
Level 1

‎06-28-2012 08:38 AM - edited ‎03-11-2019 04:24 PM

Hello,

I am trying to understand the correlation between ACLs and interface security levels on an ASA.

I am working with an ASA using both!!??

Is this possible?

Assumptions: Any ACL applied below is on the transmit wire (interface) only in the inbound direction.

Scenario 1

high security interface level to low interface security level.

No ACL = passes as I expect

What happens if there is an ACL denying a test packet in the above scenario?

Scenario 2

Low security to high

No ACL = Traffic will not pass as I expect

What happens if there is an ACL permitting the above test packet.

I have trawled through documentation on the web-site and cannot find examples including both (ACL usage in conjunction with security-levels).

Thank you in advance for any help offered.

1 person had this problem
Labels:
3 Accepted Solutions

Accepted Solutions

Go to solution
deyster94
Level 5
Level 5

‎06-28-2012 09:04 AM

Security levels on interfaces on the ASA are to define how much you trust traffic from that interface.  Level 100 is the most trusted and 0 is the least trusted.  Some people will use 50 for a DMZ since you trust it more then internet traffic, but less then internal traffic. 

This is how I look at security levels:

A security level of 1 to 99 always two implicit ACL's.  One to allow traffic to lower security interfaces and one to deny traffic to higher level security interfaces.  Security level 100 has an implicit permit ip any any and level 0 has an implicit deny ip any any.

In scenario 1, if you apply a deny ACL to a security level of 1-99, it will remove that implicit permit ip any any and deny traffic according to the ACL and all traffic.  You would have to create an ACL to allow whatever other traffic you want.  If this ACL is applied to a security level of 100, it will essentially deny all traffic since it will remove the implicit permit ip any any ACL.  Again, you will have to create another ACL to allow traffic.

In scenario 2, if you apply a permit ACL to a security level 0 interface, it will allow that traffic, but still deny all other traffic.  However, if the security level is 1-100, it will all traffic to that destination and remove the implicit ACLs (permit and deny)

View solution in original post

Go to solution
gouravbathla
Level 1
Level 1
In response to deyster94

‎06-28-2012 09:40 PM

From High to Low > By default permitted

From Low to High> You need ACL in inbound direction on interface on which traffic lands.

Till 8.2

1) If nat-control is enable you need natting along with ACL

2) If nat-control is disabled you just need ACL.

After 8.2

You do not need nating.You just need ACL for allowing communication between different zones.

View solution in original post

Go to solution
Christopher Bell
Level 4
Level 4
In response to geraghtyconor

‎06-29-2012 11:40 AM

If you have the security levels in place, the ASA maintains a stateful connection and allows return traffic without additional configuration in most cases.  The only other though you might have to worry about is protocls that may source from a different port - FTP for instance.  In this case, it would be handeled with inspection.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

View solution in original post

6 Replies 6

Go to solution
deyster94
Level 5
Level 5

‎06-28-2012 09:04 AM

Security levels on interfaces on the ASA are to define how much you trust traffic from that interface.  Level 100 is the most trusted and 0 is the least trusted.  Some people will use 50 for a DMZ since you trust it more then internet traffic, but less then internal traffic. 

This is how I look at security levels:

A security level of 1 to 99 always two implicit ACL's.  One to allow traffic to lower security interfaces and one to deny traffic to higher level security interfaces.  Security level 100 has an implicit permit ip any any and level 0 has an implicit deny ip any any.

In scenario 1, if you apply a deny ACL to a security level of 1-99, it will remove that implicit permit ip any any and deny traffic according to the ACL and all traffic.  You would have to create an ACL to allow whatever other traffic you want.  If this ACL is applied to a security level of 100, it will essentially deny all traffic since it will remove the implicit permit ip any any ACL.  Again, you will have to create another ACL to allow traffic.

In scenario 2, if you apply a permit ACL to a security level 0 interface, it will allow that traffic, but still deny all other traffic.  However, if the security level is 1-100, it will all traffic to that destination and remove the implicit ACLs (permit and deny)

Go to solution
gouravbathla
Level 1
Level 1
In response to deyster94

‎06-28-2012 09:40 PM

From High to Low > By default permitted

From Low to High> You need ACL in inbound direction on interface on which traffic lands.

Till 8.2

1) If nat-control is enable you need natting along with ACL

2) If nat-control is disabled you just need ACL.

After 8.2

You do not need nating.You just need ACL for allowing communication between different zones.

Go to solution
geraghtyconor
Level 1
Level 1
In response to gouravbathla

‎06-29-2012 01:00 AM

Thank you.

Therefore, hence; Security level is priority??

A: Unless security 0 (x) = nothing passes unless inbound ACL on interface X says so (permits it)

!

B: Security level 2 (X) towards security level 1 (Y). If interface X has a 'deny IP any any' inbound ACL = traffic will still flow??

!

What about established tcp flows? Is return 'established' traffic affected by ACLs and security levels?

0 Helpful

Go to solution
Christopher Bell
Level 4
Level 4
In response to geraghtyconor

‎06-29-2012 11:40 AM

If you have the security levels in place, the ASA maintains a stateful connection and allows return traffic without additional configuration in most cases.  The only other though you might have to worry about is protocls that may source from a different port - FTP for instance.  In this case, it would be handeled with inspection.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

Go to solution
harshalp
Level 1
Level 1
In response to Christopher Bell

‎06-08-2015 01:46 AM

Thanks for explanation Christopher 

But still I would like to know how to decide security level between 0 to 100 of any interface.
 

 

0 Helpful

Go to solution
Christopher Bell
Level 4
Level 4
In response to harshalp

‎06-15-2015 05:59 AM

Well some of it you are going to just have to decide on.  In general, the outside interface has a security level of "0", the DMZ interface has a security level of "50" and the inside interface has a security level of "100".  The logic here is that interfaces with lower security levels cannot access nodes behind a higher level interface with an ACL permitting it. 

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card