Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA Firewall interface security levels and access-lists

Hello,

I am trying to understand the correlation between ACLs and interface security levels on an ASA.

I am working with an ASA using both!!??

Is this possible?

Assumptions: Any ACL applied below is on the transmit wire (interface) only in the inbound direction.

Scenario 1

high security interface level to low interface security level.

No ACL = passes as I expect

What happens if there is an ACL denying a test packet in the above scenario?

Scenario 2

Low security to high

No ACL = Traffic will not pass as I expect

What happens if there is an ACL permitting the above test packet.

I have trawled through documentation on the web-site and cannot find examples including both (ACL usage in conjunction with security-levels).

Thank you in advance for any help offered.

Everyone's tags (1)
3 ACCEPTED SOLUTIONS

Accepted Solutions
Community Member

ASA Firewall interface security levels and access-lists

Security levels on interfaces on the ASA are to define how much you trust traffic from that interface.  Level 100 is the most trusted and 0 is the least trusted.  Some people will use 50 for a DMZ since you trust it more then internet traffic, but less then internal traffic. 

This is how I look at security levels:

A security level of 1 to 99 always two implicit ACL's.  One to allow traffic to lower security interfaces and one to deny traffic to higher level security interfaces.  Security level 100 has an implicit permit ip any any and level 0 has an implicit deny ip any any.

In scenario 1, if you apply a deny ACL to a security level of 1-99, it will remove that implicit permit ip any any and deny traffic according to the ACL and all traffic.  You would have to create an ACL to allow whatever other traffic you want.  If this ACL is applied to a security level of 100, it will essentially deny all traffic since it will remove the implicit permit ip any any ACL.  Again, you will have to create another ACL to allow traffic.

In scenario 2, if you apply a permit ACL to a security level 0 interface, it will allow that traffic, but still deny all other traffic.  However, if the security level is 1-100, it will all traffic to that destination and remove the implicit ACLs (permit and deny)

Community Member

ASA Firewall interface security levels and access-lists

From High to Low > By default permitted

From Low to High> You need ACL in inbound direction on interface on which traffic lands.

Till 8.2

1) If nat-control is enable you need natting along with ACL

2) If nat-control is disabled you just need ACL.

After 8.2

You do not need nating.You just need ACL for allowing communication between different zones.

ASA Firewall interface security levels and access-lists

If you have the security levels in place, the ASA maintains a stateful connection and allows return traffic without additional configuration in most cases.  The only other though you might have to worry about is protocls that may source from a different port - FTP for instance.  In this case, it would be handeled with inspection.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
6 REPLIES
Community Member

ASA Firewall interface security levels and access-lists

Security levels on interfaces on the ASA are to define how much you trust traffic from that interface.  Level 100 is the most trusted and 0 is the least trusted.  Some people will use 50 for a DMZ since you trust it more then internet traffic, but less then internal traffic. 

This is how I look at security levels:

A security level of 1 to 99 always two implicit ACL's.  One to allow traffic to lower security interfaces and one to deny traffic to higher level security interfaces.  Security level 100 has an implicit permit ip any any and level 0 has an implicit deny ip any any.

In scenario 1, if you apply a deny ACL to a security level of 1-99, it will remove that implicit permit ip any any and deny traffic according to the ACL and all traffic.  You would have to create an ACL to allow whatever other traffic you want.  If this ACL is applied to a security level of 100, it will essentially deny all traffic since it will remove the implicit permit ip any any ACL.  Again, you will have to create another ACL to allow traffic.

In scenario 2, if you apply a permit ACL to a security level 0 interface, it will allow that traffic, but still deny all other traffic.  However, if the security level is 1-100, it will all traffic to that destination and remove the implicit ACLs (permit and deny)

Community Member

ASA Firewall interface security levels and access-lists

From High to Low > By default permitted

From Low to High> You need ACL in inbound direction on interface on which traffic lands.

Till 8.2

1) If nat-control is enable you need natting along with ACL

2) If nat-control is disabled you just need ACL.

After 8.2

You do not need nating.You just need ACL for allowing communication between different zones.

Community Member

ASA Firewall interface security levels and access-lists

Thank you.

Therefore, hence; Security level is priority??

A: Unless security 0 (x) = nothing passes unless inbound ACL on interface X says so (permits it)

!

B: Security level 2 (X) towards security level 1 (Y). If interface X has a 'deny IP any any' inbound ACL = traffic will still flow??

!

What about established tcp flows? Is return 'established' traffic affected by ACLs and security levels?

ASA Firewall interface security levels and access-lists

If you have the security levels in place, the ASA maintains a stateful connection and allows return traffic without additional configuration in most cases.  The only other though you might have to worry about is protocls that may source from a different port - FTP for instance.  In this case, it would be handeled with inspection.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
Community Member

Thanks for explanation

Thanks for explanation Christopher 

But still I would like to know how to decide security level between 0 to 100 of any interface.
 

 

Well some of it you are going

Well some of it you are going to just have to decide on.  In general, the outside interface has a security level of "0", the DMZ interface has a security level of "50" and the inside interface has a security level of "100".  The logic here is that interfaces with lower security levels cannot access nodes behind a higher level interface with an ACL permitting it. 

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
63767
Views
5
Helpful
6
Replies
CreatePlease to create content