Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
663
Views
0
Helpful
2
Replies

changing security-level

Go to solution
Benjamin Saito
Level 1
Level 1

‎08-29-2013 07:37 AM - edited ‎03-11-2019 07:32 PM

Hello,

I need to change the security-level on an interface for a cisco asa 5520. I am not sure if this will cause downtime, can someone please inform me? I cannot seem to find anything on the internet about this. Thanks in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎08-29-2013 07:51 AM

Hi,

If you have interface ACLs configured on all interfaces already then changing the "security-level" will not change anything.

If you however have some interfaces that dont use ACLs and you are for example changing some other interfaces "security-level" to a higher value than the interface which doesnt have an interface ACL, then you might start blocking all traffic from behind the interface with no ACL to the network behind the interface thats "security-level" got changed.

There is also one NAT related issue that might arise from changing "security-level" value but it only applies to software level 8.2 and below. It also is a NAT configuration that is very rare (atleast I have not run into it that many times)

This NAT related situation specifically comes when you are doing Dynamic NAT/PAT and the source addresses/networks are behind an interface which "security-level" is lower than the destination interfaces.

A simple example could be

interface GigabitEthernet0/0

nameif outside

security-level 0

ip add 1.1.1.2 255.255.255.248

interface GigabitEthernet0/1

nameif 3rdparty

security-level 2

ip add 2.2.2.2 255.255.255.248

If you wanted to configure Dynamic PAT between these interfaces then the "nat" command would require an extra parameter at the end. Specifically "outside" (this doesnt refer to any interface name)

global (3rdparty) 1 interface

nat (outside) 1 10.10.10.0 255.255.255.0 outside

The above configuration is meant to illustrate a situation for example where you want some VPN Client or L2L VPN remote network to be able to access some 3rd party site and the "security-level" values of the interfaces are the other way around than typically from going from secure to unsecure.

There might also be some minor cosmetic changes in the command output and syslogs. For example the "security-level" defines in what order the "show conn" output is shown for the source and destination IP address. Also the connection forming logs are mentioned as either "inbound" or "outbound" based on the "security-level" value. (Outbound from higher to lower and Inbound from lower to higher)

But as I said, these are just cosmetic changes.

There might be some other things but I cant think of anything else than the ones above.

- Jouni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎08-29-2013 07:51 AM

Hi,

If you have interface ACLs configured on all interfaces already then changing the "security-level" will not change anything.

If you however have some interfaces that dont use ACLs and you are for example changing some other interfaces "security-level" to a higher value than the interface which doesnt have an interface ACL, then you might start blocking all traffic from behind the interface with no ACL to the network behind the interface thats "security-level" got changed.

There is also one NAT related issue that might arise from changing "security-level" value but it only applies to software level 8.2 and below. It also is a NAT configuration that is very rare (atleast I have not run into it that many times)

This NAT related situation specifically comes when you are doing Dynamic NAT/PAT and the source addresses/networks are behind an interface which "security-level" is lower than the destination interfaces.

A simple example could be

interface GigabitEthernet0/0

nameif outside

security-level 0

ip add 1.1.1.2 255.255.255.248

interface GigabitEthernet0/1

nameif 3rdparty

security-level 2

ip add 2.2.2.2 255.255.255.248

If you wanted to configure Dynamic PAT between these interfaces then the "nat" command would require an extra parameter at the end. Specifically "outside" (this doesnt refer to any interface name)

global (3rdparty) 1 interface

nat (outside) 1 10.10.10.0 255.255.255.0 outside

The above configuration is meant to illustrate a situation for example where you want some VPN Client or L2L VPN remote network to be able to access some 3rd party site and the "security-level" values of the interfaces are the other way around than typically from going from secure to unsecure.

There might also be some minor cosmetic changes in the command output and syslogs. For example the "security-level" defines in what order the "show conn" output is shown for the source and destination IP address. Also the connection forming logs are mentioned as either "inbound" or "outbound" based on the "security-level" value. (Outbound from higher to lower and Inbound from lower to higher)

But as I said, these are just cosmetic changes.

There might be some other things but I cant think of anything else than the ones above.

- Jouni

0 Helpful

Go to solution
Benjamin Saito
Level 1
Level 1
In response to Jouni Forss

‎08-29-2013 07:56 AM

Thanks for the information Jouni. This is a new interface that doesn't have any rules on it at the moment and I don't believe any other interfaces need access to this interface at the moment. And this ASA is using code version 8.3(2) so it sounds like I should be good. Thanks again!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card