Cisco ASA security level and explicit deny ACL

LionKin1984
Level 1

Hi all

Quick question:

What is the point of having Cisco ASA interfaces on different security levels when you have an explicit deny ACL?

I have configured my ASA with all interfaces (inside, outside and DMZ) on the same security level (100) and some ACLs to enable traffic, and I always have an explicit deny (deny any any) at the end. Would this be an issue?

Thanks


5 Replies

Jouni Forss
VIP Alumni

Hi,

The "security-level" value for the most part loses its effectiveness when you configure ACLs on each interface. I would suggest that you use an interface ACL on each interface to control the traffic rather than the "security-level". I gather that you are already doing this?

Now with regards to the "deny ip any any" at the end of each interface ACL:

You don't necessarily need this as there is an Implicit Deny for all traffic at the end of the ACL. That is, for all traffic that has not been allowed by the ACL before reaching the end of the ACL.

Adding this "deny ip any any" statement does have its uses though. If you add it at the end of each interface ACL you will see how much traffic that is not allowed is hitting the ACL. If you didn't have this "deny ip any any" statement you would not have any knowledge directly in the ACL of how many connections have been blocked by the Implicit Deny statement at the end, since it doesn't show in the configuration (but your added "deny ip any any" would naturally show).

Also, if you happen to be using software level 8.2 (or below) the "security-level" values might affect some NAT configurations a bit. And those cases are pretty rare. On software levels 8.3 (and above) it wouldn't really matter.

The "security-level" also affects the output of the "show conn" command. Mainly in which order the source and destination IP addresses of the connection are shown (based on the "security-level" of the source and destination interface).

Also, log messages generated when a connection is formed through the firewall might contain "Inbound" or "Outbound" based on the "security-level" value of the source and destination interface. (From lower to higher = Inbound, from higher to lower = Outbound.)

Hope I made sense

- Jouni

Hi Jouni

So once ACLs are in place, security levels can be safely ignored? It just makes me wonder what the point of having this security level on Cisco ASA is anyway?

cheers

Hi,

Yes, when you have an interface ACL configured then the "security-level" of the source and destination interface won't matter anymore. I would suggest always using interface ACLs on all interfaces. This keeps the firewall clearer than constantly looking at "security-level" values.

Furthermore you can't really implement any proper access rules with the "security-level" alone as it either blocks all or allows all. So eventually you will run into a situation where you probably have to configure an ACL, so it's best to start using it from the beginning.

I am not sure where the "security-level" stems from. I guess it's been there from the start. I started with the 6.3 software level PIX firewalls and I imagine it was there long before that or maybe even from the start.

I would imagine that "security-level" values are useful when you have a very, very simple network where you for example have WAN (value = 0), DMZ (value = 50) and LAN (value = 100). In this setup essentially LAN can access both WAN and DMZ. DMZ can only access WAN. WAN can't access either LAN or DMZ.

Though in the above setup naturally you would probably need an ACL on the WAN interface anyway if you're hosting some servers there. But the point is, "security-level" is useful only in simple setups and/or very static environments.

Hope this helps

- Jouni
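As an added example (not part of the thread or Jouni's own configuration), the WAN/DMZ/LAN layout described above with an interface ACL on every interface and a logged explicit deny as the last entry, so that traffic the implicit deny would silently drop shows up as hit counts. Interface names, addresses and the published web server are constructed values.

```text
! Constructed example: three interfaces, distinct security levels
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
! With no ACL applied, the level alone decides: inside -> dmz/outside and
! dmz -> outside pass, everything else is blocked. As soon as an ACL is
! applied to an interface, that ACL decides for traffic entering it and
! the level comparison no longer matters for that traffic.
!
! DMZ hosts may only reach the Internet on HTTP/HTTPS and DNS. The final
! deny duplicates the implicit deny but is visible and counts hits.
access-list DMZ_IN extended permit tcp 192.168.50.0 255.255.255.0 any eq 80
access-list DMZ_IN extended permit tcp 192.168.50.0 255.255.255.0 any eq 443
access-list DMZ_IN extended permit udp 192.168.50.0 255.255.255.0 any eq 53
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! From the WAN only the published DMZ web server (constructed address) is
! reachable; this is the ACL the WAN interface needs once servers are hosted.
access-list OUTSIDE_IN extended permit tcp any host 192.168.50.10 eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! LAN users get explicit permits instead of relying on the level-100
! "allow all" behaviour, so the inside policy is readable in one place.
access-list INSIDE_IN extended permit tcp 192.168.100.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit tcp 192.168.100.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit udp 192.168.100.0 255.255.255.0 any eq 53
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! "show access-list DMZ_IN" lists a hitcnt per entry, including the
! explicit deny, which is the visibility the implicit deny does not give.
```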

Thanks again Jouni, we'll stick to ACLs then, cheers

Hi Jouni

I am having a problem with Windows NT domain authentication at the minute, wondering if you can help please.

What it is: we have a small Windows NT domain (one domain controller and 2 domain PCs, all of them NT systems).

I put a Cisco ASA 5512-X between the domain controller and the domain PCs and now neither domain PC can log on to the domain any more.

I have created an ACL to allow traffic from the domain controller to the domain PCs with NetBIOS, DNS and IP services inspected.

I can ping successfully from the domain controller to the domain PCs and vice versa, but cannot log on to the domain.

I know this is a different issue, but I am still trying to figure out how to use this new forum...
