Cisco Support Community
New Member

Cisco ASA security level and explicit deny ACL

Hi all

Quick question:

What is the point of having Cisco ASA interfaces on different security levels when you have an explicit deny ACL?

I have configured my ASA with all interfaces (inside, outside and DMZ) on the same security level (100) and some ACLs to enable traffic, and I always have an explicit deny (deny any any) at the end. Would this be an issue?

Thanks             

5 REPLIES
Super Bronze

Cisco ASA security level and explicit deny ACL

Hi,

The "security-level" value for the most part loses its effectiveness when you configure ACLs on each interface. I would suggest that you use an interface ACL on each interface to control the traffic rather than the "security-level". I gather that you are already doing this?

Now with regards to the "deny ip any any" at the end of each interface ACL:

You don't necessarily need this, as there is an implicit deny for all traffic at the end of the ACL. That is, for all traffic that has not been allowed by the ACL before reaching the end of the ACL.

Adding this "deny ip any any" statement does have its uses though. If you add it at the end of each interface ACL you will see how much traffic that is not allowed is hitting the ACL. If you didn't have this "deny ip any any" statement you would not have any knowledge directly in the ACL of how many connections have been blocked by the implicit deny statement at the end, since it doesn't show in the configuration (but your added "deny ip any any" would naturally show).

Also, if you happen to be using software level 8.2 (or below) the "security-level" values might affect some NAT configurations a bit. And those cases are pretty rare. On software levels 8.3 (and above) it wouldn't really matter.

The "security-level" also affects the output of the "show conn" command, mainly in which order the source and destination IP addresses of the connection are shown (based on the "security-level" of the source and destination interface).

Also, log messages generated when a connection is formed through the firewall might contain "Inbound" or "Outbound" based on the "security-level" value of the source and destination interface (from lower to higher = Inbound, from higher to lower = Outbound).

Hope I made sense

- Jouni

New Member

Cisco ASA security level and explicit deny ACL

Hi Jouni

So once ACLs are in place, security levels can be safely ignored? It just makes me wonder what the point of having this security level on a Cisco ASA is anyway?

cheers

Super Bronze

Re: Cisco ASA security level and explicit deny ACL

Hi,

Yes, when you have an interface ACL configured then the "security-level" of the source and destination interface won't matter anymore. I would suggest always using interface ACLs on all interfaces. This keeps the firewall clearer than constantly looking at "security-level" values.

Furthermore, you can't really implement any proper access rules with the "security-level" alone as it either blocks all or allows all. So eventually you will run into a situation where you probably have to configure an ACL, so it's best to start using it from the beginning.

I am not sure where the "security-level" stems from. I guess it's been there from the start. I started with the 6.3 software level PIX firewalls and I imagine it was there long before that, or maybe even from the start.

I would imagine that "security-level" values are useful when you have a very, very simple network where you for example have WAN (value = 0), DMZ (value = 50) and LAN (value = 100). In this setup essentially LAN can access both WAN and DMZ. DMZ can only access WAN. WAN can't access either LAN or DMZ.

Though in the above setup naturally you would probably need an ACL on the WAN interface anyway if you're hosting some servers there. But the point is, "security-level" is useful only in simple setups and/or very static environments.

Hope this helps

- Jouni
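Jouni's two replies make three claims a practitioner may want to see side by side: an inbound interface ACL takes over from the security level entirely, the explicit "deny ip any any" only buys you a visible hit counter over the implicit deny, and the level alone is all-or-nothing (the WAN 0 / DMZ 50 / LAN 100 case). The Python model below is an added example by the editor, not code from this thread or from Cisco, that reproduces those rules plus the one caveat that matters for the original poster's all-at-100 design: two interfaces on the same security level need "same-security-traffic permit inter-interface" before traffic between them passes at all, which the model applies before the ACL is consulted (the editor's understanding of ASA behaviour, not something the thread states). Interface names, addresses and ACEs are constructed for the example.

```python
"""Toy model of the ASA access decision discussed above. Added example, not
Cisco code: it mimics the security-level default policy, the inbound interface
ACL with implicit deny, per-ACE hit counts and Inbound/Outbound labelling.
Interface names, addresses and ACEs are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def _in(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


@dataclass
class Ace:
    """One access-list entry; hitcnt is what 'show access-list' reports per ACE."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, else "tcp"/"udp"/"icmp"
    src: str                     # CIDR or "any"
    dst: str
    dport: Optional[int] = None  # None: any destination port
    hitcnt: int = 0

    def matches(self, proto, src, dst, dport) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return _in(self.src, src) and _in(self.dst, dst)


@dataclass
class Interface:
    name: str
    security_level: int
    acl: Optional[list] = None   # None: no 'access-group ... in interface' applied


@dataclass
class Asa:
    interfaces: dict
    same_security_inter_interface: bool = False  # 'same-security-traffic permit inter-interface'
    implicit_deny_drops: int = 0                 # counted here; a real box shows no per-ACE count

    def check(self, ingress, egress, proto, src, dst, dport=None):
        """Decide a new connection entering `ingress` bound for `egress`: (decision, reason)."""
        i, e = self.interfaces[ingress], self.interfaces[egress]
        # Same-level pairs are blocked outright unless inter-interface traffic is permitted
        # (editor's assumption about ASA behaviour: this check precedes the ACL).
        if i.security_level == e.security_level and not self.same_security_inter_interface:
            return "deny", "same security level, same-security-traffic not permitted"
        if i.acl is None:
            # No ACL on the ingress interface: the level alone decides, all or nothing.
            if i.security_level >= e.security_level:
                return "permit", "default: higher/same security level to lower"
            return "deny", "default: lower security level to higher"
        # An ACL is applied: security levels no longer matter, only the ACEs do.
        for ace in i.acl:
            if ace.matches(proto, src, dst, dport):
                ace.hitcnt += 1
                return ace.action, f"ACE '{ace.action} {ace.proto} {ace.src} {ace.dst}'"
        self.implicit_deny_drops += 1
        return "deny", "implicit deny at end of ACL (no ACE, so no hit count)"

    def direction(self, ingress, egress) -> str:
        """Inbound/Outbound label as in syslog; same-level pairs are left unlabelled here."""
        i = self.interfaces[ingress].security_level
        e = self.interfaces[egress].security_level
        if i == e:
            return "same-level"
        return "inbound" if i < e else "outbound"


def op_setup(same_security: bool = True) -> Asa:
    """The original poster's layout: all interfaces at 100, an ACL on each,
    explicit 'deny ip any any' as the last ACE."""
    return Asa({
        "inside": Interface("inside", 100, [
            Ace("permit", "tcp", "10.1.1.0/24", "any", 443),
            Ace("deny", "ip", "any", "any")]),
        "dmz": Interface("dmz", 100, [
            Ace("permit", "udp", "172.16.1.0/24", "10.1.1.0/24", 53),
            Ace("deny", "ip", "any", "any")]),
        "outside": Interface("outside", 100, [Ace("deny", "ip", "any", "any")]),
    }, same_security_inter_interface=same_security)


def classic_setup() -> Asa:
    """Jouni's simple case: WAN 0, DMZ 50, LAN 100, no ACLs anywhere."""
    return Asa({"wan": Interface("wan", 0), "dmz": Interface("dmz", 50),
                "lan": Interface("lan", 100)})


if __name__ == "__main__":
    asa = op_setup()
    print(asa.check("inside", "outside", "tcp", "10.1.1.5", "203.0.113.10", 443))
    print(asa.check("inside", "outside", "tcp", "10.1.1.5", "203.0.113.10", 22))
    print("explicit deny hitcnt:", asa.interfaces["inside"].acl[-1].hitcnt)
```

Run it as-is to see the poster's inside-to-outside HTTPS permitted by the first ACE and SSH caught by the explicit deny, which is the only reason that drop gets a hit count; build the same ASA with same_security=False and the same HTTPS flow is dropped before any ACE is looked at, which is the check to make on a real box ("show running-config same-security-traffic") when every interface sits at 100.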

New Member

Cisco ASA security level and explicit deny ACL

Thanks again Jouni, we'll stick to ACLs then, cheers

New Member

Hi Jouni, I am having a problem

Hi Jouni

I am having a problem with Windows NT domain authentication at the minute, and I am wondering if you can help please.

What it is: we have a small Windows NT domain (one domain controller and 2 domain PCs, all of them NT systems).

I put a Cisco ASA 5512-X between the domain controller and the domain PCs, and now neither domain PC can log on to the domain any more.

I have created an ACL to allow traffic from the domain controller to the domain PCs, with NetBIOS, DNS and IP services inspected.

I can ping successfully from the domain controller to the domain PCs and vice versa, but cannot log on to the domain.

 

I know this is a different issue, but I am still trying to figure out how to use this new forum...
