Cisco ASA Security Levels

cashkhann
Level 1

Hi All

I have just started working on Cisco ASAs and working on following scenario:

3 Depts having 3 separate Networks given following names

Finance

Accounts

HR

Communication between them should be restricted and allowed only on specific hosts and services. My approach is that I have assigned a security level of "0" to each of them and also enabled "same-security-traffic permit inter-interface", so that they can communicate with each other. Now what I have observed is that as soon as I enable same-security-traffic permit inter-interface, traffic starts flowing among them without the need for any access-list. But as soon as I create an access list for some specific host, traffic stops flowing for all other hosts except for the one which was granted access in the access-list.

Is my approach right? Please do advise, and also, is this a default behaviour of the ASA to implicitly deny traffic for all hosts as soon as I place an ACL after enabling same-security-traffic permit inter-interface?

Thanks and Regards

1 Accepted Solution

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello,

If all of the network zones have the same security level for your company, then you can use the same one on them.

Remember that all ACLs have an implicit deny at the bottom, so the behavior is expected.

Same-security-level interfaces with the same-security-traffic command will be allowed to exchange traffic without the need for an ACL, but as soon as you place one on any of those interfaces you will need to specify the traffic you need to allow.

Regards,

Rate all the helpful posts

Julio

Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

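As an added illustration (not configuration posted in this thread), here is what the behaviour Julio describes looks like in ASA CLI terms. The interface names follow the question; the GigabitEthernet numbering, the IP addressing and the specific host and port are assumed values.

```cisco
! Three interfaces, all at security-level 0 (assumed addressing)
interface GigabitEthernet0/1
 nameif Finance
 security-level 0
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif Accounts
 security-level 0
 ip address 10.2.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif HR
 security-level 0
 ip address 10.3.0.1 255.255.255.0
!
! With no ACL applied to any of these interfaces, this single command
! lets all three exchange traffic freely.
same-security-traffic permit inter-interface
!
! The moment an ACL is bound to Finance (inbound = packets arriving
! from Finance hosts), only what the ACL permits is forwarded; everything
! else hits the implicit deny at the end of the list.
access-list FINANCE_IN extended permit tcp host 10.1.0.25 host 10.2.0.10 eq 443
access-list FINANCE_IN extended permit icmp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 echo
!
! An explicit final deny with "log" makes the otherwise silent implicit
! deny visible in syslog and in hit counters, which is how you confirm
! which flows the ACL is dropping.
access-list FINANCE_IN extended deny ip any any log
!
access-group FINANCE_IN in interface Finance
!
! Accounts and HR have no ACL bound, so traffic they initiate toward
! Finance still flows; return traffic for Finance-initiated sessions is
! allowed statefully. To get the per-host control the question asks for,
! repeat the pattern on each interface.
```

Use `show access-list FINANCE_IN` to read the per-ACE hit counts and see which traffic is reaching the final deny.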

2 Replies

cashkhann
Level 1

Thanks Julio

Somehow I am not comfortable with the higher/lower security levels concept; for me every network on my firewall is critical and I want to have granular control on each and every host in the corporate network.

Regards
