Cisco ASA Security Levels

Hi All

I have just started working on Cisco ASAs and working on following scenario:

3 Depts having 3 separate Networks given following names

Finance

Accounts

HR

Communication between them should be restricted and allowed only for specific hosts and services. My approach is that I have assigned a security level of "0" to each of them and also enabled "same-security-traffic permit inter-interface", so that they can communicate with each other. Now what I have observed is that as soon as I enable same-security-traffic permit inter-interface, traffic starts flowing among them without the need for any access-list. But as soon as I create an access list for some specific host, traffic stops flowing for all other hosts except for the one which was granted access in the access-list.

Is my approach right? Please do advise. Also, is it the default behaviour of the ASA to implicitly deny traffic for all hosts as soon as I place an ACL after enabling same-security-traffic permit inter-interface?

Thanks and Regards

Accepted Solution

Cisco ASA Security Levels

Hello,

If all of the network zones have the same security level for your company, then you can use the same one on them.

Remember that all ACLs have an implicit deny at the bottom, so the behavior is expected.

Same-security-level interfaces with the same-security-traffic command will be allowed to exchange traffic without the need for an ACL, but as soon as you place one on any of those interfaces you will need to specify the traffic you need to allow.

Regards,

Rate all the helpful posts

Julio

Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
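The configuration below is an added example, not part of Julio's answer or of any Cisco documentation, showing how the three equal-security interfaces and an explicit per-host, per-service ACL fit together. Interface names, addresses and the two hosts are constructed placeholders, and the network-object syntax assumes ASA 8.3 or later.

```cisco
! Added example (not from the thread): three departmental interfaces at the
! same security level, with an explicit per-host/per-service inbound ACL.
! Interface names, addresses and hosts are constructed placeholders.
interface GigabitEthernet0/1
 nameif finance
 security-level 0
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif accounts
 security-level 0
 ip address 10.10.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif hr
 security-level 0
 ip address 10.10.3.1 255.255.255.0
!
! Lets equal-security interfaces exchange traffic. On an interface with no
! inbound ACL, everything entering it is forwarded to the other two.
same-security-traffic permit inter-interface
!
! Inbound ACL for the finance interface: only the finance reporting host may
! reach the accounts ledger server on TCP/443. Every other flow entering
! "finance" hits the deny at the bottom; the explicit "deny ip any any log"
! line changes nothing about what is dropped, it only makes the drops
! visible in syslog so the missing entries are easy to spot.
object network FIN-REPORTING-HOST
 host 10.10.1.50
object network ACCT-LEDGER-SRV
 host 10.10.2.20
!
access-list FINANCE-IN extended permit tcp object FIN-REPORTING-HOST object ACCT-LEDGER-SRV eq 443
access-list FINANCE-IN extended deny ip any any log
!
access-group FINANCE-IN in interface finance
```

Two points worth checking when applying this. The ASA is stateful, so the ledger server's replies for the established session return through "accounts" without any entry on that interface. And an access-group only governs traffic entering the interface it is bound to: sessions initiated from "accounts" or "hr" still pass freely under the same-security rule until each of those interfaces gets its own inbound ACL, so restricting all three departments means one ACL per interface, each with only the flows that department is allowed to start.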
2 REPLIES


Cisco ASA Security Levels

Thanks Julio

Somehow I am not comfortable with the higher/lower security levels concept; for me every network on my firewall is critical, and I want to have granular control on each and every host in the corporate network.

Regards
