Cisco Support Community

New Member

cisco asa5510 same security levels

Setting up an ASA 5510 - I have six interfaces. I had planned on putting them all at the same security level and then using ACLs to allow specific traffic. However, I haven't been able to get any traffic through any ports, even with permit ip any to any on both inbound and outbound. I do not have the same-security-level statement in the running config.

1. Is it possible to set up all interfaces at the same security level, as I have them, and then use ACLs to restrict traffic?

2. If so, do I have to put an ACL on both in and outbound for every interface?

thank you

6 REPLIES

Re: cisco asa5510 same security levels

Hi,

If you have the same security permit inter-interface command, then you can establish communication between interfaces with the same security level.

You have 101 possible security levels that you can use (0-100), why would you want to put all 6 interfaces in the same security level?

If you chose to have the 6 interfaces with the same security level, you can do that, and restrict traffic based on ACLs.

An inbound ACL on each interface where you want to restrict traffic is enough.

Federico.

New Member

Re: cisco asa5510 same security levels

If I have interfaces at the same security level and turn on "same-security-traffic permit inter-interface"

then create inbound ACLs for those interfaces - will the firewall check those ACLs or just pass all the traffic between the same security interfaces?

Re: cisco asa5510 same security levels

The ASA will always check the inbound ACL for traffic originated via that interface, between any kind of interfaces

(whether or not they have the same security level).

Federico.

Cisco Employee

Re: cisco asa5510 same security levels

Hello,

Firewall BYPASSES the interface access-list check for traffic between two different interfaces with the same security level whenever

same-security-traffic permit inter-interface

is turned ON. You can verify this by looking at the hit counts of the interface ACLs (show access-list) after initiating traffic between two hosts on same-security, different interfaces.

Make sure you have Identity NAT from subnets to allow communication.

HTH

Vijaya

Re: cisco asa5510 same security levels

Sorry for the wrong information.

Vijaya is 100% correct.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1061479

Federico.
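To make the configuration discussed above concrete, here is an added example (not posted by anyone in this thread, and not taken from the linked Cisco guide) in ASA 8.2 CLI syntax, since the link above is to the 8.2 configuration guide. It shows three of the six interfaces at the same security level, the same-security-traffic command, an inbound ACL applied per interface, the identity NAT Vijaya mentions, and the show commands used to verify. The interface names (net1, net2, net3), subnets and ACL names are assumptions; the remaining interfaces follow the same pattern.

```text
! Added example, not from the original thread. Names and addresses are assumptions.
! Three of the six interfaces, all at security-level 50.
interface Ethernet0/0
 nameif net1
 security-level 50
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 nameif net2
 security-level 50
 ip address 10.1.2.1 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 nameif net3
 security-level 50
 ip address 10.1.3.1 255.255.255.0
 no shutdown
!
! Without this line the ASA drops traffic between interfaces at the same
! security level regardless of any ACL, which matches the symptom in the question.
same-security-traffic permit inter-interface
!
! Identity NAT (NAT exemption, 8.2 syntax) so traffic between the 10.1.x.0/24
! subnets is not translated. Needed when nat-control is enabled.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (net1) 0 access-list NONAT
nat (net2) 0 access-list NONAT
nat (net3) 0 access-list NONAT
!
! One inbound ACL per interface, applied in the "in" direction; the ACL controls
! traffic arriving on that interface from the attached subnet. An outbound ACL
! on the egress interface is not required for this.
access-list NET1-IN extended permit tcp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 eq 443
access-list NET1-IN extended permit icmp 10.1.1.0 255.255.255.0 any echo
access-list NET1-IN extended deny ip any any log
access-group NET1-IN in interface net1
!
access-list NET2-IN extended permit tcp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 443
access-list NET2-IN extended deny ip any any log
access-group NET2-IN in interface net2
!
access-list NET3-IN extended deny ip any any log
access-group NET3-IN in interface net3
!
! Verification (from the enable prompt):
!   show running-config same-security-traffic   - confirms the permit is present
!   show nameif                                 - confirms levels and names
!   show access-list NET1-IN                    - hit counts after sending traffic
!                                                 from a 10.1.1.0/24 host to
!                                                 10.1.2.0/24 tell you whether the
!                                                 interface ACL was consulted
```

Send a few test connections from a host on net1 to a host on net2 and compare the hitcnt values in show access-list before and after; the deny ip any any log entry also produces a syslog message for anything the ACL rejects, which is the quickest way to see which rule a dropped packet hit.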

New Member

Re: cisco asa5510 same security levels

Hi,

Vijaya, I used PIX635 with the same security level, and there is no same-security command; I guess it will not work in that, and there is no way to do it.

Bye,
