Cisco Support Community

New Member

same-security-traffic command

I'm using a FWSM with static NAT. I have an outside interface connected to the internet. I have an inside interface with security level 100. I added a second interface with a security level of 100.

With ACLs I'm not able to allow traffic to pass from one inside interface to another. I enabled 'same-security-traffic' between same-security-level interfaces.

Is there no means to allow traffic via ACLs between these interfaces? If I have to use the same-security-traffic command, then do I need to use deny ACLs to restrict unwanted traffic?

I need to add a DMZ interface. I planned to assign a security level for the DMZ somewhere between 0 and 100. Will I be able to use ACLs to allow some traffic from the inside interface to the DMZ? I hope so. If that is the case, maybe I should give the inside interface a level of 100 and all others less than 100 to avoid the same-security-traffic command.

Any thoughts?

3 REPLIES
New Member

Re: same-security-traffic command

I did test and change the security levels of the inside interfaces. Seems like I do not now need the 'same-security-traffic' command and can use ACLs to permit traffic. Am I on the right track?

Bronze

Re: same-security-traffic command

Traffic can pass from a higher security level to a lower security level segment without the need for an explicit ACE to allow the traffic.

If the interfaces are set to the same security-level and you have the same-security inter-interface command enabled, you'll need to specify access-lists in both directions to pass traffic.

New Member

Re: same-security-traffic command

With the Firewall Services Module the high-to-low security behaviour we know from the PIX/ASA does not apply in the same way. You have to explicitly apply access groups to each interface to allow traffic flow. The high-to-low security levels do not allow traffic to flow without them.

The same-security-traffic command has two keywords. permit intra-interface basically allows traffic to flow in and back out of the same interface without the AS Algorithm dropping it; it is typically used with VPNs, etc.

The permit inter-interface allows the interfaces with the same security level to communicate with each other.

In your scenario, where you have the same security levels on the FWSM, you would need to apply both the ACLs and the same-security-traffic permit inter-interface command.

You would not need to apply deny ACLs for unwanted traffic, as traffic would need to be allowed in your ACLs; all other traffic would be denied by default, and typically you may follow up with a deny any any log at the bottom of your list anyway.

HTH

Stu
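The configuration the two replies above describe, written out as a constructed example (added here; it is not from the thread, the original poster's FWSM, or Cisco documentation). The VLAN numbers, interface names, subnets and hosts are assumed placeholders; the commands themselves (same-security-traffic, access-list ... extended, access-group) are standard FWSM/ASA syntax.

```cisco
! Constructed FWSM fragment: two interfaces at security level 100.
! VLAN numbers, nameifs and addresses are placeholders.
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
interface Vlan20
 nameif inside2
 security-level 100
 ip address 10.2.0.1 255.255.255.0
!
! Without this line no traffic crosses two interfaces at the same level,
! regardless of what the ACLs permit.
same-security-traffic permit inter-interface
!
! Each interface needs its own inbound ACL; the FWSM does not permit
! high-to-low traffic implicitly, so every initiating flow is listed.
! Connections from inside to inside2: SSH only.
access-list INSIDE_IN extended permit tcp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 22
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Connections from inside2 back to inside: HTTPS to a single host only.
access-list INSIDE2_IN extended permit tcp 10.2.0.0 255.255.255.0 host 10.1.0.50 eq 443
access-list INSIDE2_IN extended deny ip any any log
access-group INSIDE2_IN in interface inside2
```

"Both directions" here means connections initiated from each side: the firewall is stateful, so the return packets of a permitted TCP session are allowed without a second ACE. The explicit deny ip any any log at the bottom of each list changes nothing about what is dropped (the implicit deny already does that) but makes rejected attempts visible in syslog, and show access-list displays per-ACE hit counts, which is the quickest way to confirm that the permit lines are actually matching the traffic you expect.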
