Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Firewall Same Security Level

For interfaces configured as same security level, and global command "same-security-traffic permit inter-interface ".

The traffic will flow between interfaces without require any NAT command. And by default traffic flow freely without access-list.

If I want the traffic can flow between interfaces without any NATing, but I need access control between two interfaces it is possible to apply access-list in the interfaces ?

Regards

3 REPLIES
Purple

Re: Firewall Same Security Level

Since access-lists are applied to interfaces without regard to which interface the traffic is bound for, you should be able to apply access-list statements that act on traffic flowing between the two same-security-level interfaces.

That is, when the access-group command is applied to an interface, it acts on all traffic entering that interface, regardless of where it is destined.

Hope that helps - pls rate the post if it does.

Paresh

New Member

Re: Firewall Same Security Level

I knew access-list can apply to any interfaces, but the question is does it work if the interface is same security level. Below last "bullet" statement from Cisco document cause me doubt about it.

Allowing Communication Between Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces provides the following benefits:

•You want traffic to flow freely between all same security interfaces without access lists.

Re: Firewall Same Security Level

Seemed to have changed ! Same security levels can talk in 7.1 PIX ASA code if the is an access-list.

But I have never used this in the field so I am not sure if that will work.

;-(

To diable NAT you need a NAT exemtion:

-------------------------------------

access-list NONAT (extended) permit ip any any

nat securitylevel0interface (0) access-list NONAT

Security Level Usage Guidelines:

--------------------------------

The level controls the following behavior:

•Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.

For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.

•Inspection engines—Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

–NetBIOS inspection engine—Applied only for outbound connections.

–OraServ inspection engine—If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

•Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

For same security interfaces, you can filter traffic in either direction.

•NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

•established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

For same security interfaces, you can configure established commands for both directions.

Normally, interfaces on the same security level cannot communicate. If you want interfaces on the same security level to communicate, see the same-security-traffic command. You might want to assign two interfaces to the same level and allow them to communicate if you want to create more than 101 communicating interfaces, or you want protection features to be applied equally for traffic between two interfaces; for example, you have two departments that are equally secure.

If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.

Examples

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/cmd_ref/s1_711.htm#wp1233512

sincerely

Patrick

223
Views
0
Helpful
3
Replies