ASA security level concept question

ICFCISCO1 — Fri, 21 Feb 2020 13:11:53 GMT

Hi all

Need some help regarding ACL configuration.

Let's say I have an ASA with 4 interfaces (A, B, C and outside. Security levels for A,B,C are equal, outside is less)

All clients on networks A,B,C are allowed to connect to outside. In this case I don't need to configure an ACL as all traffic to less secure networks is allowed.

But what to do if I want to allow one host on interface A to connect to one host on interface B? Of course, I can add an ACE to interface' A inside ACL to allow that but will loose my implicit rule and connectivity to outside.

Is there a way to add an ACE on inside ACL for interface A allowing traffic that needs to go out of outside?

There is a command for this:

Marvin Rhoads — Sat, 24 May 2014 14:58:49 GMT

There is a command for this:

same-security-traffic permit inter-interface

If you only want to allow to a single host on the other same security interface then you need to be more creative with multiple ACEs in your access-list:

permit host to host

deny to the other subnets on the same security interfaces

permit to all others

topic ASA security level concept question in Network Security

ASA security level concept question

There is a command for this: