topic Re: Security Level Cisco 5506x in Network Security

Security Level Cisco 5506x

shehrozceh — Fri, 21 Feb 2020 15:02:29 GMT

I'm configuring interfaces by GUI in Cisco 5506x but i'm unable to configure security level for specific interface. I have two interfaces in up/up states and both are configured with security level 0. I just want to configure my inside interface with security level 100 so my internet traffic will be passed by default from higher to lower security level.

I have no command in CLI to configure security level but when i hit show running-config or show nameif so these commands are shown me required information with security level 0 but i'm unable to configure even through GUI.

I'm running FTD 6.1.0 Build 330 and this commands are accessible after (firepower login:)

Re: Security Level Cisco 5506x

Marius Gunnerud — Thu, 28 Dec 2017 07:34:13 GMT

FTD doesn't use security level as ASA does, but rather it uses security zones. When you issue the show nameif command you should see that all interfaces have security-level 0. This is because this is the most restrictive level and all other access should manually be configured.

Re: Security Level Cisco 5506x

shehrozceh — Thu, 28 Dec 2017 12:53:48 GMT

Alright i got it. But, i have configured manually the NAT and ACL policy but my internet traffic isn't pass through firewall. I had removed ACL entry and only configured NAT rule because initial traffic is allowed by default. Also i created two security zones 1. Inside 2. outside but i'm unable to allow my internet traffic and i'm doing all of this task by using GUI.

Can you please give an example about how to allow internet traffic using my firepower.

Re: Security Level Cisco 5506x

Marius Gunnerud — Thu, 28 Dec 2017 13:01:51 GMT

of course you are using GUI since Firepower doesn't allow configuration from CLI. But are you using FMC or ASDM?

So, you are just trying to get traffic from inside to outside (internet)? are you able to ping 8.8.8.8 from the FTD?

You need the following to get this to work:

a default route pointing towards your ISP router
a hide NAT statement translating your inside IP to the outside interface IP (remember to assosiate the NAT policy with the device as this is not done by default)
Access control policy with a rule allowing traffic from the inside to any destination on all ports

Re: Security Level Cisco 5506x

shehrozceh — Fri, 29 Dec 2017 05:10:59 GMT

I'm configuring my firewall using FDM (Firepower Device Manager) by typing my management IP address in browser https://MgmtIP

And yes, i'm able to ping 8.8.8.8 from my firewall i test by taking SSH.

I have configured a default route which is pointing towards ISP

I have configured NAT rule which is translating my inside IP addresses to outside

I have configured ACL which is allowing inside interface traffic to any destination.

Re: Security Level Cisco 5506x

Marius Gunnerud — Fri, 29 Dec 2017 07:39:14 GMT

have you checked the log events?

You could also ssh to the FTD and run system support firewall-engine-debug between your PC inside IP and an external IP (client and server). and see if there is a drop action being performed.

from CLI if you issue the command show running-config policy-map, is inspect icmp configured there?