topic Allow traffic from lower security level to higher - ASA 5515 in Network Security

Allow traffic from lower security level to higher - ASA 5515

Pratik Prajapati — Fri, 21 Feb 2020 14:15:44 GMT

I am running latest 9.8.1 code. I need assistance in allowing traffic from lower security level to higher. Below is the config.

Interface g0/1

nameif inside
security-level 100
ip address 10.20.5.1 255.255.255.0 standby 10.20.5.2

interface g0/2

nameif DMZ1
security-level 15
ip address 10.20.3.1 255.255.255.0 standby 10.20.3.2

interface g0/3

description SQL subnet
vlan 5
nameif DMZ2
security-level 25
ip address 10.20.4.1 255.255.255.0 standby 10.20.4.2

I need help in allowing traffic both ways between inside and DMZ1 and inside and DMZ2.

Thank you in advance.

Re: Allow traffic from lower security level to higher - ASA 5515

Marvin Rhoads — Thu, 31 Aug 2017 17:07:15 GMT

Higher security to lower security is allowed by default. Only if you have an ACL applied for other reasons on the interface do you need to add a rule for traffic to lower security interfaces.

For the lower to higher use case you just need to permit it with an access-list and then assign the access-list with the access-group command.

In both cases, return traffic for a given flow is always allowed since the ASA is a stateful firewall.

Re: Allow traffic from lower security level to higher - ASA 5515

Pratik Prajapati — Thu, 31 Aug 2017 17:34:32 GMT

Sound dumb but I need help with creating those ACLs. I have tried different ways but haven't been successful.

Re: Allow traffic from lower security level to higher - ASA 5515

Marvin Rhoads — Thu, 31 Aug 2017 17:51:28 GMT

Two lines should do it. Assuming you want any host in DMZ2 to communicate with any host in DMZ1, something like this should work:

access-list dmz2-dmz1 permit ip 10.20.3.0 255.255.255.0 10.20.4.0 255.255.255.0

access-group dmz2-dmz1 in interface dmz2

Of course if that's your policy, you could just make them same security level and "permit same-security traffic intra-interface"

Re: Allow traffic from lower security level to higher - ASA 5515

KylePericak9919 — Sun, 16 Jun 2019 21:54:28 GMT

Hey, I know this is an old thread but its the top google result.

The problem with the written ACL solution is that the implicit deny at the end of the ACL will break the built-in permission for traffic to move from higher to lower level security zones. If you have a management network, an internal network for VMs, and an internet network (outside), adding one ACL to permit one VM to access one management network IP will break the outbound internet access.

Is there any way short of manually blocking traffic to each higher-level network, then allowing any any, to resolve this?

Re: Allow traffic from lower security level to higher - ASA 5515

Marvin Rhoads — Mon, 17 Jun 2019 02:33:04 GMT

@KylePericak9919 wrote:

...

Is there any way short of manually blocking traffic to each higher-level network, then allowing any any, to resolve this?

That's the recommended solution.

Typically, where the internal networks are RFC 1918, you can just do the single allow and then a couple of lines do deny the three RFC 1918 supernets (or one line of you define a network object group for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and then a final "allow any any".