topic hi Neno, in Network Security

ASA - same-security-traffic permit inter-interface VS access-list permit/deny

Ruslan Moldaliev — Tue, 12 Mar 2019 07:40:30 GMT

hi folks,

I'm wondering if I use same-security-traffic permit inter-interface command at ASA and I have 2 separate interfaces with the same security level and ACL with a couple of explicit permit rules, whether traffic not covered by those permit statements will be blocked by implicit deny in the end of ACL or am I completely wrong in my thinking?

Hello Ruslan-

nspasov — Wed, 27 Apr 2016 19:00:53 GMT

Hello Ruslan-

Check out the link below 🙂

Note All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the ASA.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html

Thank you for rating helpful posts!

hi Neno,

Ruslan Moldaliev — Wed, 27 Apr 2016 19:45:33 GMT

hi Neno,

thanks, I saw this link, however it still doesn't answer my question.

and wonder what will be with the traffic in the case described by me, whether it will drop or no, this is the question.

Yes, the ACL rule(s) would be

nspasov — Wed, 27 Apr 2016 20:04:01 GMT

Yes, the ACL rule(s) would be examined and if traffic that is not permitted will be dropped.

Thank you for rating helpful posts!

hi Neno,

Ruslan Moldaliev — Mon, 02 May 2016 07:14:52 GMT

hi Neno,

thanks for the information.

also I tested it in production environment and seems my traffic is dropped by implicit deny.

and I wanted to ask if you encountered with something like this - I increased security level from 100 0 to 50 (I had both 100 0) and still need to have permit statement to allow traffic flows from interface with security level 50 to interface with security level 100 0.

is it expected behaviour?

Yes, you must explicitly

nspasov — Mon, 02 May 2016 07:14:53 GMT

Yes, you must explicitly permit traffic from a lower security level to a higher security level interface.

Thank you for rating helpful posts!

Neno,

Ruslan Moldaliev — Wed, 04 May 2016 20:51:22 GMT

Neno,

thanks for the explanation, but I admitted mistake in my previous post. please pay attention to strikethrough text.

what would you say about that case?

The only time when security

Marius Gunnerud — Thu, 05 May 2016 10:10:24 GMT

The only time when security-levels come into play is when you do not have an ACL configured on the interface. If an ACL is configured then it is the ACL that counts with the implicit deny at the end of the ACL. If there is no ACL on the interface then it is the security-level that comes into play.

Please remember to select a correct answer and rate helpful posts

Marius,

Ruslan Moldaliev — Thu, 05 May 2016 10:34:41 GMT

Marius,

do i understand you correctly that if I have ACL applied to the interfaces there is no matter what security-level is configured/present?

That is correct.

Marius Gunnerud — Thu, 05 May 2016 11:13:45 GMT

That is correct.

But then if you have an interface with an ACL and another interface without an ACL and you want to pass traffic between the two interfaces, then the interface without an ACL will rely on the security level while the interface with the ACL configured will rely on the ACL entries configured.

Please remember to select a correct answer and rate helpful posts

Ahh ok, that makes sense :)

nspasov — Thu, 05 May 2016 15:19:14 GMT

Ahh ok, that makes sense 🙂 Yes, that is also expected behavior. The security-level interface becomes irrelevant if an ACL is applied to filter traffic on that particular interface. Thus, traffic flow that is not permitted in the ACL will be dropped due to the "implicit deny" at the end of the ACL. Here is a link to another good thread that explains this very well:

https://supportforums.cisco.com/discussion/11539041/asa-firewall-interface-security-levels-and-access-lists

Thank you for rating helpful posts!

Re: That is correct.

sainathp — Wed, 27 Sep 2017 14:08:47 GMT

Hi..I have 2 interfaces DMZ1 and DMZ2 at the same security level. Traffic between the interfaces is allowed using:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

DMZ1 has no ACLs as it is a new VLAN created. DMZ2 has lot of ACLs. According to you, DMZ1 should look at security level first as there are no ACLs. Then, DMZ1 would see that it has same security level as DMZ2 and allow traffic by the virtue of above commands. But this is not happening. When I run a packet tracer, it is denied by implicit deny rule. So, the idea of of the above commands doesn't seem make sense at all. Please help me clear my confusion.

Re: Ahh ok, that makes sense :)

JRDIAZ758 — Mon, 12 Feb 2018 18:34:48 GMT

what if you have the ACL in place and not the inter-interface command.

would that cause traffic not to be allowed ?