https://community.cisco.com/t5/network-security/asa-access-rules/m-p/2622322#M197046 <P>Hi,</P><P>&nbsp;</P><P>The <STRONG>"security-level"</STRONG> value of an interface (for the most part) only affects the connectivity through that interface if the interface <STRONG>DOES NOT</STRONG> have an ACL attached. So as soon as you attach the ACL to the interface then you need to allow/deny the traffic you need in that ACL and the <STRONG>"security-level"</STRONG> value does not apply anymore.</P><P>&nbsp;</P><P>The special cases where <STRONG>"security-level"</STRONG> value still plays a part is when you have 2 interfaces with equal <STRONG>"security-level"</STRONG> value. In that case even if you allow traffic in interface ACL the ASA will by default block the connections. In those cases you either have to change the <STRONG>"security-level"</STRONG> value so that they are <STRONG>NOT</STRONG> equal. Or if you dont want to change <STRONG>"security-level"</STRONG> value then you need to add the command <STRONG>"same-security-traffic permit inter-interface"</STRONG></P><P>&nbsp;</P><P>Other special case is when a connection goes in and out through the same interface. Most common example might be VPN Client connnections that come to the <STRONG>"outside" </STRONG>interface and leave to Internet through <STRONG>"outside"</STRONG> also. In this case you will need a similiar command as above. The command is <STRONG>"same-security-traffic permit intra-interface"</STRONG></P><P>&nbsp;</P><P>I would personally suggest using interface ACLs on each interface as using the <STRONG>"security-level" </STRONG>does not give you any chance to have specific rules. I guess in a simple setup you might use only the <STRONG>"security-level"</STRONG> but I use interface ACLs even on my home ASA.</P><P>&nbsp;</P><P>Hope this helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>- Jouni</P> Mon, 16 Feb 2015 11:00:07 GMT Jouni Forss 2015-02-16T11:00:07Z https://community.cisco.com/t5/network-security/asa-access-rules/m-p/2622321#M197045 <P>Hi All,</P><P>&nbsp;</P><P>Just need to confirm if I have understood about the access rules correctly.</P><P>Say I have three interfaces with security levels as specified.&nbsp;Inside(100), Outside(0) and DMZ(50).</P><P>By default, DMZ (Security Level of 50) can access Outside(0).</P><P>Say I have applied an incoming rule on the DMZ interface, will it still hold the default behavior of DMZ able to access Outside?&nbsp;</P><P>or do I need to specify an access-list to allow it? Please advise</P><P>&nbsp;</P><P>According to my testing, I need to allow it.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 05:30:28 GMT https://community.cisco.com/t5/network-security/asa-access-rules/m-p/2622321#M197045 rakeshvelagala 2019-03-12T05:30:28Z https://community.cisco.com/t5/network-security/asa-access-rules/m-p/2622322#M197046 <P>Hi,</P><P>&nbsp;</P><P>The <STRONG>"security-level"</STRONG> value of an interface (for the most part) only affects the connectivity through that interface if the interface <STRONG>DOES NOT</STRONG> have an ACL attached. So as soon as you attach the ACL to the interface then you need to allow/deny the traffic you need in that ACL and the <STRONG>"security-level"</STRONG> value does not apply anymore.</P><P>&nbsp;</P><P>The special cases where <STRONG>"security-level"</STRONG> value still plays a part is when you have 2 interfaces with equal <STRONG>"security-level"</STRONG> value. In that case even if you allow traffic in interface ACL the ASA will by default block the connections. In those cases you either have to change the <STRONG>"security-level"</STRONG> value so that they are <STRONG>NOT</STRONG> equal. Or if you dont want to change <STRONG>"security-level"</STRONG> value then you need to add the command <STRONG>"same-security-traffic permit inter-interface"</STRONG></P><P>&nbsp;</P><P>Other special case is when a connection goes in and out through the same interface. Most common example might be VPN Client connnections that come to the <STRONG>"outside" </STRONG>interface and leave to Internet through <STRONG>"outside"</STRONG> also. In this case you will need a similiar command as above. The command is <STRONG>"same-security-traffic permit intra-interface"</STRONG></P><P>&nbsp;</P><P>I would personally suggest using interface ACLs on each interface as using the <STRONG>"security-level" </STRONG>does not give you any chance to have specific rules. I guess in a simple setup you might use only the <STRONG>"security-level"</STRONG> but I use interface ACLs even on my home ASA.</P><P>&nbsp;</P><P>Hope this helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>- Jouni</P> Mon, 16 Feb 2015 11:00:07 GMT https://community.cisco.com/t5/network-security/asa-access-rules/m-p/2622322#M197046 Jouni Forss 2015-02-16T11:00:07Z