topic Re: Cisco ASA Traffic Between two or more interfaces which are configured with same security level in Network Security

Cisco ASA Traffic Between two or more interfaces which are configured with same security level

thomas-cco — Fri, 21 Feb 2020 15:58:01 GMT

Hi everyone,

I am wondering if there is a possibility to allow inter-interface traffic with acls without allowing all traffic on the same security level. So first disallow everything and then allow traffic with normal acls. Is it not possible by design?

Example:

VLAN211_INSIDE(Sec.Lvl.:100) --> VLAN212_INSIDE (Sec.Lvl.:100)

Traffic is not allowed automatically on the same security level. This option is turned off.

Re: Cisco ASA Traffic Between two or more interfaces which are configured with same security level

Francesco Molino — Wed, 11 Jul 2018 03:06:39 GMT

Hi Thomas

If you apply the command same-security permit inter-interface and you assign acls on each interfaces, the traffic will be filtered.

Re: Cisco ASA Traffic Between two or more interfaces which are configured with same security level

thomas-cco — Thu, 12 Jul 2018 07:46:15 GMT

Hello Francesco,

thank you, I already know about this option, we use it in several of our smaller Cisco ASA clusters but it seems not to be a practical solution on our shared customer hosting firewall because imagine we have 200 customers and 50 global rules (for communication over the OUTSIDE interface) and when I now insert a deny rule on the end of every interface's incoming policy and activate the inter-interface feature then I'm disabling the 50 global rules and it would require me to duplicate the 50 rules 200 times resulting in 1000 policy rules instead of 50 policy rules

when I then want to do a modification in one of the "global" rules then I cannot do one change but I need to do 200 changes, right?

the ideal solution for us would be when there would exists an address element definition for "ANY INSIDE", in this case I could say in my final deny rule on every inside interface: deny any inside traffic but not deny traffic passing the outside interface

if there is no better already implemented solution from Cisco then I will maintain an address element group with all inside networks to achieve the required behaviour

Best regards

Thomas

Re: Cisco ASA Traffic Between two or more interfaces which are configured with same security level

Francesco Molino — Thu, 12 Jul 2018 03:37:53 GMT

I don't see your reply, i get just a big S sign. Can you re-post your question please?

Re: Cisco ASA Traffic Between two or more interfaces which are configured with same security level

thomas-cco — Fri, 24 Aug 2018 09:54:17 GMT

Do you have any idea or suggestion? I also send you a PM in July.

Re: Cisco ASA Traffic Between two or more interfaces which are configured with same security level

Francesco Molino — Sat, 25 Aug 2018 00:48:48 GMT

Sorry i missed your PM. I'll check and answer it.