06-01-2012 08:53 AM - edited 03-11-2019 04:14 PM
Hi All
I have just started working on Cisco ASAs and working on following scenario:
3 Depts having 3 separate Networks given following names
Finance
Accounts
HR
Communication between them should be restricted and allowed only for specific hosts and services. My approach is that I have assigned a security level of "0"
to each of them and also enabled "same-security-traffic permit inter-interface", so that they can communicate with each other. Now what I have observed is that as soon as I enable same-security-traffic permit inter-interface, traffic starts flowing among them without the need for any access-list. But as soon as I create an access-list for some specific host, traffic stops flowing for all other hosts except for the one which was granted access in the access-list.
Is my approach right? Please do advise. Also, is it the default behaviour of the ASA to implicitly deny traffic for all hosts as soon as I place an ACL after enabling same-security-traffic permit inter-interface?
Thanks and Regards
06-01-2012 09:51 AM
Hello,
If all of the network zones have the same security level for your company then you can use the same one on them.
Remember that all ACLs have an implicit deny at the bottom, so the behavior is expected.
Same-security-level interfaces with the same-security-traffic command will be allowed to exchange traffic without the need for an ACL, but as soon as you place one on any of those interfaces you will need to specify the traffic you need to allow.
Regards,
Rate all the helpful posts
Julio
Security Engineer
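To make the behaviour in the answer above concrete, here is an added configuration example (not from any of the posts in this thread). It shows the three equal-security interfaces, the same-security-traffic command, and an inbound ACL on one interface that permits only two host/service pairs; every interface name, IP address, host and port below is an assumed value chosen for illustration.

```cisco
! Added example, not from the original posts. Interface names, addresses,
! hosts and ports are assumed values for illustration only.

interface GigabitEthernet0/1
 nameif Finance
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif Accounts
 security-level 0
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif HR
 security-level 0
 ip address 10.1.3.1 255.255.255.0
!
! Without this line, interfaces at the same security level never pass
! traffic to each other, regardless of any ACL.
same-security-traffic permit inter-interface
!
! Inbound ACL on Finance: only the flows listed here may leave the Finance
! segment. Every interface ACL ends with an implicit "deny ip any any",
! which is why all other Finance hosts lose connectivity the moment the
! ACL is bound. The explicit trailing deny is optional; it only adds
! logging of what the implicit deny would drop silently.
access-list FINANCE_IN extended permit tcp host 10.1.1.10 host 10.1.2.20 eq 1433
access-list FINANCE_IN extended permit tcp host 10.1.1.10 host 10.1.3.30 eq 443
access-list FINANCE_IN extended deny ip any any log
access-group FINANCE_IN in interface Finance
!
! The ASA is stateful: replies from 10.1.2.20 back to 10.1.1.10 ride the
! existing connection and need no entry in an Accounts ACL. Accounts and
! HR keep exchanging traffic freely until they receive ACLs of their own.
access-list ACCOUNTS_IN extended permit tcp host 10.1.2.20 host 10.1.1.10 eq 22
access-list ACCOUNTS_IN extended deny ip any any log
access-group ACCOUNTS_IN in interface Accounts
```

To confirm which entry a given flow hits, use `show access-list FINANCE_IN` (hit counts per line) or simulate a packet with `packet-tracer input Finance tcp 10.1.1.11 12345 10.1.2.20 1433`; with the ACL above, that trace ends at the deny line because 10.1.1.11 is not permitted, which is exactly the "everything else stops" effect described in the question.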
06-02-2012 02:36 AM
Thanks Julio
Somehow I am not comfortable with the higher/lower security levels concept; for me every network on my firewall is critical and I want to have granular control on each and every host in the corporate network.
Regards