07-26-2013 03:50 AM - edited 03-11-2019 07:17 PM
Hi everybody,
I have some doubts about the configuration of access-lists and the security-level on the interfaces. In my configuration I'm using access-lists on all the interfaces (Cisco ASA 5525, IOS 9.1) and I'm using the same security-level for all these interfaces.
The issue I had was that the traffic didn't match the ACEs in the access-list. So after a while I tried entering the global command
same-security-traffic permit inter-interface. After that the ACEs in the access-list started to register hit counts and the traffic started to pass through the firewall.
I was reading on various sites that if I'm using an access-list on each interface of the ASA, the security levels no longer control what the initial traffic flows may be. With access-lists, the initial traffic flow is completely controlled by the entries in that access-list. However, in my case this is not true.
I also tried to initiate a connection from a server without permission in the access-list and it didn't work (trying to see if the control is completely handled by the security-level).
Could it be that this version of IOS has a bug? Or is this the correct functioning?
I hope that somebody can give me a clue about this.
Best regards.
Javier
07-26-2013 03:59 AM
Hi,
If you have no ACLs configured, then the "security-level" is the value that determines where hosts behind an interface can connect to.
If you have an ACL configured on the interface, then that decides where the hosts behind that interface can connect to.
As you have noticed, there are a couple of situations where the above doesn't apply.
If you have 2 interfaces with equal "security-level" values, then, whether or not you have ACLs, you will need the global command "same-security-traffic permit inter-interface". This command enables communication between 2 interfaces of equal "security-level".
You might also run into a situation where your ASA acts as a VPN device as well. You have configured VPN Client and are using Full Tunnel. You want to let the users use the Internet connection through the ASA. In this case the Internet traffic would be entering from the clients on the "outside" interface and also heading to the Internet through the "outside" interface. So the entry and exit interface are the same. In these cases you need the global command "same-security-traffic permit intra-interface". Otherwise the connection simply won't go through.
Hope this clarifies things
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
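The two cases Jouni describes, written out as an ASA configuration fragment. This is an added example, not configuration from the original thread; the interface names, networks and ACL name (dmz1, dmz2, 10.1.1.0/24, 10.1.2.0/24, DMZ1_IN) are assumptions chosen for illustration.

```cisco
! Two interfaces at the SAME security level. Traffic between them is dropped
! by the equal-security check before any ACL is consulted, so the ACEs below
! show zero hit counts until the inter-interface command is enabled.
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Interface ACL: only dmz1 -> dmz2 web server on 443 is allowed, everything
! else is logged and denied. The ACL decides *what* may pass, but only once
! the equal-security check lets the flow reach it.
access-list DMZ1_IN extended permit tcp 10.1.1.0 255.255.255.0 host 10.1.2.10 eq 443
access-list DMZ1_IN extended deny ip any any log
access-group DMZ1_IN in interface dmz1
!
! Case 1: allow flows between different interfaces that share a security level.
same-security-traffic permit inter-interface
!
! Case 2 (hairpin): allow flows that enter and leave on the same interface,
! e.g. full-tunnel VPN clients on "outside" reaching the Internet via "outside".
same-security-traffic permit intra-interface
```

To confirm the behaviour rather than guess, check the ACE counters with `show access-list DMZ1_IN` before and after enabling the global command, and run `packet-tracer input dmz1 tcp 10.1.1.20 12345 10.1.2.10 443` (assumed source host and port): the trace shows the phase in which the packet is dropped, which makes it clear whether the equal-security check or the ACL is the one denying the flow.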
07-26-2013 04:58 AM
Thank you very much Jouni for your quick answer!
Is there official documentation about this? I was researching this for a while and I couldn't find anything about it.
Cheers.
Javier
07-26-2013 05:05 AM
Hi,
Here are a couple of sections from a Configuration Guide:
Security Levels
Same Security Level Communication
To be honest, I didn't read about this initially when I started with Cisco firewalls. I took the typical route of not reading the manual and learning the hard way.
- Jouni