cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
619
Views
0
Helpful
3
Replies

Access list + security level IOS 9.1

javi_cesp
Level 1
Level 1

Hy everybody,

I have some doubt about the configuration of access-list and the security-level in the interfaces. In my configuration I'm using access-lists in all the interfaces (cisco asa 5525, IOS 9.1) and i'm using the same security-level for all these interfaces.

The issue that i had was that the  traffic didn't match with the ace's in the access-list. So after a while i tried entering the global command

same-security-traffic permit inter-interface. After that the ace's in the access-list start to registered hit counts and the traffic started to pass through the Firewall.

I was reading in various site that if i'm using access-list on each interface of the ASA, the security levels no longer control what the initial traffic flows may be. With access lists, the initial traffic flow is completely  controlled by entries in that access-list. However in my case this is not true.

I tried also to initiate a connection from a server without permission in the access-list and didnt work (trying to see if the control is completely controlled by the security-level).

Would be that this version of IOS have some bug? Or is a correct functioning of the same?

I hope that somebody can give me a clue of this.

Best regards.

Javier

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

If you have no ACLs configured then the "security-level" is the value that determines where host behind some interface can connect to.

If you have ACL configured on the interface then that decides where the hosts behind that interface can connect to.

As you have noticed, there are a couple of situation where the above doesnt apply.

If you have 2 interfaces with equal "security-level" value THEN even if you had ACLs or not, you will need the global command "same-security-traffic permit inter-interface". This command enables communication between 2 interfaces of equal "security-level".

You might also run into a situation where your ASA acts as a VPN device also. You have configured VPN Client and are using Full Tunnel. You want to let the users use Internet connection through the ASA. In this case the Internet traffic would be entering from the clients on the "outside" interface and also heading to Internet through the "outside" interface. So the entry and exit interface are the same. In these cases you need the global command "same-security-traffic permit intra-interface". Otherwise the connection simply wont go through.

Hope this clarifies things

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni