Access list + security level IOS 9.1

javi_cesp
Level 1

Hi everybody,

I have some doubts about the configuration of access-lists and the security-level on the interfaces. In my configuration I'm using access-lists on all the interfaces (Cisco ASA 5525, IOS 9.1) and I'm using the same security-level for all these interfaces.

The issue that I had was that the traffic didn't match the ACEs in the access-list. So after a while I tried entering the global command `same-security-traffic permit inter-interface`. After that the ACEs in the access-list started to register hit counts and the traffic started to pass through the firewall.

I was reading on various sites that if I'm using an access-list on each interface of the ASA, the security levels no longer control what the initial traffic flows may be. With access lists, the initial traffic flow is completely controlled by entries in that access-list. However, in my case this is not true.

I also tried to initiate a connection from a server without permission in the access-list and it didn't work (trying to see if the control is completely controlled by the security-level).

Could it be that this version of IOS has some bug? Or is this the correct functioning of it?

I hope that somebody can give me a clue of this.

Best regards.

Javier

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

If you have no ACLs configured then the "security-level" is the value that determines where hosts behind some interface can connect to.

If you have an ACL configured on the interface then that decides where the hosts behind that interface can connect to.

As you have noticed, there are a couple of situations where the above doesn't apply.

If you have 2 interfaces with an equal "security-level" value then, whether you have ACLs or not, you will need the global command "same-security-traffic permit inter-interface". This command enables communication between 2 interfaces of equal "security-level".

You might also run into a situation where your ASA acts as a VPN device as well. You have configured VPN Client and are using Full Tunnel. You want to let the users use the Internet connection through the ASA. In this case the Internet traffic would be entering from the clients on the "outside" interface and also heading to the Internet through the "outside" interface. So the entry and exit interface are the same. In these cases you need the global command "same-security-traffic permit intra-interface". Otherwise the connection simply won't go through.

Hope this clarifies things.

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
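The decision order Jouni describes (same-security gate first, then the interface ACL, then the security-level comparison when no ACL is bound) can be written down as a small model and run against a running-config excerpt. The block below is an added example, not code from this thread, from Cisco or from the ASA; the interfaces, addresses and ACL in `RUNNING_CONFIG` are constructed, and the check ordering is taken from the behaviour described above (global ACLs and the VPN ACL bypass are deliberately left out). `same_level_pairs` is the audit a practitioner wants before enabling the global command: it lists every pair of interfaces that share a level and therefore cannot talk at all, ACL or not, until `same-security-traffic permit inter-interface` is present.

```python
# Added example: model of the ASA initial-packet decision (security levels, inbound
# interface ACL, same-security-traffic commands). Not code from the thread or Cisco.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed running-config excerpt (hypothetical interface names and addresses).
RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
interface GigabitEthernet0/2
 nameif servers
 security-level 50
access-list DMZ_IN extended permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq 443
access-list DMZ_IN extended deny ip any any
access-group DMZ_IN in interface dmz
"""

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # numeric destination port from "eq", if present

@dataclass
class AsaConfig:
    levels: Dict[str, int] = field(default_factory=dict)       # nameif -> security-level
    acls: Dict[str, List[Ace]] = field(default_factory=dict)   # ACL name -> ACEs in order
    inbound_acl: Dict[str, str] = field(default_factory=dict)  # nameif -> ACL bound "in"
    inter_interface: bool = False
    intra_interface: bool = False

def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_config(text: str) -> AsaConfig:
    """Pull out the running-config lines that decide initial-flow permission."""
    cfg, nameif = AsaConfig(), None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            nameif = None                      # level lines belong to the next nameif
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[0] == "security-level" and nameif:
            cfg.levels[nameif] = int(t[1])
        elif t[0] == "access-list" and t[2] == "extended":
            name, action, proto, rest = t[1], t[3], t[4], t[5:]
            src, dst = _take_addr(rest), _take_addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            cfg.acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif t[0] == "access-group" and t[2] == "in":
            cfg.inbound_acl[t[4]] = t[1]
        elif t[:2] == ["same-security-traffic", "permit"]:
            cfg.inter_interface |= t[2] == "inter-interface"
            cfg.intra_interface |= t[2] == "intra-interface"
    return cfg

def same_level_pairs(cfg: AsaConfig) -> List[Tuple[str, str, int]]:
    """Interface pairs sharing a level: blocked, ACL or not, without the inter-interface permit."""
    names = sorted(cfg.levels)
    return [(a, b, cfg.levels[a]) for i, a in enumerate(names)
            for b in names[i + 1:] if cfg.levels[a] == cfg.levels[b]]

def flow_permitted(cfg: AsaConfig, ingress: str, egress: str, proto: str,
                   src: str, dst: str, dport: Optional[int] = None) -> Tuple[bool, str]:
    """Decide the first packet of a new ingress->egress flow: (permitted, reason)."""
    # 1. Same-security gates come first; if they fail the ACL is never consulted,
    #    which is why the ACEs in the thread showed no hit counts.
    if ingress == egress and not cfg.intra_interface:
        return False, "hairpin needs 'same-security-traffic permit intra-interface'"
    if ingress != egress and cfg.levels[ingress] == cfg.levels[egress] and not cfg.inter_interface:
        return False, "equal levels need 'same-security-traffic permit inter-interface'"
    # 2. With an inbound ACL on the ingress interface, the first matching ACE decides
    #    (implicit deny at the end).
    acl = cfg.inbound_acl.get(ingress)
    if acl:
        for ace in cfg.acls[acl]:
            if (ace.proto in ("ip", proto) and ipaddress.ip_address(src) in ace.src
                    and ipaddress.ip_address(dst) in ace.dst and ace.dport in (None, dport)):
                return ace.action == "permit", f"ACL {acl}: matched '{ace.action} {ace.proto}'"
        return False, f"ACL {acl}: implicit deny"
    # 3. No ACL: higher-to-lower flows freely, lower-to-higher is denied. Equal levels
    #    only reach this point once the global command is on, and then flow freely too.
    if cfg.levels[ingress] >= cfg.levels[egress]:
        return True, "no ACL: allowed by security-level"
    return False, "no ACL: lower-to-higher denied by security-level"
```

Parsing the constructed excerpt as-is gives `[("dmz", "servers", 50)]` from `same_level_pairs`, and a dmz-to-servers flow that the ACL would permit is still refused; appending `same-security-traffic permit inter-interface` to the text and re-parsing makes the same flow hit the permit ACE, which is exactly the change Javier observed.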


3 Replies

Thank you very much Jouni for your quick answer!

Is there any official documentation about this? I was researching this for a while and I couldn't find anything about it.

Cheers.

Javier

Hi,

Here are a couple of sections from a Configuration Guide:

Security Levels

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/interface_complete_routed.html#wp1323203

Same Security Level Communication

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/interface_complete_routed.html#wp1325183

To be honest, I didn't read about this initially when I started with Cisco firewalls. I took the typical route of not reading the manual and learning the hard way.

- Jouni
