ACL and Security Levels

OGiron011
Level 1

Hi,

I'm trying to understand ACLs and Security levels.

 

I have an ASA 8.2(5) with three interfaces at security level 0, one at level 75 and one at level 100. The 75 used to be 100, but I needed a new interface and more security, so I changed the 75 to 100 and assigned the new interface as 100. Now on the three interfaces with level 0 I have ACLs for traffic initiating from that interface coming into the 75.

I need the 75 to access the 100, but if I apply an ACL to the 75, will it deny all other traffic going from the 75 to the 0s? If yes, how can I work around this besides using the same security level and same-security-traffic?


Regards

Oscar

6 Replies

rvarelac
Level 7

Hi Oscar, 

 

Let's say you have the following interfaces on your ASA.

 

Outside = security level 0

DMZ = security level 75 

inside = security level 100

 

Interfaces with a higher security level can reach resources on a lower security level, but not the other way round. So the inside interface will be able to access resources on the DMZ and outside interfaces, and the DMZ interface can reach the outside.

 

If you want the DMZ interface to reach resources on the inside, you need to apply an ACL as below.

 

! permit one host to reach the other, then bind the ACL inbound on an interface
access-list example permit ip host 1.1.1.1 host 2.2.2.2
access-group example in interface inside

 

Hope it helps

- Randy -


Hi Randy,

 

Thanks for the response. 

Using the example you gave, it's confusing because you are applying the ACL on the inside instead of the DMZ.

Ganesh Hariharan
VIP Alumni

 

Hi Oscar,

Security levels in the ASA define how traffic initiated from one interface is allowed to return from another interface.

A higher security level interface can initiate traffic to a lower level without an access-list. Any traffic returning from communications initiated from the higher level is allowed to pass through from the lower to the higher security level.

The higher the security level, the more trusted the interface.

-GI

Rate if it Helps


Hi GI,

Thanks for your response.

Sorry, my question was not clear.

If I apply an ACL on an interface with a low security level (DMZ = 75) to access a host on a higher security level (inside = 100), will this still allow traffic from the DMZ to access an even lower security level (Internet = 0) without specifying it in the ACL?

 

Regards

Hi Oscar,

With stateful filtering, if you are trying to reach any IP located on the inside or on another interface with a higher level than the outside (lower level), then you must apply an ACL to allow the access. But from a higher level to a lower level there is no need to apply any kind of ACL, unless you are trying to achieve something very special.

All incoming traffic from a lower level to a higher level is denied by default.
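The configuration Oscar is asking about, as an added example that is not from any post in this thread: an inbound ACL on the level-75 DMZ interface that permits one DMZ host to reach one inside server and, because an applied ACL ends in an implicit deny regardless of security level, also explicitly permits the DMZ-to-outside traffic that would otherwise be dropped. Interface names, addresses and the port are assumptions.

```cisco
! Interfaces as in Randy's example (names and addresses are assumed)
interface Ethernet0/1
 nameif dmz
 security-level 75
 ip address 10.75.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.100.0.1 255.255.255.0
!
! Inbound ACL for traffic ENTERING the dmz interface, i.e. flows
! initiated by DMZ hosts. Lines are evaluated top to bottom.
!
! 1) The one DMZ host that needs the inside server (assumed HTTPS).
access-list dmz_in extended permit tcp host 10.75.0.10 host 10.100.0.20 eq 443
!
! 2) Block everything else aimed at the inside network, before the
!    broad permit below can match it.
access-list dmz_in extended deny ip any 10.100.0.0 255.255.255.0
!
! 3) Keep the level-75 -> level-0 path open. Once an ACL is bound to
!    the interface the implicit deny at its end applies to ALL inbound
!    traffic, so without this line DMZ-to-outside is dropped even
!    though 75 > 0.
access-list dmz_in extended permit ip 10.75.0.0 255.255.255.0 any
!
! Bind it inbound on the DMZ, not on inside: the DMZ hosts initiate.
access-group dmz_in in interface dmz
```

Return traffic for these flows is allowed by the stateful inspection, so no ACL is needed on inside or outside for it; `show access-list dmz_in` shows per-line hit counts, and `packet-tracer input dmz tcp 10.75.0.10 1025 10.100.0.20 443` walks the decision for a single flow.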

Hi,

 

What I really need is to have two (2) inside interfaces. But I still need limited communications between the two inside interfaces using an ACL.

 

Please let me know how we can do this.

 

Regards