oracular
Level 1

Hello,

I would like to change the security level of one sub-interface, GigabitEthernet 0/0.60, from "higher to lower" (2 to 10 or 20). ASDM gives me the warning notice: "Changing the security level of an interface may cause your ASA configuration to become invalid, causing the ASA to drop legal traffic or allow illegal traffic to pass through. Do you still wish to proceed?"

I don't have any important traffic on it right now. Will that affect any other sub-interfaces or not? Should I proceed further with it?

Thanks for the clarification.

-m

2 Replies

Francesco Molino
VIP Alumni

Hi 

This is a normal warning message. 

Let's take an example to explain that message. 

Let's assume you have 2 interfaces, 1 with security level 100 and the other with 50. You've activated the feature to allow communication between interfaces with the same security level. Right now, there won't be any communication unless you create some ACLs.

Now you want to change the security level of 50 to 100. As you've authorized the communication between same-security-level interfaces, the communication will flow between those 2 interfaces where before it wasn't.

If we take it the other way, you want to decrease the security level from 100 to 40. Before, the interface with level 100 was able to communicate by default with the interface with level 50. Now that you've decreased it, the communication won't be allowed unless you create specific rules.

In your case, if you're still deploying and don't have important traffic you can move forward and ignore this message. But keep an eye on logs to validate that you're not dropping or allowing unwanted traffic. 

Hope that answers your question 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco

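To make the reply above concrete, here is an added example (not from the thread and not Cisco's code) that models the ASA default permit rule between interfaces by security level and lists which flows flip from default-permit to default-deny, or the reverse, when one interface's level changes. Interface names and levels are constructed; flows governed by an explicit inbound ACL are not modelled.

```python
"""Preview the effect of changing one ASA interface's security level.

Default (implicit) rule modelled here, assuming no inbound ACL on the source
interface: higher-to-lower is permitted, lower-to-higher is denied, and equal
levels are permitted only with 'same-security-traffic permit inter-interface'.
"""
from itertools import permutations


def default_permit(src_level, dst_level, same_security_permit=False):
    """True if traffic from src to dst passes without an explicit ACL."""
    if src_level > dst_level:
        return True
    if src_level == dst_level:
        return same_security_permit
    return False


def change_impact(levels, iface, new_level, same_security_permit=False):
    """Return (src, dst, before, after) for every flow whose default
    behaviour changes when `iface` moves to `new_level`.

    levels: {interface_name: security_level}, e.g. {"inside": 100, "dmz": 50}
    """
    after_levels = {**levels, iface: new_level}
    changed = []
    for src, dst in permutations(levels, 2):
        before = default_permit(levels[src], levels[dst], same_security_permit)
        after = default_permit(after_levels[src], after_levels[dst],
                               same_security_permit)
        if before != after:
            changed.append((src, dst, before, after))
    return changed


if __name__ == "__main__":
    # Constructed layout resembling the question: several sub-interfaces
    # with low levels, an inside network at 100 and outside at 0.
    asa = {"inside": 100, "vlan60": 2, "vlan70": 10, "outside": 0}
    # Raising vlan60 from 2 to 20 only disturbs its pairing with vlan70:
    # vlan60->vlan70 becomes default-permit, vlan70->vlan60 becomes default-deny.
    for src, dst, before, after in change_impact(asa, "vlan60", 20):
        print(f"{src} -> {dst}: default-permit {before} -> {after}")
```

Run it against your own interface map before applying the change; any line printed is a flow whose default behaviour the warning is talking about, and is where to look in the logs afterwards.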
This message freaks me out when making a change on a production firewall. Just confirming: when adding a new interface, I can configure the security level on the new interface to whatever I want and it won't have any effect on the other networks? (aside from potentially permitting or denying traffic in/out of this new network)
