Allow traffic from lower security level to higher - ASA 5515

I am running the latest 9.8.1 code. I need assistance in allowing traffic from a lower security level to a higher one. Below is the config.


interface g0/1
 nameif inside
 security-level 100
 ip address 10.20.5.1 255.255.255.0 standby 10.20.5.2
!
interface g0/2
 nameif DMZ1
 security-level 15
 ip address 10.20.3.1 255.255.255.0 standby 10.20.3.2
!
interface g0/3
 description SQL subnet
 vlan 5
 nameif DMZ2
 security-level 25
 ip address 10.20.4.1 255.255.255.0 standby 10.20.4.2


I need help allowing traffic both ways between inside and DMZ1, and between inside and DMZ2.


Thank you in advance.

5 Replies

Marvin Rhoads
Hall of Fame

Higher security to lower security is allowed by default. Only if you have an ACL applied for other reasons on the interface do you need to add a rule for traffic to lower security interfaces.


For the lower to higher use case you just need to permit it with an access-list and then assign the access-list with the access-group command.


In both cases, return traffic for a given flow is always allowed since the ASA is a stateful firewall.

Sounds dumb, but I need help with creating those ACLs. I have tried different ways but haven't been successful.

Two lines should do it. Assuming you want any host in DMZ2 to communicate with any host in DMZ1, something like this should work:

access-list dmz2-dmz1 remark DMZ2 hosts (source, inbound on DMZ2) to DMZ1 hosts (destination)
access-list dmz2-dmz1 extended permit ip 10.20.4.0 255.255.255.0 10.20.3.0 255.255.255.0

access-group dmz2-dmz1 in interface DMZ2

Of course, if that's your policy, you could just make them the same security level and use "same-security-traffic permit inter-interface".

Hey, I know this is an old thread, but it's the top Google result.

The problem with the written ACL solution is that the implicit deny at the end of the ACL will break the built-in permission for traffic to move from higher to lower security level zones. If you have a management network, an internal network for VMs, and an internet network (outside), adding one ACL to permit one VM to access one management network IP will break the outbound internet access.

Is there any way, short of manually blocking traffic to each higher-level network and then allowing any any, to resolve this?


@KylePericak9919 wrote:

...

Is there any way short of manually blocking traffic to each higher-level network, then allowing any any, to resolve this?


That's the recommended solution.

Typically, where the internal networks are RFC 1918, you can just do the single allow and then a couple of lines to deny the three RFC 1918 supernets (or one line if you define a network object-group for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and then a final "allow any any".
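The two replies above (the two-line ACL, and the deny-RFC-1918-then-permit-any pattern) both come down to how the ASA evaluates an interface ACL: top to bottom, first match wins, and an implicit deny closes every list, so applying any ACL replaces the default security-level behaviour on that interface. The script below is an added example written for this page, not code from the thread or from Cisco. It parses a handful of ASA-syntax `object-group network` and `access-list ... extended` lines and applies the same first-match logic to sample flows from the layout in the original question (DMZ1 at security-level 15 as the VM network, inside at 100 as management, an outside interface at 0). The ACL name `DMZ1_in`, the hosts 10.20.3.10, 10.20.5.50, 10.20.5.51 and the internet address 203.0.113.10 are constructed for the example; the model handles only IPv4 and ignores ports, service groups and time ranges.

```python
"""First-match evaluation of Cisco ASA interface ACLs (simplified model, added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access control entry: action, protocol, source and destination networks."""
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any protocol; otherwise an exact match
    src: list     # list of IPv4Network
    dst: list     # list of IPv4Network


def _target(tokens, i, groups):
    """Parse one address spec at tokens[i]: any | host A | A MASK | object-group NAME."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tok == "object-group":
        return groups[tokens[i + 1]], i + 2
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")], i + 2


def parse_config(text):
    """Parse 'object-group network' and 'access-list' lines into {acl_name: [Ace, ...]}.
    Ports, service groups and time ranges are not modelled (assumption of this example)."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            net = t[2] + "/32" if t[1] == "host" else f"{t[1]}/{t[2]}"
            current.append(ipaddress.ip_network(net))
        elif t[0] == "access-list" and t[2] != "remark":
            name, i = t[1], 2
            if t[i] == "extended":
                i += 1
            action, proto, i = t[i], t[i + 1], i + 2
            src, i = _target(t, i, groups)
            dst, i = _target(t, i, groups)
            acls.setdefault(name, []).append(Ace(action, proto, src, dst))
    return acls


def evaluate(acl, proto, src_ip, dst_ip):
    """Walk the ACL top to bottom; the first matching ACE wins. No match means the
    implicit deny that ends every ASA ACL (returned with index None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if any(s in net for net in ace.src) and any(d in net for net in ace.dst):
            return ace.action, n
    return "deny", None


def interface_decision(acl, src_level, dst_level, proto, src_ip, dst_ip):
    """Ingress decision: with no access-group applied, the security-level rule decides
    (higher to lower is permitted); once an ACL is applied it replaces that rule."""
    if acl is None:
        return "permit" if src_level > dst_level else "deny"
    return evaluate(acl, proto, src_ip, dst_ip)[0]


# Constructed configs: the one-line ACL that breaks internet access, and the fixed one.
BROKEN = """
access-list DMZ1_in extended permit ip host 10.20.3.10 host 10.20.5.50
"""

FIXED = """
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list DMZ1_in remark one VM to one management host
access-list DMZ1_in extended permit ip host 10.20.3.10 host 10.20.5.50
access-list DMZ1_in remark block everything else headed for internal address space
access-list DMZ1_in extended deny ip any object-group RFC1918
access-list DMZ1_in remark keep the old higher-to-lower behaviour for the internet
access-list DMZ1_in extended permit ip any any
"""


def demo():
    """Three flows from VM 10.20.3.10 (DMZ1, level 15) under no ACL, BROKEN and FIXED."""
    flows = {"to_mgmt_host": ("10.20.5.50", 100),
             "to_other_mgmt": ("10.20.5.51", 100),
             "to_internet": ("203.0.113.10", 0)}
    results = {}
    for label, acl in (("no_acl", None),
                       ("broken", parse_config(BROKEN)["DMZ1_in"]),
                       ("fixed", parse_config(FIXED)["DMZ1_in"])):
        results[label] = {name: interface_decision(acl, 15, level, "tcp", "10.20.3.10", dst)
                          for name, (dst, level) in flows.items()}
    return results


if __name__ == "__main__":
    for label, verdicts in demo().items():
        print(label, verdicts)
```

Running it shows the three states side by side: with no ACL the VM reaches the internet but not management; with the one-line ACL it reaches the one management host and nothing else, internet included; with the object-group deny followed by `permit ip any any` it reaches the one host and the internet while every other RFC 1918 destination (the rest of inside, and DMZ2 at level 25) stays blocked. The same `deny` line also stops the VM reaching DMZ2, which the security levels alone would have stopped before the ACL was applied.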
