02-16-2015 02:18 AM - edited 03-11-2019 10:30 PM
Hi All,
Just need to confirm if I have understood about the access rules correctly.
Say I have three interfaces with security levels as specified: Inside (100), Outside (0) and DMZ (50).
By default, DMZ (security level of 50) can access Outside (0).
Say I have applied an incoming rule on the DMZ interface; will it still hold the default behavior of DMZ being able to access Outside, or do I need to specify an access-list to allow it? Please advise.
According to my testing, I need to allow it.
Thanks
02-16-2015 03:00 AM
Hi,
The "security-level" value of an interface (for the most part) only affects the connectivity through that interface if the interface DOES NOT have an ACL attached. So as soon as you attach the ACL to the interface then you need to allow/deny the traffic you need in that ACL and the "security-level" value does not apply anymore.
The special case where the "security-level" value still plays a part is when you have 2 interfaces with an equal "security-level" value. In that case, even if you allow the traffic in the interface ACL, the ASA will by default block the connections. In those cases you either have to change the "security-level" value so that they are NOT equal, or, if you don't want to change the "security-level" value, you need to add the command "same-security-traffic permit inter-interface".
The other special case is when a connection goes in and out through the same interface. The most common example might be VPN Client connections that come in on the "outside" interface and leave to the Internet through "outside" as well. In this case you will need a similar command to the one above: "same-security-traffic permit intra-interface".
I would personally suggest using interface ACLs on each interface as using the "security-level" does not give you any chance to have specific rules. I guess in a simple setup you might use only the "security-level" but I use interface ACLs even on my home ASA.
Hope this helps :)
- Jouni
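An illustrative ASA configuration fragment, added here and not taken from the thread (interface names, subnets and object names are made up), showing what the answer describes: once an ACL is bound inbound on the dmz interface, DMZ-to-Outside traffic must be permitted explicitly in it, DMZ-to-Inside is denied first, and the two same-security-traffic lines cover the equal-level and hairpin special cases.

```cisco
! Hypothetical interface layout (names and addresses are assumptions)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
object network DMZ-NET
 subnet 192.0.2.0 255.255.255.0
!
! Inbound ACL for the dmz interface. With this attached, security-level 50 > 0
! no longer grants DMZ hosts access to Outside; the permits below do.
! Deny the higher-security Inside network first (least privilege), then
! allow only the outbound services the DMZ hosts actually need.
access-list DMZ-IN extended deny ip any object INSIDE-NET log
access-list DMZ-IN extended permit tcp object DMZ-NET any eq 80
access-list DMZ-IN extended permit tcp object DMZ-NET any eq 443
access-list DMZ-IN extended permit udp object DMZ-NET any eq 53
! Explicit final deny with logging so blocked DMZ flows show up in syslog
access-list DMZ-IN extended deny ip any any log
!
access-group DMZ-IN in interface dmz
!
! Special case 1: two interfaces sharing the same security-level value
same-security-traffic permit inter-interface
! Special case 2: traffic entering and leaving the same interface
! (e.g. VPN client on outside going back out to the Internet)
same-security-traffic permit intra-interface
```

Verify the bindings afterwards with `show running-config access-group` and watch hit counts with `show access-list DMZ-IN` while testing a DMZ-to-Outside connection.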