ASA Access Rules

rakeshvelagala
Level 3

Hi All,

 

Just need to confirm if I have understood about the access rules correctly.

Say I have three interfaces with security levels as specified. Inside(100), Outside(0) and DMZ(50).

By default, DMZ (Security Level of 50) can access Outside(0).

Say I have applied an incoming rule on the DMZ interface, will it still hold the default behavior of DMZ able to access Outside?

Or do I need to specify an access-list to allow it? Please advise.

 

According to my testing, I need to allow it.

 

Thanks

 

 

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

 

The "security-level" value of an interface (for the most part) only affects the connectivity through that interface if the interface DOES NOT have an ACL attached. So as soon as you attach the ACL to the interface then you need to allow/deny the traffic you need in that ACL and the "security-level" value does not apply anymore.

 

The special case where the "security-level" value still plays a part is when you have 2 interfaces with equal "security-level" values. In that case, even if you allow traffic in the interface ACL, the ASA will by default block the connections. In those cases you either have to change the "security-level" value so that they are NOT equal, or, if you don't want to change the "security-level" value, then you need to add the command "same-security-traffic permit inter-interface".

 

The other special case is when a connection goes in and out through the same interface. The most common example might be VPN Client connections that come in on the "outside" interface and leave to the Internet through "outside" also. In this case you will need a similar command as above. The command is "same-security-traffic permit intra-interface".

 

I would personally suggest using interface ACLs on each interface as using the "security-level" does not give you any chance to have specific rules. I guess in a simple setup you might use only the "security-level" but I use interface ACLs even on my home ASA.

 

Hope this helps :)

 

- Jouni
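To make the rules in this answer concrete, here is an added example (not Cisco's code, and not from the thread) that models the ASA forwarding decision as described above for the question's Inside(100)/Outside(0)/DMZ(50) setup: an attached inbound ACL decides on its own, otherwise higher-to-lower security level is allowed implicitly, equal levels need "same-security-traffic permit inter-interface", and hairpinning needs "same-security-traffic permit intra-interface". The flow tuples and the TCP/443-only DMZ ACL are constructed sample data; treating the inter/intra permits as allowing equal-level traffic without an ACL is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Interface:
    name: str
    security_level: int
    # Inbound ACL modelled as a predicate over a flow tuple; None means no ACL attached.
    acl: Optional[Callable[[tuple], bool]] = None

@dataclass
class Asa:
    interfaces: dict
    permit_inter_interface: bool = False  # same-security-traffic permit inter-interface
    permit_intra_interface: bool = False  # same-security-traffic permit intra-interface

    def is_permitted(self, ingress: str, egress: str, flow: tuple) -> bool:
        src, dst = self.interfaces[ingress], self.interfaces[egress]
        # In and out through the same interface: needs the intra-interface permit.
        if ingress == egress:
            if not self.permit_intra_interface:
                return False
        # Equal security levels: blocked even with a permit ACL unless inter-interface is on.
        elif src.security_level == dst.security_level and not self.permit_inter_interface:
            return False
        # An attached ACL decides on its own; the security level no longer applies.
        if src.acl is not None:
            return src.acl(flow)
        # No ACL: higher-to-lower level is allowed implicitly. Equal levels only reach this
        # point via the same-security-traffic permits (assumed to allow it without an ACL).
        return src.security_level >= dst.security_level

def build_thread_scenario(dmz_acl_applied: bool) -> Asa:
    """Inside(100), Outside(0), DMZ(50) from the question, with an optional DMZ ACL."""
    # Constructed ACL permitting only TCP/443 out of the DMZ (like "permit tcp any any eq 443").
    acl = (lambda f: f[2] == "tcp" and f[3] == 443) if dmz_acl_applied else None
    return Asa(interfaces={"inside": Interface("inside", 100),
                           "outside": Interface("outside", 0),
                           "dmz": Interface("dmz", 50, acl=acl)})

HTTPS = ("10.1.1.10", "198.51.100.5", "tcp", 443)  # constructed sample flows (src, dst, proto, dport)
HTTP = ("10.1.1.10", "198.51.100.5", "tcp", 80)

def dmz_to_outside(dmz_acl_applied: bool, flow: tuple) -> bool:
    return build_thread_scenario(dmz_acl_applied).is_permitted("dmz", "outside", flow)

if __name__ == "__main__":
    print("no ACL on dmz, http :", dmz_to_outside(False, HTTP))   # True: level 50 > 0
    print("ACL on dmz, http   :", dmz_to_outside(True, HTTP))    # False: the ACL must allow it
    print("ACL on dmz, https  :", dmz_to_outside(True, HTTPS))   # True: matched by the ACL
```

The second line reproduces what the questioner observed in testing: once an inbound ACL is on the DMZ interface, DMZ-to-Outside traffic has to be explicitly permitted in that ACL.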
