08-19-2024 01:58 PM
Hi
We are moving from an EVPL to SDWAN, and for that I needed to configure another interface on the ASA (it currently has a 0-security level). What I would like to do is to have the two interfaces (inside and SDWAN) have the same security level of 100 so that they are trusted and pass traffic between them without issue. When using ASDM to change the security level on the new interface to 100, I get a prompt “Changing the security level of an interface may cause your ASA configuration to become invalid, causing the ASA to drop legal traffic or allow illegal traffic to pass through” which makes me hesitate. Also, with a change in the security level of 100 on the new interface, will it get the same implicit rule of “Permit all traffic to less secure networks” that our inside interface currently has, and will it affect that implicit rule on the inside interface?
I do see that the same-security communication is enabled so that anything with the same security level isn’t denied.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Currently using ASA 5516 with ASA Version 9.6(1)
Any input would be appreciated.
Thanks
08-20-2024 02:26 PM
Sorry, I don't get all your questions,
but let me summarize the cases for security level with ACL and the same-security-traffic command.
Case 1
A- SDWAN
has level 100
no ACL applied inbound
B- IN
has level 100
no ACL applied inbound
the same-security-traffic command is needed to allow traffic
Case 2
A- SDWAN
has level 100
ACL applied inbound, specific traffic can be allowed <<- this ACL is optional
B- IN
has level 100
no ACL applied inbound
the same-security-traffic command is needed to allow traffic
Case 3
A- SDWAN
has level 0
ACL applied inbound, specific traffic can be allowed <<- this ACL is mandatory for traffic initiated from the SDWAN subnet to the IN subnet
(note: if you want to allow all traffic, use permit ip any any)
B- IN
has level 100
no ACL applied inbound
MHM
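To make the three cases above concrete, here is an added Python check (not from this thread or from Cisco; it models the ASA rules MHM describes on a constructed config with hypothetical interface names) that re-evaluates the implicit permit/deny for every interface pair before and after the sdwan level is raised:

```python
import re

# Constructed ASA config excerpt (hypothetical names; not the poster's real config).
ASA_CONFIG = """
interface GigabitEthernet1/1
 nameif outside
 security-level 0
interface GigabitEthernet1/2
 nameif inside
 security-level 100
interface GigabitEthernet1/3
 nameif sdwan
 security-level 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-group outside_access_in in interface outside
"""

def parse_asa(config):
    """Return ({nameif: level}, {nameifs with an inbound ACL}, inter_interface_permit)."""
    levels, acl_bound, name, inter = {}, set(), None, False
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"nameif (\S+)$", line):
            name = m.group(1)
        elif m := re.match(r"security-level (\d+)$", line):
            levels[name] = int(m.group(1))
        elif m := re.match(r"access-group \S+ in interface (\S+)$", line):
            acl_bound.add(m.group(1))
        elif line == "same-security-traffic permit inter-interface":
            inter = True
    return levels, acl_bound, inter

def implicit_verdict(src, dst, levels, acl_bound, inter):
    """Fate of a new connection entering `src` and leaving via `dst`."""
    if src in acl_bound:
        return "acl"       # an inbound ACL on the ingress interface decides, not the level
    if levels[src] > levels[dst]:
        return "permit"    # the implicit 'permit all traffic to less secure networks'
    if levels[src] == levels[dst]:
        return "permit" if inter else "deny"   # equal levels need inter-interface permit
    return "deny"          # lower to higher with no ACL is dropped

def what_if(config, iface, new_level):
    """Verdict for every ordered interface pair after changing one interface's level."""
    levels, acl_bound, inter = parse_asa(config)
    levels[iface] = new_level
    return {(s, d): implicit_verdict(s, d, levels, acl_bound, inter)
            for s in levels for d in levels if s != d}
```

It models only the implicit security-level behaviour for new connections; NAT, inspection and the actual entries of a bound ACL are outside its scope.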
08-19-2024 02:02 PM
If there is an ACL applied to any interface, then it will override the security level.
Note: since you use the same security level, you must use these two commands:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
MHM
08-20-2024 09:15 AM
Thank you for your reply, MHM.
If I may explain further...
1. I have an outside interface with a security level of 0 with 11 incoming rules.
2. I have an inside interface with a security level of 100 with an Implicit rule: Permit all traffic to less secure networks.
3. I have an sdwan interface currently with a security level of 0 with no implicit rules applied.
4. The same security level permits are enabled (same-security-traffic permit inter-interface and same-security-traffic permit intra-interface)
A few questions below...
1. With no incoming rules tied to the sdwan interface other than the security level of 0, bumping it up to security level 100 with no rules applied, it defaults to the global same-security-traffic permit inter-interface to pass along traffic to the same security level?
2. Will the implicit rule on the inside interface remain in place with the sdwan interface being bumped up to security level 100?
3. Raising the security level on the sdwan interface to 100 shouldn't cause the current configuration to become invalid or drop legal traffic since the sdwan interface has no ACL rules in place; it will just pass traffic along to the inside interface even though the inside interface has the implicit rule permitting traffic to less secure networks?
My assumption is that I can change the security level of the sdwan interface to 100 on the fly without any disruption or issue to the current flow, and I will not have to apply an ACL for it to pass traffic along to the inside interface.
Apologies for the noob questions, but this is a crash course on this firewall and I like to have an understanding of what the end result will be.
Again, any input would be appreciated.
Thanks
08-19-2024 02:51 PM
Security levels are very outdated. Just assign different security levels and use ACLs to control the traffic.