ASA Same security Levels - Inter-interface - Definitive understanding required

g-campbell
Level 1

Hello,

As we all know, sometimes Cisco documentation can be a little ambiguous and/or vague in defining technical feature principles, and this applies no less to the definition given to the ASA same security level feature.

I have been searching and searching to get a detailed answer but have failed miserably. I am unfortunately not in a position to lab this and depend on the information available.

I would be most grateful to receive a definitive description of the inter-interface feature to understand the following concepts:

When the same security-level inter-interface feature is disabled, and some interfaces have the same security level set, does the explicit ACL apply and anything permitted gets parsed and sent on? 

Or is the same-level inter-interface command a prerequisite to allow the ASA to process traffic destined to an interface of the same security level, regardless of whether an ACL is present in the config?

When the same security-level inter-interface is enabled and an inbound ACL is applied, is the ACL bypassed completely so any traffic is permitted ignoring an ACL? 

Or does an ACL get processed before the security-level inter-interface is checked?

Does anyone know of a link to a best practice and/or design document that explains this in great detail?

Does anyone know of a link that describes the processing architecture of the Cisco ASA that covers this feature?

Many thanks in advance for any help provided.

Best regards.

2 Replies

Shivapramod M
Level 1

Hi,

If you run this command then it will allow all the traffic between two interfaces which have the same security level. If this command is enabled then you can control the traffic flow between these two interfaces using the ACL. If you have the permit ACL to pass certain traffic between these two interfaces and you do not enable this command then the traffic will be dropped by the implicit rule. Once you have this command enabled then you can control the flow using the ACL.

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Let's start with some history ... ;-)

A long time ago, the ASA (or, more exactly, its predecessors) typically had fewer than 101 interfaces (which is the number of possible security-level values). With that it was possible to give every interface a different security-level and control how they can communicate. At this time, there was no command to allow "same-security-traffic". As a feature, when two interfaces were configured with the same level, they could not communicate with each other at all. With that, these networks were separated regardless of any mistake that you make in your ACL.

Later, there were firewalls with more than 101 interfaces, and to let all of them communicate with each other, a new functionality was needed. This is "same-security-traffic permit inter-interface". The default is still disabled, and with that, all networks with the same security-levels are separated.

When you enable this function, then these interfaces can communicate with each other and your ACLs control which traffic is allowed and which is not allowed.

Nowadays you will often configure many interfaces with the same security-level and still let them communicate with each other. The original idea was that the interface with the more trustworthy network gets the higher number. But often you can't decide which is more trustworthy:

  • Your Webserver DMZ or your Mail-Relay-DMZ?
  • Your link to your partner that you trust or your own DMZ that you control?

In these cases all these interfaces are often given the same security-level and the above command is needed to let them communicate with each other. Still, you only want to allow specific communication so you'll have ACLs on all your interfaces.
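The decision logic both replies describe (same level plus command disabled: dropped regardless of the ACL; command enabled: the inbound ACL with its implicit deny decides), as an added example that is not part of the original thread and not Cisco code. The interface names, levels and addresses are constructed; the "no ACL, higher-to-lower permitted" default is the standard ASA behaviour and is included for completeness.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR

@dataclass
class Interface:
    name: str
    security_level: int             # 0-100, as on the ASA
    acl_in: Optional[list] = None   # None: no inbound access-group applied

class Asa:
    def __init__(self, interfaces, same_security_inter_interface=False):
        self.interfaces = {i.name: i for i in interfaces}
        # "same-security-traffic permit inter-interface"; the default is off
        self.same_security_inter_interface = same_security_inter_interface

    @staticmethod
    def acl_permits(acl, src, dst):
        """First matching ACE wins; an applied ACL ends with an implicit deny."""
        for ace in acl:
            if ip_address(src) in ip_network(ace.src) and ip_address(dst) in ip_network(ace.dst):
                return ace.action == "permit"
        return False

    def allows(self, ingress, egress, src, dst):
        i, e = self.interfaces[ingress], self.interfaces[egress]
        # Equal levels: without the global command the two interfaces cannot
        # talk at all, even when an ACE permits the flow.
        if i.security_level == e.security_level and not self.same_security_inter_interface:
            return False
        # An inbound ACL on the ingress interface decides (implicit deny at end).
        if i.acl_in is not None:
            return self.acl_permits(i.acl_in, src, dst)
        # No ACL: the standard ASA default (higher to lower permitted) applies;
        # equal levels reach this point only when the command is enabled.
        return i.security_level >= e.security_level

def build_example(same_security_on):
    """Constructed topology: two DMZs at level 50 and an inside at 100."""
    web_acl = [Ace("permit", "10.1.0.0/24", "10.2.0.25/32")]  # web -> mail relay only
    return Asa([Interface("dmz_web", 50, web_acl), Interface("dmz_mail", 50),
                Interface("inside", 100)], same_security_on)
```

Calling `build_example(False).allows("dmz_web", "dmz_mail", "10.1.0.10", "10.2.0.25")` returns False even though the ACE permits the flow; the same call on `build_example(True)` returns True, and a destination outside the ACE falls to the implicit deny.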
