04-27-2016 03:30 AM - edited 03-12-2019 12:40 AM
hi folks,
I'm wondering: if I use the same-security-traffic permit inter-interface command on the ASA, and I have 2 separate interfaces with the same security level and an ACL with a couple of explicit permit rules, will traffic not covered by those permit statements be blocked by the implicit deny at the end of the ACL, or am I completely wrong in my thinking?
04-27-2016 12:00 PM
Hello Ruslan-
Check out the link below :)
Note All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the ASA.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html
Thank you for rating helpful posts!
04-27-2016 12:45 PM
hi Neno,
thanks, I saw this link; however, it still doesn't answer my question.
I wonder what will happen to the traffic in the case I described, whether it will be dropped or not; that is the question.
04-27-2016 01:04 PM
Yes, the ACL rule(s) would be examined, and traffic that is not permitted will be dropped.
Thank you for rating helpful posts!
05-02-2016 12:14 AM
hi Neno,
thanks for the information.
Also, I tested it in a production environment and it seems my traffic is dropped by the implicit deny.
I also wanted to ask if you have encountered something like this: I increased the security level from ~~100~~ 0 to 50 (I had both at ~~100~~ 0) and still need to have a permit statement to allow traffic flows from the interface with security level 50 to the interface with security level ~~100~~ 0.
Is this expected behaviour?
05-02-2016 12:14 AM
Yes, you must explicitly permit traffic from a lower security level to a higher security level interface.
Thank you for rating helpful posts!
05-04-2016 01:51 PM
Neno,
thanks for the explanation, but I made a mistake in my previous post; please pay attention to the strikethrough text.
What would you say about that case?
05-05-2016 03:10 AM
The only time when security-levels come into play is when you do not have an ACL configured on the interface. If an ACL is configured then it is the ACL that counts with the implicit deny at the end of the ACL. If there is no ACL on the interface then it is the security-level that comes into play.
--
Please remember to select a correct answer and rate helpful posts
05-05-2016 03:34 AM
Marius,
do I understand you correctly that if I have an ACL applied to the interfaces, it does not matter what security level is configured/present?
05-05-2016 04:13 AM
That is correct.
But then if you have an interface with an ACL and another interface without an ACL and you want to pass traffic between the two interfaces, then the interface without an ACL will rely on the security level while the interface with the ACL configured will rely on the ACL entries configured.
--
Please remember to select a correct answer and rate helpful posts
09-27-2017 07:08 AM
Hi. I have 2 interfaces, DMZ1 and DMZ2, at the same security level. Traffic between the interfaces is allowed using:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
DMZ1 has no ACLs, as it is a newly created VLAN. DMZ2 has a lot of ACLs. According to you, DMZ1 should look at the security level first, as there are no ACLs. Then DMZ1 would see that it has the same security level as DMZ2 and allow traffic by virtue of the above commands. But this is not happening. When I run packet-tracer, it is denied by the implicit deny rule. So the idea of the above commands doesn't seem to make sense at all. Please help me clear up my confusion.
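The rule stated by Marius above (an interface with an inbound ACL is governed by that ACL and its implicit deny; an interface with no ACL is governed by its security level, and equal levels also need same-security-traffic permit inter-interface) is easy to get wrong when only one of the two interfaces carries an ACL, as in the DMZ1/DMZ2 post. The following is an added example, not code from the thread or from Cisco: a small Python model of that decision rule, applied at the interface the packet enters on (the access-group "in" direction). The topology, addresses and ACL entries are constructed for illustration. It shows that DMZ1-to-DMZ2 traffic is decided by the security level (DMZ1 has no ACL) while DMZ2-to-DMZ1 traffic is decided by DMZ2's ACL, so a flow in that direction that no ACE permits hits the implicit deny even with both same-security-traffic commands set.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Flow:
    ingress: str               # interface the packet enters on
    egress: str                # interface the packet would leave on
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit tcp 10.2.0.0/24 any eq 443'."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # CIDR or "any"
    dst: str
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ip_address(addr) in ip_network(net)
        return ((self.proto == "ip" or self.proto == f.proto)
                and in_net(f.src, self.src)
                and in_net(f.dst, self.dst)
                and (self.dport is None or self.dport == f.dport))


@dataclass
class Interface:
    name: str
    security_level: int
    acl: Optional[List[Ace]] = None   # None: no 'access-group ... in interface'


class Asa:
    """Model of the decision rule described in the thread; not ASA code."""

    def __init__(self, interfaces: List[Interface],
                 same_security_inter: bool = False,
                 same_security_intra: bool = False) -> None:
        self.ifaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        self.same_security_inter = same_security_inter
        self.same_security_intra = same_security_intra

    def decide(self, f: Flow) -> str:
        """Return 'permit' or 'deny', followed by the rule that decided it."""
        ing, egr = self.ifaces[f.ingress], self.ifaces[f.egress]

        # Hairpin on one interface needs 'permit intra-interface'; it is
        # still subject to the ingress ACL below if one is applied.
        if ing is egr and not self.same_security_intra:
            return "deny: same-security-traffic permit intra-interface not set"

        # 1. An inbound ACL on the ingress interface decides by itself; the
        #    security level is not consulted. No match -> implicit deny.
        if ing.acl is not None:
            for ace in ing.acl:
                if ace.matches(f):
                    return f"{ace.action}: matched ACE on {ing.name}"
            return f"deny: implicit deny at end of ACL on {ing.name}"

        # 2. No ACL on the ingress interface: the security levels decide.
        if ing is egr:
            return "permit: intra-interface, no ACL"
        if ing.security_level > egr.security_level:
            return "permit: higher to lower security level, no ACL"
        if ing.security_level < egr.security_level:
            return "deny: lower to higher security level needs an ACL permit"
        if self.same_security_inter:
            return "permit: same level with same-security-traffic permit inter-interface"
        return "deny: same level without same-security-traffic permit inter-interface"


# Constructed ACL for DMZ2 (assumption, not from the thread): DMZ2 hosts may
# reach anything on 443 and may ping DMZ1; nothing else is permitted.
DMZ2_ACL = [Ace("permit", "tcp", "10.2.0.0/24", "any", 443),
            Ace("permit", "icmp", "10.2.0.0/24", "10.1.0.0/24")]


def build_asa(inter: bool = True) -> Asa:
    """Constructed topology: two same-level DMZs, only DMZ2 carrying an ACL."""
    return Asa([Interface("inside", 100),
                Interface("outside", 0),
                Interface("DMZ1", 50),
                Interface("DMZ2", 50, acl=DMZ2_ACL)],
               same_security_inter=inter, same_security_intra=True)


def demo() -> Dict[str, str]:
    asa = build_asa()
    cases = {
        "DMZ1->DMZ2 ssh":   Flow("DMZ1", "DMZ2", "tcp", "10.1.0.10", "10.2.0.10", 22),
        "DMZ2->DMZ1 https": Flow("DMZ2", "DMZ1", "tcp", "10.2.0.10", "10.1.0.10", 443),
        "DMZ2->DMZ1 ssh":   Flow("DMZ2", "DMZ1", "tcp", "10.2.0.10", "10.1.0.10", 22),
        "outside->inside":  Flow("outside", "inside", "tcp", "198.51.100.7", "192.168.1.5", 22),
        "inside->outside":  Flow("inside", "outside", "tcp", "192.168.1.5", "198.51.100.7", 443),
    }
    return {name: asa.decide(f) for name, f in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Two caveats the model leaves out. The ASA is stateful, so only the first packet of a connection is evaluated this way; reply packets are matched to the existing connection regardless of the egress interface's level or ACL (which is why the doc note quoted above warns about asymmetric routing). And a real ASA also consults an outbound ACL on the egress interface and a global ACL if either is configured, so when packet-tracer reports an implicit deny it is worth checking which ACL it names, not only the one on the ingress interface.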
05-05-2016 08:19 AM
Ahh ok, that makes sense :) Yes, that is also expected behavior. The security-level interface becomes irrelevant if an ACL is applied to filter traffic on that particular interface. Thus, traffic flow that is not permitted in the ACL will be dropped due to the "implicit deny" at the end of the ACL. Here is a link to another good thread that explains this very well:
Thank you for rating helpful posts!
02-12-2018 10:34 AM
What if you have the ACL in place and not the inter-interface command?
Would that cause traffic not to be allowed?