ASA - same-security-traffic permit inter-interface VS access-list permit/deny

hi folks,

I'm wondering if I use same-security-traffic permit inter-interface command at ASA and I have 2 separate interfaces with the same security level and ACL with a couple of explicit permit rules, whether traffic not covered by those permit statements will be blocked by implicit deny in the end of ACL or am I completely wrong in my thinking?


12 Replies

nspasov (Cisco Employee)

Hello Ruslan-

Check out the link below :)

Note All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the ASA.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html

Thank you for rating helpful posts!

hi Neno,

thanks, I saw this link; however, it still doesn't answer my question.

and I wonder what will happen to the traffic in the case I described, whether it will be dropped or not; this is the question.

Yes, the ACL rule(s) would be examined, and traffic that is not permitted will be dropped.

Thank you for rating helpful posts!

hi Neno,

thanks for the information.

also I tested it in a production environment and it seems my traffic is dropped by the implicit deny.

and I wanted to ask if you have encountered something like this - I increased the security level from ~~100~~ 0 to 50 (I had both at ~~100~~ 0) and still need to have a permit statement to allow traffic flows from the interface with security level 50 to the interface with security level ~~100~~ 0.

Is it expected behaviour?

Yes, you must explicitly permit traffic from a lower security level to a higher security level interface. 

Thank you for rating helpful posts!

Neno,

thanks for the explanation, but I made a mistake in my previous post. Please pay attention to the strikethrough text.

What would you say about that case?

The only time when security-levels come into play is when you do not have an ACL configured on the interface.  If an ACL is configured then it is the ACL that counts with the implicit deny at the end of the ACL.  If there is no ACL on the interface then it is the security-level that comes into play.

--

Please remember to select a correct answer and rate helpful posts


Marius,

Do I understand you correctly that if I have an ACL applied to the interfaces, it does not matter what security level is configured/present?

That is correct.

But then if you have an interface with an ACL and another interface without an ACL and you want to pass traffic between the two interfaces, then the interface without an ACL will rely on the security level while the interface with the ACL configured will rely on the ACL entries configured.

--

Please remember to select a correct answer and rate helpful posts


Hi. I have 2 interfaces DMZ1 and DMZ2 at the same security level. Traffic between the interfaces is allowed using:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

DMZ1 has no ACLs as it is a new VLAN created. DMZ2 has a lot of ACLs. According to you, DMZ1 should look at the security level first as there are no ACLs. Then, DMZ1 would see that it has the same security level as DMZ2 and allow traffic by virtue of the above commands. But this is not happening. When I run a packet tracer, it is denied by the implicit deny rule. So, the idea of the above commands doesn't seem to make sense at all. Please help me clear my confusion.

Ahh ok, that makes sense :) Yes, that is also expected behavior. The security-level interface becomes irrelevant if an ACL is applied to filter traffic on that particular interface. Thus, traffic flow that is not permitted in the ACL will be dropped due to the "implicit deny" at the end of the ACL. Here is a link to another good thread that explains this very well:

https://supportforums.cisco.com/discussion/11539041/asa-firewall-interface-security-levels-and-access-lists

Thank you for rating helpful posts!

What if you have the ACL in place and not the inter-interface command?

Would that cause traffic not to be allowed?
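As an added example (not code from this thread, from Cisco, or from any ASA software), here is a small Python model of the decision order the replies above describe: an inbound ACL on the ingress interface decides, with the implicit deny at its end, and only an interface with no ACL falls back to security levels. It is run over a constructed DMZ1/DMZ2 topology like the one in the post above; interface names, levels and addresses are made up. The model's first check, that two same-level interfaces cannot exchange traffic at all without same-security-traffic permit inter-interface even when an ACL permits the flow, is the case the last question above asks about; the thread does not settle it, so treat that one rule as my assumption about ASA behaviour rather than something the thread confirms.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    """One access-list entry: permit/deny for a source and destination prefix."""
    action: str   # "permit" or "deny"
    src: str      # source prefix in CIDR notation
    dst: str      # destination prefix in CIDR notation

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass
class Interface:
    name: str
    security_level: int
    # None means no "access-group ... in interface" is applied to this interface.
    inbound_acl: Optional[List[Ace]] = None


class Asa:
    """Toy model of the ASA forwarding decision discussed in the thread."""

    def __init__(self, interfaces: List[Interface], same_security_inter: bool) -> None:
        self.interfaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        # True when "same-security-traffic permit inter-interface" is configured.
        self.same_security_inter = same_security_inter

    def decide(self, ingress: str, egress: str, src_ip: str, dst_ip: str) -> Tuple[str, str]:
        """Return ("permit" | "drop", reason) for a flow entering ingress and leaving egress."""
        src, dst = self.interfaces[ingress], self.interfaces[egress]

        # Step 1 (assumption, see lead-in): same-level interfaces never talk unless the
        # same-security-traffic command is present, whatever the ACLs say.
        if src.security_level == dst.security_level and not self.same_security_inter:
            return "drop", "same-security-traffic permit inter-interface not configured"

        # Step 2: an inbound ACL on the ingress interface replaces the security-level logic.
        # First match wins; no match hits the implicit deny at the end of the ACL.
        if src.inbound_acl is not None:
            for ace in src.inbound_acl:
                if ace.matches(src_ip, dst_ip):
                    verdict = "permit" if ace.action == "permit" else "drop"
                    return verdict, f"ACL entry: {ace.action} {ace.src} -> {ace.dst}"
            return "drop", "implicit deny at end of ACL"

        # Step 3: no ACL on the ingress interface, so the security levels decide.
        if src.security_level > dst.security_level:
            return "permit", "no ACL; higher to lower security level"
        if src.security_level < dst.security_level:
            return "drop", "no ACL; lower to higher security level"
        return "permit", "no ACL; same level and inter-interface traffic permitted"


def build_asa(same_security_inter: bool = True) -> Asa:
    # Constructed sample topology modelled on the thread: DMZ1 and DMZ2 share
    # security level 50; DMZ2 carries an ACL, DMZ1 does not. Addresses are made up.
    dmz2_acl = [Ace("permit", "10.2.0.0/24", "10.1.0.10/32")]
    return Asa(
        interfaces=[
            Interface("inside", 100),
            Interface("dmz1", 50),
            Interface("dmz2", 50, inbound_acl=dmz2_acl),
        ],
        same_security_inter=same_security_inter,
    )


def thread_scenarios() -> Dict[str, Tuple[str, str]]:
    """Run the flows the thread talks about and return each verdict with its reason."""
    asa = build_asa()
    no_cmd = build_asa(same_security_inter=False)
    return {
        # Flow covered by an explicit permit on DMZ2's ACL.
        "dmz2->dmz1 permitted by ACL": asa.decide("dmz2", "dmz1", "10.2.0.5", "10.1.0.10"),
        # Same interfaces, flow not covered by any entry: the original poster's case.
        "dmz2->dmz1 not in ACL": asa.decide("dmz2", "dmz1", "10.2.0.5", "10.1.0.20"),
        # Reverse direction enters DMZ1, which has no ACL: the security level decides.
        "dmz1->dmz2 no ACL, same level": asa.decide("dmz1", "dmz2", "10.1.0.20", "10.2.0.5"),
        # Lower (DMZ1, 50) to higher (inside, 100) with no ACL on DMZ1.
        "dmz1->inside no ACL": asa.decide("dmz1", "inside", "10.1.0.20", "192.168.1.1"),
        # Higher to lower with no ACL on inside.
        "inside->dmz1 no ACL": asa.decide("inside", "dmz1", "192.168.1.1", "10.1.0.20"),
        # Last question in the thread: ACL permits, but the inter-interface command is absent.
        "dmz2->dmz1 ACL permit, no inter-interface cmd":
            no_cmd.decide("dmz2", "dmz1", "10.2.0.5", "10.1.0.10"),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in thread_scenarios().items():
        print(f"{name:48} {verdict:6} ({reason})")
```

The point to take from the output is the second and third rows: the same pair of interfaces yields a drop when the flow enters through the interface that carries an ACL and a permit when it enters through the one that does not, which is why packet-tracer results differ by ingress interface. Anyone relying on the last row should confirm it with packet-tracer on their own ASA, since it encodes my assumption rather than the thread's answer.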
