ASA Security Level

netbeginner
Level 2

Hi All, 

 

I would like to get your recommendations on ASA security levels and traffic flow. I have two scenarios.

 

1) ASA Firewall with Three Interfaces.

 

Interface Gig0/1 : Outside (Security Level 0)

Interface Gig0/2 : Inside (Security Level 100)

Interface Gig0/3 : DMZ (Security Level 50)

 

Four access-groups are available.

Inside Interface  : inside

Outside Interface : outside

DMZ Interface : dmz

Global :    global_access

 

- For traffic coming from Outside (security level 0) to Inside (security level 100) or DMZ (security level 50), the ACL has to be applied on the "outside" access-list.

 

- For traffic coming from DMZ (security level 50) to Inside (security level 100), an ACL is required and has to be applied on the "dmz" access-list.

 

- But for the reverse traffic, i.e. traffic from Inside (security level 100) to Outside (security level 0) or from DMZ (security level 50) to Outside (security level 0), no ACL/filtering is required due to the security-level concept. Up to here things are fine.

 

But for security reasons we also want to apply a traffic policy (ACL filtering) from Inside to Outside or from DMZ to Outside, without making any major changes. Can we use the "global_access" access-group/ACL? If yes, will this randomly impact or filter blocked or not-open communication (communication which is blocked or not open in the respective interfaces' ACLs)?

 

++++++++++++++++++

 

2) We are also checking the feasibility of having equal security levels in multiple zones.

 

Interface Gig0/1 : Outside (Security Level 0)

Interface Gig0/2 : MZ-Prod (Security Level 100)

Interface Gig0/3 : MZ-Non_Prod (Security Level 100)

Interface Gig0/4 : DMZ (Security Level 50)

 

We will create and use only one access-group, "global_access", for filtering in and out traffic on each of the MZ-Prod, MZ-Non_Prod, Outside and DMZ interfaces. Does this make sense?

 

I guess there is some additional/special configuration required to have the same security level on multiple interfaces. What is that?

 

Which one is the better solution for the long term and from a security perspective, Point #1 or Point #2?

++++++++++++++++++++++++++++++

 

3) In what cases is ACL filtering required for intra-zone traffic, i.e. if both source and destination are behind the same interface/zone on the firewall? For example, if source and destination are both behind the Inside zone.

 

I don't think this is a clever design. Seeking recommendations from you all.

 

Rgds

***  


nspasov
Cisco Employee

Hi there-

There is a lot of information to process here and this probably can't be fully answered without a true whiteboard/design session. Nevertheless, a couple of things to mention:

1. You can apply different ACLs for different "directions" of an interface. That way you can have an outbound ACL on your "inside" interface that can provide the desired filtering for traffic that is exiting from the "inside" of your network. The same would apply for the DMZ and outside interfaces.

2. Using the same security level on several interfaces is totally fine. For instance, you can have several DMZ interfaces that have the same security level. Security levels are just a simple way for you to filter traffic between trusted and untrusted interfaces without the need for much configuration.

3. By default, traffic between two interfaces with the same security level is denied. If you want to permit this, you can either use an ACL or the global configuration command: same-security-traffic permit inter-interface

4. If you want communication between hosts connected to the same interface, then you can use the global command: same-security-traffic permit intra-interface

I hope this helps!

Thank you for rating helpful posts!
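The following ASA configuration is an added worked example for both scenarios in the original post; it is not taken from the thread, from the reply above, or from Cisco documentation. Interface names, access-group names and security levels follow the post; the IP addresses, hosts and ports are assumed for illustration. It also applies the ASA direction convention, which the thread does not spell out: an access-group applied "in" on an interface filters traffic entering the ASA on that interface, so a flow sourced on the inside network is matched by an "in" ACL on inside, while an "out" ACL on outside is the egress-side alternative for the same flow. The global ACL is evaluated for inbound traffic on every interface after that interface's own "in" ACL and before the implicit deny, which is what decides whether "global_access" can affect flows the interface ACLs leave unlisted.

```text
! --- Scenario 1: three interfaces, three security levels -------------------
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dmz
 security-level 50
 ip address 10.2.0.1 255.255.255.0
!
! Inbound from the Internet: only the published DMZ service (assumed host).
access-list outside_in extended permit tcp any host 10.2.0.10 eq 443
access-group outside_in in interface outside
!
! Traffic that leaves the inside network ENTERS the ASA on "inside", so it
! is filtered by an ACL applied "in" on inside. As soon as this ACL exists,
! the implicit high-to-low permit for inside is gone: inside hosts reach
! only what is listed here.
access-list inside_in remark inside -> dmz application tier
access-list inside_in extended permit tcp 10.1.0.0 255.255.255.0 host 10.2.0.10 eq 443
access-list inside_in remark inside -> Internet, web only
access-list inside_in extended permit tcp 10.1.0.0 255.255.255.0 any eq 80
access-list inside_in extended permit tcp 10.1.0.0 255.255.255.0 any eq 443
access-list inside_in remark explicit deny so nothing falls through to global_access
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
!
! DMZ: one database flow back to inside, web to the Internet, nothing else.
access-list dmz_in extended permit tcp host 10.2.0.10 host 10.1.0.20 eq 1433
access-list dmz_in extended deny ip any 10.1.0.0 255.255.255.0 log
access-list dmz_in extended permit tcp host 10.2.0.10 any eq 443
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! Alternative for "filter what goes out to the Internet" without touching
! the inside/dmz ACLs: an "out" ACL on outside. A packet must pass both the
! ingress ACL on the interface it arrived on and this egress ACL.
access-list outside_out extended permit tcp any any eq 80
access-list outside_out extended permit tcp any any eq 443
access-group outside_out out interface outside
!
! Global ACL: checked for inbound traffic on EVERY interface, after that
! interface's own "in" ACL and before the implicit deny. Traffic that an
! interface ACL neither permits nor explicitly denies falls through to
! here, so a permit in global_access can open a flow the interface ACL
! merely left unlisted. Keep it to deny entries or to rules that really
! are meant for all interfaces, and end interface ACLs with an explicit deny.
access-list global_access extended deny tcp any any eq 23 log
access-list global_access extended deny ip any any log
access-group global_access global
!
! --- Scenario 2: two interfaces at the same security level -----------------
! (replaces the inside/dmz definitions above; shown as its own alternative)
interface GigabitEthernet0/2
 nameif mz-prod
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif mz-nonprod
 security-level 100
 ip address 10.3.0.1 255.255.255.0
!
! Without this line, packets between two security-level-100 interfaces are
! dropped. With it, the normal ACL evaluation decides, so restrict the
! cross-zone flows explicitly rather than relying on the level alone.
same-security-traffic permit inter-interface
!
access-list mz-nonprod_in extended deny ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0 log
access-list mz-nonprod_in extended permit tcp 10.3.0.0 255.255.255.0 any eq 443
access-list mz-nonprod_in extended deny ip any any log
access-group mz-nonprod_in in interface mz-nonprod
!
! Independent of inter-interface: this only covers hairpin traffic that
! enters and leaves the SAME interface (for example two subnets behind
! inside reached through a router, or VPN client-to-client). Enabling it
! does not enable traffic between different same-level interfaces.
same-security-traffic permit intra-interface
```

Before relying on any of this, trace the flows you care about through the ASA and read the ACCESS-LIST phase of the output: `packet-tracer input inside tcp 10.1.0.20 40000 203.0.113.10 443` should be allowed by inside_in, `packet-tracer input inside tcp 10.1.0.20 40000 203.0.113.10 23` should be dropped by inside_in before the global ACL is reached, and `packet-tracer input dmz tcp 10.2.0.10 40000 10.1.0.20 1433` should be allowed by dmz_in. `show access-list global_access` shows hit counts, so a non-zero hitcnt there tells you some interface ACL is letting traffic fall through. On point 3 of the post: two hosts on the same subnet behind inside exchange traffic directly on the switch and the ASA never sees it, so no ACL on the ASA can filter it; the intra-interface command and ACLs only matter for traffic the ASA actually routes back out the interface it came in on.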

Hi NSP,

Big thanks for response.

Could you share some docs for Point #1? With different security levels, I have to apply an inbound ACL and an outbound ACL for the Inside or DMZ interfaces.

 

For Point #3, is execution of the command "same-security-traffic permit intra-interface" really required to enable communication between two hosts behind the same interface?

On the other hand, if we do this, then traffic between the same security levels will also automatically be allowed by default, which we don't want.

 


Rgds
