08-29-2013 07:37 AM - edited 03-11-2019 07:32 PM
Hello,
I need to change the security-level on an interface for a cisco asa 5520. I am not sure if this will cause downtime, can someone please inform me? I cannot seem to find anything on the internet about this. Thanks in advance.
08-29-2013 07:51 AM
Hi,
If you have interface ACLs configured on all interfaces already, then changing the "security-level" will not change anything.
If, however, you have some interfaces that don't use ACLs and you are, for example, changing some other interface's "security-level" to a higher value than the interface which doesn't have an interface ACL, then you might start blocking all traffic from behind the interface with no ACL to the network behind the interface whose "security-level" got changed.
There is also one NAT-related issue that might arise from changing the "security-level" value, but it only applies to software level 8.2 and below. It is also a NAT configuration that is very rare (at least I have not run into it that many times).
This NAT-related situation specifically comes up when you are doing Dynamic NAT/PAT and the source addresses/networks are behind an interface whose "security-level" is lower than the destination interface's.
A simple example could be:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.248
interface GigabitEthernet0/1
 nameif 3rdparty
 security-level 2
 ip address 2.2.2.2 255.255.255.248
If you wanted to configure Dynamic PAT between these interfaces, then the "nat" command would require an extra parameter at the end, specifically "outside" (this doesn't refer to any interface name):
global (3rdparty) 1 interface
nat (outside) 1 10.10.10.0 255.255.255.0 outside
The above configuration is meant to illustrate a situation, for example, where you want some VPN Client or L2L VPN remote network to be able to access some 3rd party site, and the "security-level" values of the interfaces are the other way around from the typical case of going from secure to unsecure.
There might also be some minor cosmetic changes in the command output and syslogs. For example, the "security-level" defines in what order the source and destination IP addresses are shown in the "show conn" output. Also, the connection-forming logs are marked as either "inbound" or "outbound" based on the "security-level" value (outbound from higher to lower and inbound from lower to higher).
But as I said, these are just cosmetic changes.
There might be some other things, but I can't think of anything else than the ones above.
- Jouni
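The first two points of the answer (an inbound ACL makes the level irrelevant; without one, a level change can silently flip the implicit high-to-low permit) can be checked before a change window. The script below is an added example, not from the thread or from Cisco: it models the ASA default behaviour for interfaces without an inbound ACL and reports which interface pairs change disposition when one level is edited. The interface names, levels and ACL flags are constructed sample data.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Iface:
    nameif: str
    security_level: int
    has_inbound_acl: bool  # an access-group applied "in" on this interface


def implicitly_permitted(src, dst, same_sec_inter=False):
    """ASA default with no inbound ACL on the ingress interface: higher->lower
    permitted, lower->higher denied, equal levels denied unless
    'same-security-traffic permit inter-interface' is configured."""
    if src.security_level > dst.security_level:
        return True
    if src.security_level == dst.security_level:
        return same_sec_inter
    return False


def flow_allowed_by_default(src, dst, same_sec_inter=False):
    """With an inbound ACL the ACL alone decides, so the level has no effect."""
    if src.has_inbound_acl:
        return None  # decided by the ACL, not by the security-level
    return implicitly_permitted(src, dst, same_sec_inter)


def impact_of_level_change(ifaces, nameif, new_level, same_sec_inter=False):
    """Return (newly_blocked, newly_opened) lists of (src, dst) nameif pairs
    whose default disposition flips when `nameif` is given `new_level`."""
    before = {i.nameif: i for i in ifaces}
    after = dict(before)
    old = before[nameif]
    after[nameif] = Iface(old.nameif, new_level, old.has_inbound_acl)
    newly_blocked, newly_opened = [], []
    for a, b in permutations(before, 2):
        was = flow_allowed_by_default(before[a], before[b], same_sec_inter)
        now = flow_allowed_by_default(after[a], after[b], same_sec_inter)
        if was is None:  # ingress has an ACL: the level change is irrelevant
            continue
        if was and not now:
            newly_blocked.append((a, b))
        elif now and not was:
            newly_opened.append((a, b))
    return newly_blocked, newly_opened


# Constructed sample: "inside" has no ACL and relies on the implicit permit;
# "dmz" is the new interface whose level is about to be raised to 100.
SAMPLE = [Iface("outside", 0, True), Iface("inside", 100, False), Iface("dmz", 50, False)]
```

Running `impact_of_level_change(SAMPLE, "dmz", 100)` reports that inside-to-dmz loses its implicit permit, which is exactly the case the answer warns about; the same call with `same_sec_inter=True` instead reports dmz-to-inside becoming newly open.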
08-29-2013 07:56 AM
Thanks for the information Jouni. This is a new interface that doesn't have any rules on it at the moment and I don't believe any other interfaces need access to this interface at the moment. And this ASA is using code version 8.3(2) so it sounds like I should be good. Thanks again!