Cisco ASA 5520 Design Question

ruliffilur
Level 1

Hello

Got a 5520 with all the clients coming in on one interface and a few other interfaces with servers behind them. In our group we are discussing how to set this up with access-lists and/or security levels.

1: Set a lower security level on the client interface and a higher one on the server interface, then apply an access-list to the client interface in order to limit client access to the servers while the servers can communicate freely with the clients.

2: Have the same security level on both interfaces and apply access-lists on both.

Our aim is to minimize the use of access-lists, but on the other hand we are unsure whether the servers are going to get full access to the clients or not.

Anyone have ideas to share?

//Rulif

1 Reply

Jennifer Halim
Cisco Employee

Typically, the user/client network is configured with the highest security level (normally named "inside"), and the server network has a lower security level than the inside network.

Example:

Inside network: security level 100

Server network: security level 50

Traffic from inside to server (if you don't have any ACL applied to the inside interface) will be allowed by default.

Traffic from server to inside (because it comes from the lower security level) will not be allowed by default, unless you configure an ACL and apply it to the server interface to allow connections to be initiated from the server side.


Here is a sample configuration for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

Hope that helps.
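The design described in the reply above, written out as an ASA CLI configuration. This is an added example, not part of the original thread or of the Cisco sample configuration linked above; the interface names, addresses and the single permitted port are assumptions chosen for illustration.

```text
! Client/user network: highest security level.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Server network: lower security level than inside.
interface GigabitEthernet0/1
 nameif servers
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
! inside (100) -> servers (50): permitted by default, no ACL needed.
! Return traffic of those connections is allowed by the stateful inspection.
!
! servers (50) -> inside (100): denied by default. Permit only what the
! servers must initiate towards the clients. Here (assumed) the servers are
! allowed to send syslog to one collector on the inside network and nothing else.
access-list SERVERS_IN extended permit udp 10.2.2.0 255.255.255.0 host 10.1.1.50 eq 514
access-list SERVERS_IN extended deny ip any any log
access-group SERVERS_IN in interface servers
!
! Option 2 from the question (equal security levels) would instead need this
! command, because traffic between interfaces of the same security level is
! dropped until it is enabled, and then an ACL on each interface to restrict it:
! same-security-traffic permit inter-interface
```

Two caveats worth keeping in mind with this layout: as soon as an ACL is bound to an interface, the implicit "permit to lower security level" for that interface is replaced by the ACL's implicit deny, so an ACL applied to inside must itself permit the client-to-server traffic you want; and on ASA 8.2 and earlier with nat-control enabled, traffic between the two interfaces also needs a NAT rule or NAT exemption (nat 0) before it passes, while 8.3 and later use a different NAT syntax.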
