08-05-2023 03:12 PM - edited 08-05-2023 03:48 PM
Hi All, I have a problem with this lab:
This is the configuration of ASA:
ciscoasa# sh run
ASA Version 9.1(5)16
!
hostname ciscoasa
!
interface Ethernet0
no nameif
no security-level
no ip address
!
interface Ethernet0.10
description DATI-VLAN10
vlan 10
nameif DATI-VLAN10
security-level 80
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0.20
description DATI-VLAN10
vlan 20
nameif DATI-VLAN20
security-level 70
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 172.0.0.2 255.255.255.252
!
interface Ethernet2
nameif DMZ
security-level 30
ip address 10.55.0.1 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object-group network VLAN10-LAN-INTERNA
network-object 192.168.10.0 255.255.255.0
object-group network VLAN20-LAN-INTERNA
network-object 192.168.20.0 255.255.255.0
object-group network VLAN30-LAN-ESTERNA
network-object 10.99.73.0 255.255.255.0
object-group network SERVER-LAN-INTERNA
network-object 10.55.0.0 255.255.255.0
access-list OUTSIDE extended permit ip object-group VLAN30-LAN-ESTERNA object-group VLAN20-LAN-INTERNA
access-list OUTSIDE extended permit ip any object-group SERVER-LAN-INTERNA
access-list VLAN20 extended permit ip object-group VLAN20-LAN-INTERNA object-group VLAN10-LAN-INTERNA
access-list VLAN20 extended permit ip object-group VLAN20-LAN-INTERNA object-group VLAN30-LAN-ESTERNA
access-list VLAN20 extended permit ip object-group VLAN20-LAN-INTERNA object-group SERVER-LAN-INTERNA
mtu DATI-VLAN10 1500
mtu DATI-VLAN20 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-733.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group VLAN20 in interface DATI-VLAN20
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 172.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
ciscoasa# sh nameif
Interface Name Security
Ethernet0.10 DATI-VLAN10 80
Ethernet0.20 DATI-VLAN20 70
Ethernet1 outside 0
Ethernet2 DMZ 30
ciscoasa#
All the books I've studied say that a higher security-level interface can be allowed towards a lower security-level interface without an ACL, right? Indeed PC1 in VLAN 10 (192.168.10.10) can reach all hosts without any ACL, but PC2 in VLAN 20 (192.168.20.20) needs the ACLs:
access-list VLAN20 extended permit ip object-group VLAN20-LAN-INTERNA object-group VLAN30-LAN-ESTERNA
access-list VLAN20 extended permit ip object-group VLAN20-LAN-INTERNA object-group SERVER-LAN-INTERNA
to reach hosts on an interface with a lower security-level. Why?
I noticed that if I remove:
access-group VLAN20 in interface DATI-VLAN20
PC2 can't reach PC1 (that's OK, Sec-Level VLAN10 > VLAN20 needs an ACL), but it can reach PC3 and the Server...
Who can explain this to me?
Thanks!
08-05-2023 04:29 PM
How the security levels work has a long history and dates back to when we had Cisco PIX using conduits, not ASAs with access-lists.
While some of the basic concepts still work the same with the default configuration, you have to consider that the moment you are using access-lists on an interface, the access-list is going to govern all traffic input on that interface regardless of the security level, with an implicit deny rule at the end.
When you remove the "access-group VLAN20 in interface DATI-VLAN20", PC2 cannot reach PC1 because PC1 is in a higher security zone, as described in the documentation you mentioned.
When you add the "access-group VLAN20 in interface DATI-VLAN20", you have an access-list with an implicit "deny ip any any" at the end that doesn't show up in the config.
So once you have added an access-list entry (ACE) to allow PC2 to contact PC1, the access-list effectively looks like this:
access-list VLAN20 extended permit ip object-group VLAN20-LAN-INTERNA object-group VLAN10-LAN-INTERNA
access-list VLAN20 extended deny ip any any
(The "deny" command just doesn't show up in the config, access-lists have an implicit deny any any at the end.)
Which is why, if you want PC2 to be able to communicate with other zones/interfaces, you need a permit entry in the VLAN20 access-list to access the DMZ, outside, or anything else.
In practice, you would probably have an access-list attached inbound to all interfaces, at which point you will stop considering the security-level of each interface and start focusing only on what the access-lists allow or disallow.
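To make the decision logic of the answer above concrete, here is an added example (not from the thread or from Cisco) that models how a new connection entering an ASA interface is evaluated: if an access-group is applied inbound on the ingress interface, the ACL is evaluated first-match with an implicit deny at the end and the security levels are not consulted; otherwise the default rule applies (higher security-level to lower is allowed, lower or equal to higher is denied). The interface names, security levels, object-groups and ACEs are taken from the lab config above; the host addresses for PC3 and the server are constructed for the demonstration, and return traffic (which the stateful ASA allows automatically) is not modelled.

```python
import ipaddress

# Interfaces from the lab's "sh nameif": name -> (security-level, connected network)
INTERFACES = {
    "DATI-VLAN10": (80, ipaddress.ip_network("192.168.10.0/24")),
    "DATI-VLAN20": (70, ipaddress.ip_network("192.168.20.0/24")),
    "DMZ":         (30, ipaddress.ip_network("10.55.0.0/24")),
    "outside":     (0,  ipaddress.ip_network("172.0.0.0/30")),
}
DEFAULT_ROUTE_IF = "outside"  # route outside 0.0.0.0 0.0.0.0 172.0.0.1 1

# object-group network definitions from the lab config
OBJECT_GROUPS = {
    "VLAN10-LAN-INTERNA": [ipaddress.ip_network("192.168.10.0/24")],
    "VLAN20-LAN-INTERNA": [ipaddress.ip_network("192.168.20.0/24")],
    "VLAN30-LAN-ESTERNA": [ipaddress.ip_network("10.99.73.0/24")],
    "SERVER-LAN-INTERNA": [ipaddress.ip_network("10.55.0.0/24")],
}

# access-list entries as (action, source, destination); "any" matches everything.
# The implicit "deny ip any any" is deliberately NOT listed: it is the fallthrough.
ACLS = {
    "VLAN20": [
        ("permit", "VLAN20-LAN-INTERNA", "VLAN10-LAN-INTERNA"),
        ("permit", "VLAN20-LAN-INTERNA", "VLAN30-LAN-ESTERNA"),
        ("permit", "VLAN20-LAN-INTERNA", "SERVER-LAN-INTERNA"),
    ],
    "OUTSIDE": [
        ("permit", "VLAN30-LAN-ESTERNA", "VLAN20-LAN-INTERNA"),
        ("permit", "any", "SERVER-LAN-INTERNA"),
    ],
}


def egress_interface(dst):
    """Connected-route lookup, falling back to the lab's default route."""
    for name, (_, net) in INTERFACES.items():
        if dst in net:
            return name
    return DEFAULT_ROUTE_IF


def matches(spec, addr):
    """True if the address is covered by the object-group (or spec is 'any')."""
    return spec == "any" or any(addr in net for net in OBJECT_GROUPS[spec])


def evaluate_acl(acl, src, dst):
    """First-match evaluation; the implicit deny is the fallthrough case."""
    for n, (action, s, d) in enumerate(acl, 1):
        if matches(s, src) and matches(d, dst):
            return action == "permit", f"matched ACE {n} ({action})"
    return False, "implicit deny ip any any"


def decide(ingress, src_ip, dst_ip, access_groups, acls=ACLS):
    """Return (allowed, reason) for a new connection entering `ingress`.

    access_groups maps interface name -> ACL name for ACLs applied 'in'.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    egress = egress_interface(dst)
    if ingress in access_groups:
        # An inbound ACL governs everything on this interface; levels are ignored.
        name = access_groups[ingress]
        ok, why = evaluate_acl(acls[name], src, dst)
        return ok, f"ACL {name} on {ingress}: {why}"
    lvl_in, lvl_out = INTERFACES[ingress][0], INTERFACES[egress][0]
    if lvl_in > lvl_out:
        return True, f"no ACL on {ingress}: level {lvl_in} > {lvl_out} ({egress}), allowed by default"
    return False, f"no ACL on {ingress}: level {lvl_in} <= {lvl_out} ({egress}), denied by default"


if __name__ == "__main__":
    pc1, pc2 = "192.168.10.10", "192.168.20.20"
    pc3, server = "10.99.73.5", "10.55.0.10"   # constructed hosts for PC3 and the DMZ server
    no_acl = {}
    full = {"DATI-VLAN20": "VLAN20", "outside": "OUTSIDE"}
    for label, groups in (("no access-group on VLAN20", no_acl), ("access-group VLAN20 applied", full)):
        print(f"== {label}")
        for dst in (pc1, pc3, server):
            print(f"  PC2 -> {dst}: {decide('DATI-VLAN20', pc2, dst, groups)}")
```

Running it reproduces the behaviour described in the question: without the access-group, PC2 is denied to PC1 (70 < 80) but allowed to PC3 and the server by default; with the access-group applied, every destination must be explicitly permitted, and an ACL containing only the first ACE leaves PC2-to-server traffic on the implicit deny.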
08-06-2023 02:01 AM
Thank you Jonatan, your explanation is good.
If an ACL exists on an interface, the security-level is no longer needed...
Good day.
08-06-2023 02:06 AM
Last question:
PC2 needs an ACL to reach PC1, that's OK, but is it possible, with a command, to allow all traffic from PC2 to interfaces with a lower security-level without an ACL?