07-10-2018 05:26 AM - edited 02-21-2020 07:58 AM
Hi everyone,
I am wondering if there is a possibility to allow inter-interface traffic with ACLs without allowing all traffic on the same security level. So first disallow everything, and then allow traffic with normal ACLs. Is it not possible by design?
Example:
VLAN211_INSIDE(Sec.Lvl.:100) --> VLAN212_INSIDE (Sec.Lvl.:100)
Traffic is not allowed automatically on the same security level. This option is turned off.
07-10-2018 08:06 PM
07-11-2018 12:14 AM - edited 07-12-2018 12:46 AM
Hello Francesco,
Thank you, I already know about this option; we use it in several of our smaller Cisco ASA clusters, but it does not seem to be a practical solution on our shared customer hosting firewall. Imagine we have 200 customers and 50 global rules (for communication over the OUTSIDE interface). When I now insert a deny rule at the end of every interface's incoming policy and activate the inter-interface feature, then I'm disabling the 50 global rules, and it would require me to duplicate the 50 rules 200 times, resulting in 1000 policy rules instead of 50 policy rules.
When I then want to do a modification in one of the "global" rules, then I cannot do one change but I need to do 200 changes, right?
The ideal solution for us would be if there existed an address element definition for "ANY INSIDE". In this case I could say in my final deny rule on every inside interface: deny any inside traffic, but do not deny traffic passing the outside interface.
If there is no better already implemented solution from Cisco, then I will maintain an address element group with all inside networks to achieve the required behaviour.
Best regards
Thomas
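The evaluation order the post relies on (interface ACL first, then the global ACL, then the implicit deny) is easy to get wrong, so here is an added example, not Cisco code and not from the thread, that models it in Python. Addresses, the "INSIDE_NETS" group and the single "global" rule are constructed for illustration; it shows why a blanket `deny any any` at the end of an interface ACL shadows the global rules, while a tail that denies only destinations in an "ANY INSIDE" object group lets outside-bound traffic fall through to them.

```python
import ipaddress

# Constructed model of the ASA access-list order: the ACL applied to the
# ingress interface is checked first, then the global ACL, then implicit deny.

# The "ANY INSIDE" object group the post asks for: every customer VLAN (constructed).
INSIDE_NETS = [ipaddress.ip_network(n) for n in ("10.211.0.0/24", "10.212.0.0/24")]
# Destinations reached through the OUTSIDE interface (constructed).
OUTSIDE_SERVICES = [ipaddress.ip_network("203.0.113.0/24")]

def in_group(addr, group):
    """True when addr belongs to one of the networks in the object group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)

def matches(rule, src, dst):
    """A rule is (action, src_group, dst_group); None stands for 'any'."""
    _, src_group, dst_group = rule
    return (src_group is None or in_group(src, src_group)) and \
           (dst_group is None or in_group(dst, dst_group))

def evaluate(iface_acl, global_acl, src, dst):
    """First matching rule wins; nothing matched means the implicit deny."""
    for acl in (iface_acl, global_acl):
        for rule in acl:
            if matches(rule, src, dst):
                return rule[0]
    return "deny"

# The shared ("global") rules: one per service instead of one per customer.
GLOBAL_ACL = [("permit", None, OUTSIDE_SERVICES)]

# Tail of the VLAN211 interface ACL with a blanket deny (the post's concern):
# it matches every flow before the global ACL is ever consulted.
VLAN211_DENY_ALL = [("deny", None, None)]
# Tail that denies only traffic to other inside networks, so outside-bound
# traffic is not matched here and reaches the global rules.
VLAN211_DENY_INSIDE = [("deny", None, INSIDE_NETS)]

def compare(src, dst):
    """Return (result with 'deny any any', result with 'deny any INSIDE_NETS')."""
    return (evaluate(VLAN211_DENY_ALL, GLOBAL_ACL, src, dst),
            evaluate(VLAN211_DENY_INSIDE, GLOBAL_ACL, src, dst))

if __name__ == "__main__":
    print("VLAN211 -> VLAN212:", compare("10.211.0.10", "10.212.0.10"))   # ('deny', 'deny')
    print("VLAN211 -> outside:", compare("10.211.0.10", "203.0.113.53"))  # ('deny', 'permit')
```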
07-11-2018 08:37 PM
08-24-2018 02:54 AM
Do you have any idea or suggestion? I also sent you a PM in July.
08-24-2018 05:48 PM