Cisco ASA Traffic Between two or more interfaces which are configured with same security level

thomas-cco (Level 1)

Hi everyone,

I am wondering whether it is possible to allow inter-interface traffic with ACLs without allowing all traffic on the same security level: first disallow everything and then allow traffic with normal ACLs. Is that not possible by design?

Example:

VLAN211_INSIDE (Sec.Lvl.:100) --> VLAN212_INSIDE (Sec.Lvl.:100)

Traffic is not allowed automatically on the same security level; this option is turned off.

5 Replies

Francesco Molino (VIP Alumni)
Hi Thomas

If you apply the command same-security permit inter-interface and you assign ACLs on each interface, the traffic will be filtered.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

Thank you, I already know about this option; we use it in several of our smaller Cisco ASA clusters, but it does not seem to be a practical solution on our shared customer hosting firewall. Imagine we have 200 customers and 50 global rules (for communication over the OUTSIDE interface). When I now insert a deny rule at the end of every interface's incoming policy and activate the inter-interface feature, I'm disabling the 50 global rules, and it would require me to duplicate the 50 rules 200 times, resulting in 1000 policy rules instead of 50 policy rules.

When I then want to modify one of the "global" rules, I cannot make one change but need to make 200 changes, right?

The ideal solution for us would be if there were an address element definition for "ANY INSIDE"; in this case I could say in my final deny rule on every inside interface: deny any inside traffic, but do not deny traffic passing the outside interface.

If there is no better solution already implemented by Cisco, then I will maintain an address element group with all inside networks to achieve the required behaviour.

Best regards

Thomas
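An added example (not from the thread, and not Cisco's or Francesco's configuration) of the layout Thomas describes, in ASA CLI: one object-group holding all inside networks, a per-interface deny for inside-to-inside traffic, and the shared rules kept once in a global ACL. The interface names come from the question; all networks, object names and sample rules are assumptions.

```cisco
! Added example, not from the original thread. Networks, object-group and
! ACL names, and the sample permits are assumptions for illustration.
!
! Allow traffic between interfaces at the same security level at all;
! the interface ACLs then decide what actually passes.
same-security-traffic permit inter-interface
!
! One group that lists every inside (customer) network. This is the
! "ANY INSIDE" element the thread asks for: a single deny line per
! interface refers to it, so the global rules are never duplicated.
object-group network INSIDE_NETS
 network-object 10.211.0.0 255.255.255.0
 network-object 10.212.0.0 255.255.255.0
!
! Inbound ACL on VLAN211_INSIDE: explicit inter-customer permits first,
! then deny anything else that stays inside. Traffic bound for OUTSIDE
! matches no line here and falls through to the global ACL.
access-list VLAN211_IN extended permit tcp 10.211.0.0 255.255.255.0 host 10.212.0.10 eq 443
access-list VLAN211_IN extended deny ip any object-group INSIDE_NETS
access-group VLAN211_IN in interface VLAN211_INSIDE
!
! Same pattern on VLAN212_INSIDE (no inter-customer permits here).
access-list VLAN212_IN extended deny ip any object-group INSIDE_NETS
access-group VLAN212_IN in interface VLAN212_INSIDE
!
! Global ACL (ASA 8.3 and later): evaluated after the interface ACL and
! before the implicit deny, so the shared "outside" rules exist once.
access-list GLOBAL_OUT extended permit tcp object-group INSIDE_NETS any eq 80
access-list GLOBAL_OUT extended permit tcp object-group INSIDE_NETS any eq 443
access-group GLOBAL_OUT global
!
! Verification (sample addresses are assumptions): the first flow should
! be allowed by VLAN211_IN, the second denied by the INSIDE_NETS line,
! the third permitted by GLOBAL_OUT.
! packet-tracer input VLAN211_INSIDE tcp 10.211.0.5 40000 10.212.0.10 443
! packet-tracer input VLAN211_INSIDE tcp 10.211.0.5 40000 10.212.0.20 22
! packet-tracer input VLAN211_INSIDE tcp 10.211.0.5 40000 203.0.113.10 443
```

Any new customer network must be added to INSIDE_NETS, otherwise traffic to it falls through to the global ACL instead of being denied; a periodic comparison of the group against the configured inside interfaces catches that drift.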

I don't see your reply, I just get a big S sign. Can you re-post your question please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Do you have any idea or suggestion? I also sent you a PM in July.

Sorry I missed your PM. I'll check and answer it.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question