Interfaces with same security

adam.duffill
Level 1

I am using an ASA 5520 with IOS 7.2(3). I have assigned all interfaces security level 0. I have configured access lists to permit traffic through the interfaces, but all traffic is denied. When I allow traffic between interfaces with the same security level, it ignores the access-list and allows all traffic. I have also disabled NAT. Can anyone help me with this? It seems I am missing some small configuration detail.

2 Replies

JORGE RODRIGUEZ
Level 10

Hi, I'm not clear from your post on what you are trying to accomplish. I think it is important to understand same-security-level interfaces and traffic between them to determine what you really need to accomplish.

Same-security-level interfaces will require ACLs to communicate with one another; this is in the event that the firewall does not have the same-security-traffic permit inter-interface statement. On the other hand, if you do not want this effect and want to allow traffic to flow between same-security-level interfaces without an access-list, then the above statement must be configured in ASA global configuration.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167

Rgds

Jorge

Jorge Rodriguez

Sounds like the OP is new to security levels. If that's the case, just accept the defaults, at least for the inside and outside interfaces, of 100 and 0, respectively. DMZs can fall anywhere in between 0-100, inclusive, depending on your needs.

To go from a lower to a higher security level (0 to 100, for example) requires the use of ACLs.

Interfaces of the same security level either use ACLs or permit all, depending on the 'same-security...' command.
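An added configuration example (not from any poster) showing the two states the replies contrast on an ASA 7.2 with two interfaces both at security level 0. Interface names, addresses and the ACL name INSIDE_IN are assumed values.

```text
! Constructed example: two interfaces at the same security level
interface GigabitEthernet0/0
 nameif inside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 0
 ip address 10.2.2.1 255.255.255.0
!
! State 1 (the OP's symptom): without the global same-security-traffic
! statement the ASA drops traffic between same-level interfaces, even
! when an ingress ACL such as the one below permits it.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 80
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! State 2: the global statement lifts the same-level block. With no ACL
! applied, everything flows between inside and dmz; with the
! access-group above still in place, only TCP/80 from 10.1.1.0/24 to
! 10.2.2.0/24 is forwarded and the rest is denied and logged.
same-security-traffic permit inter-interface
```

Check the result with `show running-config same-security-traffic` and `show access-list INSIDE_IN` to confirm the statement is present and the ACL hit counters increment on the expected lines.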
