modify security level

wasahongNYC
Level 1

hello everyone,

Due to my mistake, I configured the wrong security level.

My ASA's interface named "inside" has security level 100.

Many production servers are in the "inside" network.

So I would like to reconfigure the security level from 100 to 30.

I know it is going to affect the current connections.

Will it disconnect them?

(I think it will not disconnect them. but need to confirm again. )

Thanks in advance,

Thank you.

7 Replies

johnlloyd_13
Level 9

Hi,

It would be advisable to schedule a downtime or maintenance window. This will help inform your users/server admins that you'll be performing a change control and avoid any disruption in the production environment.


How many other interfaces do you have configured on your ASA?  Do any of these have a higher security level than the interface in question?  Do you have any ACLs configured on the interfaces including the inside interface?

If you have ACLs configured then you don't need to worry about down time as traffic flow is regulated by the ACLs.  If no ACLs are present then the security level on the interface will be in use. 

If the inside network needs to initiate traffic toward another network located on an interface with a higher security level, you will need to apply ACLs to permit traffic...that is if there are not ACLs already configured.

But as John has mentioned, best to do this during a maintenance window regardless of the current setup.

--
Please remember to select a correct answer and rate helpful posts

hi

the diagram is like this:

                        |
                        |
                        | ( outside, security level 0 )
(DMZ2,50) -----ASA -----------------------------------------( DMZ1, 70)
                        |
                        |
                        |  (inside, 100) (production servers are here)

The goal is

                        |
                        |
                        | ( outside, security level 0 )
(DMZ2,100) -----ASA -----------------------------------------( DMZ1, 70)
                        |
                        |
                        |  (inside, 50)  (production servers are here)

Yes, there is an ACL configured to control traffic from outside to inside.

So I thought I could just shut down the DMZ1 and DMZ2 interfaces,

then reconfigure the inside security level to 50,

then reconfigure DMZ1 and DMZ2 to 70 and 100.

Does it work?

Thanks,

Hi,

You have not mentioned if there is any ACL on the "inside", "DMZ2" or "DMZ1" interfaces?

You stated that the "outside" interface has an ACL configured.

I would personally suggest using interface ACLs instead of purely using the "security-level" value to determine what traffic is allowed.

It seems to me that since you have stated that traffic is allowed from "outside" to "inside" with an ACL, the "security-level" change won't affect anything as the ACL is already controlling this traffic. Not to mention the "security-level" of "inside" will still be higher than "outside", so no change there.

If we presume that NO ACLs have been configured on "DMZ1" and "DMZ2" at the moment then their hosts are not able to open connections to "inside" at the moment. This would mean that after the "security-level" change the hosts behind "DMZ1" and "DMZ2" would be able to connect to hosts/servers behind "inside".

If we presume there ARE ACLs on the "DMZ1" and "DMZ2" interfaces already at this point allowing traffic that is needed to "inside" then the "security-level" change won't have any effect as all other ASA interfaces already have ACL rules allowing the traffic no matter what the "security-level" is.

With regards to the "inside" interface, if it doesn't have any ACLs configured at the moment then after the "security-level" change no connections to either "DMZ1" or "DMZ2" can be formed from behind "inside". If there is an ACL allowing all needed traffic then the change won't affect anything.

To my understanding existing connections formed through the ASA won't be affected by the "security-level" change but any new connection will be affected after the "security-level" is changed.

- Jouni
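To make the reasoning above concrete, here is an added Python model of the rule Jouni describes (this is illustrative code written for this thread, not Cisco code and not anything the poster ran): a new connection entering an interface that has an inbound access-group is decided by that ACL alone, otherwise it is allowed only from a strictly higher security-level to a lower one. The topology is the poster's four interfaces with the "before" and "goal" levels from the diagrams; the ACL contents (out_in permitting outside to inside, dmz_in permitting DMZ1 to inside) are assumptions, since the thread names the ACLs but not their entries.

```python
from typing import Dict, Optional, Set, Tuple


class Interface:
    """One ASA interface: its nameif, security-level and, if bound, the name
    of the ACL applied with 'access-group <name> in interface <nameif>'."""

    def __init__(self, name: str, security_level: int,
                 inbound_acl: Optional[str] = None) -> None:
        self.name = name
        self.security_level = security_level
        self.inbound_acl = inbound_acl


# Simplified ACL model (constructed for this example): ACL name -> set of
# egress interface names whose hosts the ACL permits reaching. Real entries
# match addresses/ports; the egress interface is enough for the question here.
AclTable = Dict[str, Set[str]]


def new_connection_allowed(ingress: Interface, egress: Interface,
                           acls: AclTable) -> bool:
    """Decide whether a NEW flow entering `ingress` and leaving via `egress`
    is accepted. Existing flows already sit in the connection table and are
    not re-evaluated, which is why established sessions survive the change."""
    if ingress.inbound_acl is not None:
        # An inbound ACL governs everything entering that interface; whatever
        # it does not permit hits the implicit deny at the end of the ACL.
        return egress.name in acls.get(ingress.inbound_acl, set())
    # No ACL: default rule, a higher security-level may initiate towards a
    # strictly lower one. Equal levels would need
    # 'same-security-traffic permit inter-interface', not configured here.
    return ingress.security_level > egress.security_level


def flow_matrix(interfaces, acls: AclTable) -> Dict[Tuple[str, str], bool]:
    """Verdict for every ordered (ingress, egress) interface pair."""
    return {(a.name, b.name): new_connection_allowed(a, b, acls)
            for a in interfaces for b in interfaces if a is not b}


def thread_topology(inside_level: int, dmz2_level: int):
    """The poster's ASA: outside and DMZ1 carry ACLs (out_in, dmz_in), inside
    and DMZ2 have none. inside/DMZ2 levels are parameters so the same function
    builds both the 'before' and the 'goal' diagram."""
    return [
        Interface("outside", 0, inbound_acl="out_in"),
        Interface("DMZ1", 70, inbound_acl="dmz_in"),
        Interface("DMZ2", dmz2_level),
        Interface("inside", inside_level),
    ]


# Assumed ACL contents: out_in lets outside reach inside, dmz_in lets DMZ1
# reach inside. Adjust to the real entries before drawing conclusions.
ACLS: AclTable = {"out_in": {"inside"}, "dmz_in": {"inside"}}


def impact_of_change() -> Dict[Tuple[str, str], Tuple[bool, bool]]:
    """Interface pairs whose new-connection verdict flips when inside goes
    100 -> 50 and DMZ2 goes 50 -> 100. Values are (before, after)."""
    before = flow_matrix(thread_topology(inside_level=100, dmz2_level=50), ACLS)
    after = flow_matrix(thread_topology(inside_level=50, dmz2_level=100), ACLS)
    return {pair: (before[pair], after[pair])
            for pair in before if before[pair] != after[pair]}


if __name__ == "__main__":
    for (src, dst), (was, now) in sorted(impact_of_change().items()):
        print(f"{src:>8} -> {dst:<8} new connections: {was} -> {now}")
```

Running it lists exactly the four pairs Jouni's post predicts: inside loses the ability to open new connections to DMZ1 and DMZ2 (it has no ACL, and its level drops below theirs), while DMZ2 gains the ability to reach inside and DMZ1. The interfaces that carry an ACL (outside, DMZ1) are unchanged, because the ACL, not the level, decides there. The check a practitioner would run before the maintenance window is to confirm which interfaces actually have an access-group bound and what those ACLs permit, then substitute the real entries for the assumed ones.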

access-group out_in in interface outside

access-group dmz_in in interface DMZ1

and,

there are no hosts on DMZ2 now.

Thanks for the detailed explanation.

As mentioned earlier, if you have ACLs configured on all the interfaces, the security-level of the interface has no meaning.  So, changing the security-level values will not affect the flow of traffic.

--
Please remember to select a correct answer and rate helpful posts

okay, I see,

thank you very much.
