same security level on ASA with no nat-control

bsrulez02
Level 1

Hi,

Our customer had a scenario where interfaces with different security levels and no nat-control statement were configured. Interfaces between which he enabled static NAT started dropping other traffic with an error that no translation was found. (This is the background for the discussion below.)

Due to this, the customer is asking us to deploy his new firewall with all interfaces in the same security level.

New firewall configuration summary:

1. A few interfaces on the firewall are configured with the same security level
2. The "same security level" command has been enabled on the firewall
3. On all interfaces an ACL is configured to inspect traffic coming in.
4. no nat-control (default) is configured in the firewall

5. The interface connected to the public network is in a different security level (the customer is asking to put all interfaces in the same security level)

Question:

What security issues will be involved if we use all interfaces in the same security level, in spite of the ACL to control traffic?

Is there really any NAT issue which Cisco has identified when we use interfaces in the same security level and with no nat-control statement?

Related Product:

ASA 5520 with version 7.2

Thanks

1 Accepted Solution

Jennifer Halim
Cisco Employee

Same security level actually has nothing to do with NAT. To disable NAT, you use the command "no nat-control", and once you disable NAT, you can pass traffic from low to high or high to low security level without requiring any NAT. However, once you have a NAT statement on that interface, you pretty much disable the "no nat-control", i.e. you will have to explicitly configure either static NAT or dynamic NAT between interfaces.

By having the same security level, you can freely pass traffic between interfaces with the same security level without the need to have an access-list applied to the interface. If you however have an access-list applied to the interface, then you still need to explicitly allow the traffic that you would like to allow.

So the reason why people have same security level interfaces is that those interfaces connect to the internal network and they want traffic to move freely between the interfaces without requiring any access-list, and in combination with "no nat-control" they also do not need any translation configuration.

Hope that helps.

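The setup summarised in the question and explained in the accepted answer, written out as an ASA 7.2 configuration. This is an added example, not configuration from the thread; interface names, addresses, ACL names and the published server address are assumed. It shows the three pieces that interact: equal security levels with same-security-traffic enabled, inbound ACLs bound to every interface (the point the answer makes is that an interface without a bound ACL at the same security level passes everything), and nat-control left off, with NAT exemption covering the inside-to-dmz pair once a static NAT statement exists on the inside interface, which is the situation the original customer ran into.

```text
! Added example, not the thread's configuration. All names and addresses are assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
! Without this line, inside<->dmz is denied even though the levels are equal.
same-security-traffic permit inter-interface
!
! Default in 7.2; stated explicitly so the intent survives a config review.
! With it off, inside<->dmz needs no xlate until a NAT rule exists on the interface.
no nat-control
!
! Inbound ACLs are enforced regardless of security level once bound with
! access-group. Every interface gets one, so equal levels never mean "permit all".
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 443
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
!
access-list dmz_in extended permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 443
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Publishing one inside server adds a static NAT statement on "inside". Per the
! thread, from this point other flows leaving "inside" need a translation too, so
! the inside<->dmz pair is exempted (identity, via nat 0) to keep it untranslated.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

To confirm a given flow is handled the way the thread describes, run packet-tracer on the ASA, e.g. `packet-tracer input inside tcp 10.1.1.10 1025 10.2.2.20 443`; the output lists the ACL, NAT and xlate phases and shows whether the drop reason is the ACL or a missing translation. Moving the outside interface to security-level 50 as the customer wants changes nothing in this configuration as long as outside_in stays bound; what it removes is the safety net for an interface that is later added without an ACL.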

3 Replies


Thanks for your reply.

We have made all interfaces into one security level (this includes public and internal). However, an ACL is also in place for all interfaces. Hope this doesn't throw any security concerns.


Thanks

If an ACL is in place then there is no problem.

The reason why people use the same security level is to allow those interfaces to flow freely without the requirement of an ACL; however, you can configure it that way with no problem.
