cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
379
Views
0
Helpful
2
Replies

Security Levels

On the ASA's I know Higher security levels can access lower security levels.  Does that all change once an access list is applied to the higher level interface? For instance I have an inside interface within the 172.16.1.0/24 network.  The inside interface has a security level of 100 while the outside is at 0.  If I put an access list on the inside interface that permits the whole 172.167.1.0/24 network to any destination using tcp 80 and 443 does that mean that now that is the only traffic can pass from the inside because the implicit deny all would block all other traffic?  Would you now not be able to access an ftp source on the internet from the inside interface unless you added ftp to the permit statement?                    

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Yes its just like that.

The "security-level" of the interface is valid only as long as the interface is without ACL attached to it.

As soon as you attach an ACL to the interface, that ACL has to be used to define what traffic is allowed and what is denied.

There are some special cases also related to the "security-level"

In cases where you want to allow traffic to enter and leave the same interface you will need the "same-security-traffic permit intra-interface". Even if your ACL allowed the traffic, lacking this configuration would still block the traffic.

Also in situations where you have 2 interface with equal "security-level" you will need the configuration command "same-security-traffic permit inter-interface" to allow that traffic.

- Jouni

View solution in original post

2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Yes its just like that.

The "security-level" of the interface is valid only as long as the interface is without ACL attached to it.

As soon as you attach an ACL to the interface, that ACL has to be used to define what traffic is allowed and what is denied.

There are some special cases also related to the "security-level"

In cases where you want to allow traffic to enter and leave the same interface you will need the "same-security-traffic permit intra-interface". Even if your ACL allowed the traffic, lacking this configuration would still block the traffic.

Also in situations where you have 2 interface with equal "security-level" you will need the configuration command "same-security-traffic permit inter-interface" to allow that traffic.

- Jouni

Thanks for the reply.  That answers my question.

Review Cisco Networking for a $25 gift card