Simple ASA Question

Dean Romanelli
Level 4

Hi All,

I am relatively new to ASAs and I had a quick and simple question:

I have found that an outside interface with security level 0 will block everything unless object-groups and ACLs specify otherwise. However, keeping with the idea that security level 100 on an inside interface can pass traffic to a security-level 0 interface since it is trusted, I am assuming that ACLs and object-groups for the Inside_to_Outside flow are not necessary/used at the engineer's discretion for traffic to pass.

Can someone verify if this is correct?

1 Reply

Jouni Forss
VIP Alumni

Hi,

The "security-level" of the interface will control where the traffic can flow through the firewall for as long as the interface has no ACL attached to it. As soon as you attach an ACL to the interface, the ACL will specify what can pass. At that point the "security-level" will have close to no meaning.

There are some situations that will require some additional commands as well.

For example, situations where the source and destination interfaces are configured with identical "security-level" values, or where the traffic is entering and leaving the same interface.

  • same-security-traffic permit intra-interface = Permits traffic between hosts connected to the same interface
  • same-security-traffic permit inter-interface = Permits traffic between hosts connected to 2 different interfaces with identical security-levels.

Notice that in the case where you have 2 interfaces with identical "security-level" values, even if you permit all traffic it still won't pass unless you configure the corresponding command mentioned above.

There is also a command related to VPN which changes the ACL behaviour for traffic entering from a VPN connection to the ASA (past the ASA to some LAN, for example).

The default setting for VPN connections is that they bypass the "outside" interface ACL check. To change this behaviour and to control entering VPN traffic on the "outside" interface ACL you can use the command "no sysopt connection permit-vpn".

The default setting is "sysopt connection permit-vpn". It doesn't show in the CLI configuration when it's on that default setting. The "no" form of the command does show.

Hopefully the information was helpful.

Feel free to ask more

- Jouni
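As an added example (not code from this thread, and not a Cisco tool), the script below reads an ASA running-config and applies the three rules from the reply: an interface with an inbound access-group is governed by that ACL rather than its security-level; two interfaces with identical security-levels cannot exchange traffic until `same-security-traffic permit inter-interface` is present; and VPN traffic bypasses the outside ACL until `no sysopt connection permit-vpn` is set. `SAMPLE_CONFIG` is a constructed config for a hypothetical device; the interface names, addresses and the `OUTSIDE_IN` ACL name are assumptions.

```python
"""Audit a Cisco ASA running-config against the traffic-flow rules in the
reply above. Added example, not from the original thread. SAMPLE_CONFIG is
constructed for a hypothetical device; names and addresses are assumptions."""

import re
from itertools import combinations

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.0.50.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif lab
 security-level 50
 ip address 10.0.60.1 255.255.255.0
!
access-list OUTSIDE_IN extended permit tcp any host 10.0.50.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
"""

INTER = "same-security-traffic permit inter-interface"
NO_PERMIT_VPN = "no sysopt connection permit-vpn"


def parse_config(text):
    """Return (levels, inbound_acl, globals_): nameif -> security-level,
    the set of nameifs with an 'in' access-group, and the global one-liners
    we care about. Interface blocks are the indented lines after 'interface'."""
    levels, inbound_acl, globals_ = {}, set(), set()
    block = {}

    def commit():
        if "nameif" in block and "level" in block:
            levels[block["nameif"]] = block["level"]

    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):      # any top-level command ends the current interface block
            commit()
            block.clear()
        if line.startswith("interface "):
            continue
        m = re.match(r" +nameif (\S+)$", line)
        if m:
            block["nameif"] = m.group(1)
            continue
        m = re.match(r" +security-level (\d+)$", line)
        if m:
            block["level"] = int(m.group(1))
            continue
        m = re.match(r"access-group \S+ in interface (\S+)$", line)
        if m:
            inbound_acl.add(m.group(1))
            continue
        if line.startswith(("same-security-traffic ", NO_PERMIT_VPN)):
            globals_.add(line.strip())
    commit()
    return levels, inbound_acl, globals_


def audit(text):
    """Apply the three rules and return a report dict."""
    levels, inbound_acl, globals_ = parse_config(text)
    report = {
        # Inbound traffic decided by the attached ACL; security-level no longer decisive
        "acl_controlled": sorted(n for n in levels if n in inbound_acl),
        # No inbound ACL: only the security-level decides where traffic may flow
        "level_controlled": sorted(n for n in levels if n not in inbound_acl),
        # Pairs that cannot talk at all, whatever the ACLs permit
        "same_level_blocked": [],
        # True while the default (hidden) 'sysopt connection permit-vpn' is in force
        "vpn_bypasses_acl": NO_PERMIT_VPN not in globals_,
    }
    if INTER not in globals_:
        for (a, la), (b, lb) in combinations(sorted(levels.items()), 2):
            if la == lb:
                report["same_level_blocked"].append((a, b, la))
    return report


def hardening_commands(report):
    """Commands to add: the first to let equal-level interfaces talk, the second
    only if you want the outside ACL to apply to VPN traffic too."""
    cmds = []
    if report["same_level_blocked"]:
        cmds.append(INTER)
    if report["vpn_bypasses_acl"]:
        cmds.append(NO_PERMIT_VPN)
    return cmds


if __name__ == "__main__":
    rep = audit(SAMPLE_CONFIG)
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("consider adding:", hardening_commands(rep))
```

On the sample config the script reports `outside` as ACL-controlled, `inside`/`dmz`/`lab` as security-level-controlled, flags `dmz` and `lab` (both level 50) as unable to talk until the inter-interface command is added, and notes that VPN traffic still bypasses the outside ACL because the `no sysopt` form is absent.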
