What would be the disadvantage(s) if i configured each interface with security-level 0

thomashaecker
Level 1

Hi all,

I know that in a common setup of an ASA I configure the inside interface as "most trusted" with security-level 100, the outside interface with security-level 0 and my DMZ interfaces with a security-level between 1 and 99. I also understood that by default, traffic from higher security-levels to lower security-levels is permitted and traffic from lower security-levels to higher security-levels is denied.

But as I usually configure an access-list on each interface anyway, with the last entry being deny ip any any:

What would be the disadvantages if I configured each interface with security-level 0, also stating same-security-traffic permit inter-interface and no nat-control?

From what I understand, to get traffic to flow from a lower to a higher security-level two things are necessary:

1. an access-list allowing this traffic

2. a translation matching this traffic

Taking a look at my common setups:

1. Traffic from "inside" or "dmz" (a higher security-level) to outside (a lower security-level) does not need a translation to flow - but I always use dynamic and static NAT for inside / DMZ systems, so is there no advantage in using different security levels over using the same security-level?

2. Traffic from "outside" (lower security-level) to "dmz" (higher security-level) does need a translation to flow - but I always use static NAT anyway in this case, so is there no advantage in using different security levels?

3. Traffic from "dmz" (lower security-level) to "inside" (higher security-level) does need a translation - but I usually use a NAT exemption, so is that even a disadvantage of using different security levels?

What's the opinion of the gurus out there, is using the same security-level (0) on all interfaces useful?

Or am I missing something and using the same security-level on all interfaces also has (serious) disadvantages?

The documentation mentions that inspection engines and filtering are also affected, but I don't understand the consequences.

Could someone explain that to me, or can someone share their experiences with using the same security-level on all interfaces?

Many thanks in advance!

1 Accepted Solution

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Thomashaecker,

It all depends on how secure you want your network to be; all the statements you have made in this question are right.

If you don't have nat-control you will not need a translation to get from a lower security-level interface to a higher one, and as you have the same security level on all the interfaces you will not need an access-list either.

The thing that changes is that you will need to create an ACL on each interface if you want to make your network as secure as possible, and as you said in this discussion you always configure one on each interface, so that would be OK.

This is more of a security precaution to ensure that with the basic configuration of an ASA your network is going to be completely secure from an attack coming from the outside.

I hope this helps,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

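To make the trade-off in the answer above concrete, here is an added configuration example (not from the original post or from Cisco) in ASA 8.2-style syntax, which is the syntax in which nat-control and nat 0 access-list exist. Interface names, addresses (RFC 1918 / RFC 5737 ranges), ports and ACL names are assumptions. Variant A uses the classic levels; variant B sets every interface to 0. The NAT section is identical for both, which is the point of cases 1 to 3 in the question; what differs is what happens when an interface has no access-group.

```cisco
! Added example, not the original poster's configuration.
! ASA 8.2-style syntax (nat-control / nat 0 access-list are pre-8.3).
! Interface names, addresses, ports and ACL names are assumptions.
!
! --- Variant A: classic security levels. The implicit policy
! (higher-to-lower permitted, lower-to-higher denied) still applies
! to any interface that has no access-group bound to it.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! --- Variant B: every interface at level 0. Only the level lines
! differ, plus same-security-traffic, which is mandatory here:
! without it no traffic at all passes between same-level interfaces.
! interface GigabitEthernet0/1
!  security-level 0
! interface GigabitEthernet0/2
!  security-level 0
! same-security-traffic permit inter-interface
!
! --- Common to both variants
no nat-control
!
! Case 1: outbound PAT for inside and dmz
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
! Case 2: static for the published DMZ host
static (dmz,outside) 203.0.113.3 172.16.0.10 netmask 255.255.255.255
! Case 3: NAT exemption between inside and dmz; nat 0 access-list is
! bidirectional, so dmz-initiated flows to inside match it as well.
! The same line is needed in both variants, so levels change nothing.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Per-interface ACLs carrying the whole policy. In variant B these are
! the only thing between interfaces: remove one access-group and traffic
! flows freely in both directions through that interface, whereas in
! variant A lower-to-higher traffic is still dropped by the implicit policy.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
!
access-list DMZ_IN extended permit tcp host 172.16.0.10 any eq 80
! dmz -> inside database flow; relies on the NONAT exemption above
access-list DMZ_IN extended permit tcp host 172.16.0.10 host 10.0.0.20 eq 1433
access-list DMZ_IN extended deny ip any any
access-group DMZ_IN in interface dmz
!
access-list INSIDE_IN extended permit ip 10.0.0.0 255.255.255.0 any
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
```

After applying either variant, `packet-tracer input dmz tcp 172.16.0.10 12345 10.0.0.20 1433` shows the flow passing the ACL and NAT exemption phases in both cases; the difference only surfaces if you temporarily remove `access-group DMZ_IN in interface dmz`, where variant A drops the flow at the ACL phase and variant B allows it. That is the practical cost of all-zero levels: the interface ACLs become the single control with no implicit fallback, so ACL hygiene (and change control on the access-group lines) matters more. On the inspection and filtering point raised in the question, the ASA configuration guide's same-security-level section states that application inspection engines and HTTP/FTP filtering, which otherwise apply only to outbound (higher-to-lower) connections, apply to traffic in either direction between same-security interfaces.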

3 Replies


Hello Julio,

Thanks for your comment.

Good to hear I am not making a mistake by using security-level 0 on all interfaces (following the rules I mentioned) in my next setup.

Best regards

Hello Thomas,

My pleasure, Thomas. If you have any other question I will be more than glad to help you.

Have a great weekend,

Best Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC