09-16-2011 01:15 PM - edited 03-11-2019 02:26 PM
Hi all,
I know that in a common setup of an ASA I configure the inside interface as "most-trusted" with security-level 100, the outside interface with security-level 0 and my DMZ interfaces with a security-level between 1-99. I also understood that by default, traffic from higher security-levels to lower security-levels is permitted and traffic from lower security-levels to higher security-levels is denied.
But as I usually configure an access-list on each interface anyway with the last entry being ip any any deny:
What would be the disadvantages if I configured each interface with security-level 0, also stating same-security-traffic permit inter-interface and no nat-control?
From what I understand, to get traffic flow from a lower to a higher security-level two things are necessary:
1. an access-list allowing this traffic
2. a translation matching this traffic
Taking a look at my common setups:
1. Traffic from "inside" or "dmz" (a higher security-level) to outside (a lower security-level) does not need a translation to flow - but I always use dynamic and static nat for inside / dmz systems, so no advantage using different security levels over using the same security-level?
2. Traffic from "outside" (lower security-level) to "dmz" (higher security-level) does need a translation to flow - but I always use static nat anyway in this case, so no advantage using different security levels?
3. Traffic from "dmz" (lower security-level) to "inside" (higher security-level) does need a translation - but I usually use a nat exemption, so even a disadvantage using different security levels?
What's the opinion of the gurus out there, is using the same security-level (0) on all interfaces useful?
Or am I missing something and using the same security-level on all interfaces also has (serious) disadvantages?
Documentation mentions inspection engines and filtering are also affected, but I don't understand the consequences.
Could someone explain that to me or can someone share his experiences with using the same security-level on all interfaces?
Many thanks in advance!
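As an added illustration (not part of the thread), this is the setup described above in ASA 8.2-era syntax: all interfaces at security-level 0, same-security inter-interface traffic permitted, nat-control off, and an interface ACL on every interface that ends in an explicit deny. Interface names, addresses and the ACL names are constructed for the example.

```cisco
! All three interfaces share security-level 0, so the level alone
! no longer permits or denies anything; the per-interface ACLs do.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
no nat-control
!
! inside -> outside: dynamic PAT to the outside interface address
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
! outside -> dmz web server: static NAT (ACL below matches the mapped address)
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
! dmz -> inside: NAT exemption (identity), as used in the original post
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (dmz) 0 access-list NONAT
!
! Without these ACLs, equal security levels plus no nat-control would let
! every interface reach every other one; the trailing deny is the policy.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
access-list DMZ_IN extended permit tcp host 172.16.1.10 host 10.1.1.20 eq 1433
access-list DMZ_IN extended permit udp host 172.16.1.10 host 10.1.1.1 eq domain
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

`show access-list` and `show nat` confirm that a flow is being permitted by an ACL entry and matched by the intended translation rather than by the security-level default.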
09-16-2011 01:42 PM
Hello Thomashaecker,
It all depends on how secure you want your network to be; all the statements you have placed in this question are right.
If you don't have nat-control you will not need a translation to get from a lower security level interface to a higher one, and as you have the same security level on all the interfaces you will not need an access-list as well.
The thing is that what changes is that you will need to create an ACL on each interface if you wanna make your network as secure as possible, and as you said over this discussion you always configure one on each interface, so that would be ok.
This is more like a security precaution to ensure that with the basic configuration of an ASA your network is going to be completely secure from an attack coming from the outside.
I hope this helps,
Julio
09-16-2011 02:04 PM
Hello Julio,
thanks for your comment.
Good to hear I am not making a mistake using security-level 0 on all interfaces (following the rules I mentioned) in my next setup.
Best regards
09-16-2011 02:31 PM
Hello Thomas,
My pleasure, Thomas. If you have any other question I will be more than glad to help you.
Have a great weekend,
Best Regards
Julio