03-28-2006 07:24 PM - edited 03-09-2019 02:25 PM
For interfaces configured with the same security level and the global command "same-security-traffic permit inter-interface":
Traffic will flow between the interfaces without requiring any NAT command, and by default traffic flows freely without an access-list.
If I want traffic to flow between the interfaces without any NATing, but I need access control between the two interfaces, is it possible to apply an access-list on the interfaces?
Regards
03-28-2006 08:12 PM
Since access-lists are applied to interfaces without regard to which interface the traffic is bound for, you should be able to apply access-list statements that act on traffic flowing between the two same-security-level interfaces.
That is, when the access-group command is applied to an interface, it acts on all traffic entering that interface, regardless of where it is destined.
Hope that helps - pls rate the post if it does.
Paresh
03-28-2006 08:38 PM
I know an access-list can be applied to any interface, but the question is whether it works if the interfaces are at the same security level. The last "bullet" statement below, from the Cisco document, makes me doubt it.
Allowing Communication Between Interfaces on the Same Security Level
By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces provides the following benefits:
You want traffic to flow freely between all same security interfaces without access lists.
03-28-2006 09:01 PM
Seems to have changed! Same security levels can talk in 7.1 PIX/ASA code if there is an access-list.
But I have never used this in the field so I am not sure if that will work.
;-(
To disable NAT you need a NAT exemption:
-------------------------------------
access-list NONAT extended permit ip any any
nat (interface_name) 0 access-list NONAT
Security Level Usage Guidelines:
--------------------------------
The level controls the following behavior:
Network access: By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.
For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.
Inspection engines: Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
NetBIOS inspection engine: Applied only for outbound connections.
OraServ inspection engine: If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.
Filtering: HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).
For same security interfaces, you can filter traffic in either direction.
NAT control: When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).
Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.
established command: This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.
For same security interfaces, you can configure established commands for both directions.
Normally, interfaces on the same security level cannot communicate. If you want interfaces on the same security level to communicate, see the same-security-traffic command. You might want to assign two interfaces to the same level and allow them to communicate if you want to create more than 101 communicating interfaces, or you want protection features to be applied equally for traffic between two interfaces; for example, you have two departments that are equally secure.
If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
Examples
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/cmd_ref/s1_711.htm#wp1233512
sincerely
Patrick
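Putting the pieces discussed in this thread together, here is an added ASA 7.x configuration example (not from the thread or from Cisco's documentation): two interfaces at the same security level, the same-security-traffic command, NAT exemption in both directions, and an access-list applied inbound on each interface so that only one service is allowed between the two networks and everything else is denied and logged. Interface names, addresses and ACL names are constructed for illustration.

```text
! Constructed example: interface names, addresses and ACL names are illustrative.
! Two departments that are equally secure, on separate interfaces at the same level
interface GigabitEthernet0/1
 nameif dept-a
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dept-b
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Without this global command, same-level interfaces do not pass traffic at all
same-security-traffic permit inter-interface
!
! NAT exemption (nat 0 with an access-list) so no translation is applied
! between the two networks; one statement per interface, source first
access-list NONAT_A extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (dept-a) 0 access-list NONAT_A
access-list NONAT_B extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (dept-b) 0 access-list NONAT_B
!
! Access control on dept-a: only HTTP to one web server in dept-b is allowed.
! Once an access-group is applied, the ACL's final implicit deny applies to
! everything entering this interface, so the explicit deny is here for logging.
access-list DEPT_A_IN extended permit tcp 10.1.1.0 255.255.255.0 host 10.1.2.10 eq 80
access-list DEPT_A_IN extended deny ip any any log
access-group DEPT_A_IN in interface dept-a
!
! Access control on dept-b: no connections may be initiated toward dept-a,
! but dept-b keeps its normal access to lower-security interfaces.
access-list DEPT_B_IN extended deny ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0 log
access-list DEPT_B_IN extended permit ip any any
access-group DEPT_B_IN in interface dept-b
```

The access-group on each interface evaluates traffic entering that interface regardless of where it is destined, which is why the restriction between two same-level interfaces can be expressed this way. Return packets for the permitted HTTP connections are handled by the stateful connection table, so no ACL entry for them is needed on dept-b. Per the quoted guidelines, traffic between same security interfaces does not require NAT; the nat 0 lines make the no-translation intent explicit and cover deployments where nat-control is enabled.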