cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
520
Views
0
Helpful
4
Replies

Security levels and ACL's

chrish
Level 1
Level 1

On a PIx 525 with IOs ver 7.0(1). What is the relation between security levels and ACL's. More specifically if all interfaces contain ACL's what role if any do the security levels play. If there is any documentation explaining this relationship please point me to it if you can.

Thanks

4 Replies 4

paddyxdoyle
Level 6
Level 6

Hi,

By default devices on an interface that has a low security level (outside) CANNOT communicate with devices on a high security level.

By default devices on an interface that has a high security level (inside) CAN communicate with devices on a low security level.

So this means that by default on a PIX, devices on the inside interface can talk to devices on the outside, but devices on the outside can't talk to devices on the inside.

This is where access lists come into play.

You can add an access list to the outside interface (or any interface) specifically permiting traffic based on source/destination IP and or UDP/TCP port numbers to the inside of your network.

If you want to restrict access from the inside interface to the outside, you can also add an access list and apply it to the inside interface which will have an implicy deny statement at the end so all traffic not specifically permitted in the access-list will be dropped.

HTH

Paddy

So what I am trying to find out is once you apply ACL's is there any difference between an interface with a high security level and one with a low security level. Once ACL's are in place are security levels relevant at all?

Security levels will still be relevant if traffic has not matched your acl (ie if you have no explicit permits or denys at the end), however if your acl is set up to cater for all traffic flows then traffic will be allowed/disallowed based on acl and not on security levels.

They are very much in play if you run nat-control... but as "no nat-control" is default in PIX 7.0, they are less important..

If you run multiple contexts with shared interfaces, the security levels and static-statements are important considerations..

I'm sure there are some other obscure situations as well, but if you just want to worry about the ACL's, do a "same-security-traffic permit inter-interface", and run all interfaces on the same security level (ie security50 or something like that) and "no nat-control" as well...

Just my 2 cents.. :)