Security levels and ACL's

chrish
Level 1

On a PIX 525 with IOS ver 7.0(1). What is the relation between security levels and ACLs? More specifically, if all interfaces contain ACLs, what role, if any, do the security levels play? If there is any documentation explaining this relationship, please point me to it if you can.

Thanks

4 Replies

paddyxdoyle
Level 6

Hi,

By default devices on an interface that has a low security level (outside) CANNOT communicate with devices on a high security level.

By default devices on an interface that has a high security level (inside) CAN communicate with devices on a low security level.

So this means that by default on a PIX, devices on the inside interface can talk to devices on the outside, but devices on the outside can't talk to devices on the inside.

This is where access lists come into play.

You can add an access list to the outside interface (or any interface) specifically permitting traffic based on source/destination IP and/or UDP/TCP port numbers to the inside of your network.

If you want to restrict access from the inside interface to the outside, you can also add an access list and apply it to the inside interface, which will have an implicit deny statement at the end so all traffic not specifically permitted in the access-list will be dropped.

HTH

Paddy

So what I am trying to find out is, once you apply ACLs, is there any difference between an interface with a high security level and one with a low security level? Once ACLs are in place, are security levels relevant at all?

Security levels will still be relevant if traffic has not matched your ACL (i.e. if you have no explicit permits or denies at the end); however, if your ACL is set up to cater for all traffic flows, then traffic will be allowed/disallowed based on the ACL and not on security levels.

They are very much in play if you run nat-control... but as "no nat-control" is the default in PIX 7.0, they are less important.

If you run multiple contexts with shared interfaces, the security levels and static statements are important considerations.

I'm sure there are some other obscure situations as well, but if you just want to worry about the ACLs, do a "same-security-traffic permit inter-interface", run all interfaces on the same security level (i.e. security50 or something like that), and "no nat-control" as well...

Just my 2 cents.. :)
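The interaction described in the replies above, written out as a PIX 7.0 configuration. This is an added example, not a configuration from the thread or from Cisco; the interface names, hosts and the 192.0.2.0/24 and 203.0.113.0/24 addresses are constructed for illustration.

```cisco
! Two interfaces with different security levels (constructed example).
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! PIX 7.0 default: NAT is not required for traffic to pass.
no nat-control
!
! With NO access-group bound to an interface, the levels decide:
!   inside (100) -> outside (0)   permitted
!   outside (0)  -> inside (100)  denied
!
! Once an ACL is bound to an interface, that ACL decides for every packet
! entering it. The implicit deny at the end drops anything not permitted,
! whatever the security level, so inbound access to a single web server
! must be permitted explicitly.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www
access-group OUTSIDE_IN in interface outside
!
! Restricting outbound traffic works the same way: binding an ACL to the
! inside interface replaces the "high may reach low" default with an
! explicit allow list (here: web and DNS only). Anything else from the
! inside is dropped by the implicit deny, despite the higher level.
access-list INSIDE_OUT extended permit tcp 192.0.2.0 255.255.255.0 any eq www
access-list INSIDE_OUT extended permit tcp 192.0.2.0 255.255.255.0 any eq https
access-list INSIDE_OUT extended permit udp 192.0.2.0 255.255.255.0 any eq domain
access-group INSIDE_OUT in interface inside
!
! The last reply's alternative: give every interface the same level and
! allow same-level traffic, so that only the ACLs are in charge. Shown
! commented out because it is a different design from the one above.
! same-security-traffic permit inter-interface
```

A quick way to check which case applies to a given interface is `show running-config access-group`: an interface that does not appear there is still governed purely by its security level.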