05-14-2018 05:24 AM - edited 03-08-2019 03:00 PM
Dear Gents,
I have a specific question relating to default behavior, as follows. I create two distinct security zones with the same level on a Cisco ASA 5508. My question would be what the default behavior will be in terms of inter-zone communication: whether it is open, or what the rules, implementation constraints, best practices or behavior are in terms of IP traffic passing between them. Any advice or reference would be highly welcomed. Best regards, Andrej
05-14-2018 06:44 AM
Hello Andre,
To do what you want you have to change the security levels, putting a higher value for Zone1 than Zone2; this will permit the traffic originating from zone1 to zone2 but not vice versa. If you cannot change this, then you have to create ACLs on the interface that is in zone1 in order to permit the traffic you want to go to zone2.
Do not forget to rate useful post.
Regards,
05-14-2018 05:58 AM
Hello,
I will share you this post:
The ASA in default configuration prohibits any traffic between interfaces of the same security-level (i.e. the traffic will be dropped if the incoming interface and the outgoing interface for that packet have the same security-level). This rule is applied to layer3 interfaces of the ASA (which may be physical interfaces or Ethernet sub-interfaces, as well as port-channel interfaces or "redundant interfaces", or, on an ASA5505, which is the only ASA with an integrated switch, VLAN interfaces, if those interfaces are logical firewall interfaces enabled by giving them a name with the "nameif" command). This rule will especially prohibit a packet from entering and leaving the ASA through the same interface.
The Ethernet interfaces of an ASA5505 can never be layer3 interfaces (logical firewall interfaces); in fact they are only switchports of the integrated switch (i.e. layer2 interfaces) and cannot be configured as layer3 interfaces with something like "no switchport", so you can never give the "nameif" command to one of those switchports, and the mentioned rule (traffic between layer3 interfaces of the same security-level is prohibited) will never be applied to those switchports. Strictly speaking, traffic between Ethernet interfaces within the same VLAN is not routed but switched (forwarded at layer2, not routed at layer3). If a host sends traffic for a host in the same subnet to the IP address of the ASA for forwarding at layer3, the packet will be dropped, but by default the sending host will send the packet directly to the target IP address in that case, and so the traffic will be allowed (it never reaches the layer3 interface of the ASA).
But because it may sometimes be necessary to allow traffic between interfaces of the same security-level (or to allow traffic to enter and leave the ASA through the same interface), there is a command "same-security-traffic permit" which disables that rule. This command comes in 2 flavours: "same-security-traffic permit intra-interface", which only allows traffic to enter and leave through the same interface (but does not allow forwarding traffic between different interfaces of the same security-level), and "same-security-traffic permit inter-interface", which only allows forwarding traffic between different interfaces of the same security-level but does not allow traffic to enter and leave the ASA through the same interface (so if you need both, you have to specify both commands in your configuration).
One example where "same-security-traffic permit intra-interface" is necessary is when you configure a remote-access VPN with "split-tunnel-policy tunnel-all" and want the client to be able to access the internet: in that case, the traffic from the VPN client to the internet runs encrypted to the ASA, enters the ASA through the "outside" interface, and then leaves the ASA unencrypted through the same outside interface. Without "same-security-traffic permit intra-interface", that traffic would be dropped.
You can review the details here: https://learningnetwork.cisco.com/thread/101970
Do not forget to rate useful post.
Regards,
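The following ASA configuration fragment is an added example, not part of the original thread or Cisco's documentation; interface names, addresses and the ZONE1_IN ACL name are constructed. It shows the default-deny state for two same-level interfaces, the `same-security-traffic permit inter-interface` switch that lifts it, and an interface ACL that narrows the opened path to one flow, with packet-tracer as the verification step.

```cisco
! Two named layer3 interfaces at the same security level (constructed example).
! With nothing else configured, the ASA drops zone1 <-> zone2 traffic by default.
interface GigabitEthernet1/2
 nameif zone1
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif zone2
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
! Step 1: allow forwarding between DIFFERENT interfaces of equal level.
! (The intra-interface variant is separate and only matters for hairpinning,
!  e.g. VPN clients going back out the outside interface.)
same-security-traffic permit inter-interface
!
! Step 2: once same-level forwarding is enabled, use an inbound ACL on zone1 to
! permit only the flows that are actually needed (least privilege). Everything
! not listed hits the implicit deny at the end of the ACL.
access-list ZONE1_IN extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 443
access-list ZONE1_IN extended deny ip any any log
access-group ZONE1_IN in interface zone1
!
! Verification: trace a synthetic packet through the policy from exec mode.
! Expected: HTTPS from zone1 to zone2 is ALLOWED, SSH is DROPPED by the ACL.
packet-tracer input zone1 tcp 10.1.1.10 40000 10.2.2.20 443
packet-tracer input zone1 tcp 10.1.1.10 40000 10.2.2.20 22
```

The deny-with-log line makes the dropped flows visible in syslog, so rejected inter-zone attempts can be reviewed rather than silently discarded.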
05-14-2018 07:26 AM
Dear Diana, many thanks for the exhaustive clarification of this topic. Please, one question of a slightly different nature. Suppose we would eventually like to do partitioning by means of security contexts. Does adding a new context influence or disrupt existing traffic flowing across the first partition, aka context?