    Design & Configure

    Cisco ASA: Same security level interface

    Technology: Network Security
    Area: Firewalls
    Vendor: Cisco
    Software: 8.X, 9.X
    Platform: Cisco ASA

    Sometimes you cannot decide which interface should be higher or lower, so you give two or more interfaces the same security level. How does rule number 1 apply then? By default, traffic between interfaces with equal security levels is denied, but you can change this behavior.

    To change this, use the following commands:

    ASA#configure terminal
    ASA(config)#same-security-traffic permit inter-interface

    The commands above apply to traffic passing between two different interfaces (from one interface to another). What if you have traffic hairpinning on the same interface? An example is VPN traffic with no split tunneling: all traffic from VPN users arrives VPN-encrypted on the outside interface and is sent back out of the same interface to the Internet unencrypted. This is intra-interface traffic, and such a scenario has to be allowed with the intra-interface command:

    ASA#configure terminal
    ASA(config)#same-security-traffic permit intra-interface
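    As an added example (not from the original article), the following Python audit reads an ASA running-config excerpt, finds interfaces that share a security level and reports whether inter-interface and intra-interface (hairpin) traffic between them is permitted before any ACL is considered. The config excerpt and interface names are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed ASA running-config excerpt (not from the article):
# two DMZ interfaces share security-level 50, inter-interface is permitted,
# intra-interface (hairpin) is left at its default (denied).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz1
 security-level 50
interface GigabitEthernet0/3
 nameif dmz2
 security-level 50
same-security-traffic permit inter-interface
"""


def parse_security_levels(config):
    """Map each nameif to its security-level from an ASA config excerpt."""
    levels, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
    return levels


def same_security_flags(config):
    """Return (inter_permitted, intra_permitted) from the global commands."""
    inter = re.search(r"^\s*same-security-traffic permit inter-interface\s*$", config, re.M)
    intra = re.search(r"^\s*same-security-traffic permit intra-interface\s*$", config, re.M)
    return inter is not None, intra is not None


def audit_same_security(config):
    """For every pair of equal-level interfaces and every hairpin case,
    report the default verdict (before ACLs): 'permit' or 'deny'."""
    levels = parse_security_levels(config)
    inter, intra = same_security_flags(config)
    findings = {}
    for a, b in combinations(sorted(levels), 2):
        if levels[a] == levels[b]:  # equal levels -> governed by inter-interface
            findings[(a, b)] = "permit" if inter else "deny"
    for name in sorted(levels):     # same interface in and out -> intra-interface
        findings[(name, name)] = "permit" if intra else "deny"
    return findings
```

    Pairs with different security levels are left out on purpose, since they follow the normal higher-to-lower rule rather than the same-security commands.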

    Author: Marcin Bialy