Pages

Tuesday, 8 May 2012

Using Interfaces with same security levels on Cisco ASA

Using Interfaces with same security levels on Cisco ASA

Most Cisco ASA firewall models allow you to have a maximum number of VLANs greater than 100 (e.g 150, 200, 250). Each Layer 2 VLAN on the ASA is essentially a different security zone, with its own Security Level number. As we know, security levels can range from 0 to 100 (i.e we have 101 security levels). One obvious question arises here:

How can we have lets say 150 VLANs on the firewall, but we have only 101 possible security levels?
The answer is simple: We can have the same security level number on different interfaces / subinterfaces (security zones). This feature will allow us to have more than 101 communicating interfaces on the firewall.

By default, interfaces with the same security level can not communicate between them. To allow traffic to flow freely between interfaces with same security level, use the following command:

ASA(config)# same-security-traffic permit inter-interface
There is another option also for this command:
ASA(config)# same-security-traffic permit intra-interface
The last command above allows traffic to enter and exit the same interface, which by default is not allowed. This is useful in networks where the ASA firewall acts as a HUB in a HUB-and-SPOKE VPN topology, where spokes need to communicate with each through the hub.

No comments:

Post a Comment