Does same-security-traffic require an access-list?

I have my ASA configured with one 'outside' interface and three 'inside' interfaces, at security-level 0 and 100, respectively.  The in1/2/3->outside traffic can pass without an explicit access-list.  Outside->in1/2/3 traffic needs both an access-list and relevant statics.  This is as expected.

However, if I need one of the inside interfaces to talk to another, I either need to change the security-levels, or use same-security-traffic permit.  If I do the latter, which security model applies (i.e. will I have to explicitly permit the relevant in1->in2 traffic via access-list)?
jimbobmcgeeAsked:

Pete LongTechnical ConsultantCommented:
To get traffic from a lower security interface to a higher security interface (i.e. from a DMZ to the inside) you need 2 things:

1. A translation (either static NAT or a global and matching NAT statement)
2. An ACL allowing the traffic
0
jimbobmcgeeAuthor Commented:
Agreed.

But to get between two interfaces with the same security, using the 'same-security-traffic' keyword, is traffic implicitly allowed (as per higher-to-lower) or implicitly denied (as per lower-to-higher)?
0
Pete LongTechnical ConsultantCommented:
Then you should not - if you had to, VPN hairpinning would not work
0
harbor235Commented:

You need this command "same-security-traffic permit inter-interface" to get traffic to flow between interfaces with the same security levels. Default behavior is not to allow the traffic through unless the command above is used.

harbor235 ;}
0
harbor235Commented:
"But to get between two interfaces with the same security, using the 'same-security-traffic' keyword, is traffic implicitly allowed (as per higher-to-lower) or implicitly denied (as per lower-to-higher)?"

Using "same-security-traffic permit inter-interface", traffic is implicitly allowed; without it, traffic is implicitly denied.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167

harbor235 ;}
0

jimbobmcgeeAuthor Commented:
Can you clarify on this a bit; what is/why should I care about VPN hairpinning?

Maybe some background will help (although, it is long, so will probably just scare you off):

I have three clients (A/B/C) in a rack sharing internet bandwidth provided by a single cable from the data-centre's core kit.  The client environments should not be able to see each other.

Rather than spending the money on three separate firewalls for these clients and some core kit (i.e. router) to split the traffic, my company elected to bang them all on one ASA and give them each an interface with security-level 100 and a separate LAN range.

All was well until client A decided that they needed to talk to client B.  Client A gave them the public IP address and client B can't connect.  This is obviously because of the way the ASA deliberately prevents traffic going out and back in the 'outside' interface.

As such, if the two clients are to interact, they will have to do so directly via the LAN addresses.  This is acceptable to both, under the proviso that only traffic for this service (i.e. port) is allowed and that client C is still not able to see the other two.

I can't lower the security-level for client B, because client C would definitely be able to see client B.

This leads to why I am asking.  The 'same-security-traffic' option could allow traffic to pass across client A, B and C's interfaces.  My question is: can I expect the ASA to prevent this traffic by default and have to allow A<->B traffic (preferred), or will I have to explicitly deny C<->A and C<->B traffic?
0
jimbobmcgeeAuthor Commented:
>> Using "same-security-traffic permit inter-interface" traffic is implicitly allowed, without it traffic is implicitly denied.

Thanks, harbor235.

As such, am I going about this the wrong way?  Can I just apply an access-list to allow traffic between two security-level 100 interfaces, without 'same-security-traffic'?
0
Pete LongTechnical ConsultantCommented:
>> Can I just apply an access-list to allow traffic between two security-level 100 interfaces, without 'same-security-traffic'?

No, it's a throwback; same value used to mean traffic will NOT flow.

>>what is/why should I care about VPN hairpinning?

Sorry, you shouldn't; that was my fault for clouding the water. I was using the other use for the same command, to demonstrate an ACL was not needed :)
0
jimbobmcgeeAuthor Commented:
So if I am going to achieve what I need to, I need to enable 'same-security-traffic' and add an access-list to explicitly deny A/B<->C...?
0
harbor235Commented:

Correct, easy enough, especially if it's to deny all traffic from A -> C etc ....

harbor235 ;}
0
jimbobmcgeeAuthor Commented:
I have now tried it with 'same-security-traffic permit inter-interface' and I still couldn't connect from client B to client A (using client A's server's LAN IP address) -- it just times out.

To date, I have tried it three ways:
  • 'same-security-traffic' not set, security-levels equal - times out (expected)
  • 'same-security-traffic' set, security-levels equal - times out (not expected)
  • 'same-security-traffic' not set, client A security-level lower - connection refused (not expected)
The connection refused event was instant, and 'portmap translation creation failed for tcp src in1:CLIENT_B_SERVER_IP/52533 dst in2:CLIENT_A_SERVER_IP/22' was shown in my syslog.

Might I be missing an access-list, access-group, static, route or something?

(I have upped the points to suit the increased complexity)
0
harbor235Commented:

Translation implies NAT. If you are also doing NAT then you must make sure you have nonat rules specifying that traffic from in1 to in2 and in2 to in1 does not get nat'd. Your NAT config is wrong; can you post your sanitized config?

harbor235 ;}
0
jimbobmcgeeAuthor Commented:
That looks like it's got it!!  I lowered the security-level for the target and added the source/target IPs to the nat0 access-lists for both interfaces and I got a connection.

Does that therefore mean that if I refrain from adding client C to the relevant nat0 lists, they will never be able to see the lower-security interface -- thus solving my problem?

J.
0
jimbobmcgeeAuthor Commented:
Actually, it's not 100% right -- it's passable, for now.  I have added the two entries to their respective nat0 lists, using a 'permit tcp ... eq 22' statement (the relevant configs lines are below), but the nat0 doesn't appear to honour the 'eq 22' part, I can query all ports on either server.

Does nat0 not work at the port level?

interface Ethernet0/0
 speed 100
 duplex full
 nameif out0
 security-level 0
 ip address SITE_WAN_IP 255.255.255.248 
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif in0
 security-level 100
 ip address CLIENT_C_GATEWAY_LAN_IP 255.255.255.0 
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif in1
 security-level 100
 ip address CLIENT_A_GATEWAY_LAN_IP 255.255.255.0 
!
interface Ethernet0/3
 speed 100
 duplex full
 nameif in2
 security-level 100
 ip address CLIENT_B_GATEWAY_LAN_IP 255.255.255.0 
!
 
same-security-traffic permit inter-interface
 
access-list in1_nat0_outbound extended permit tcp host CLIENT_A_SERVER_LAN_IP eq ssh host CLIENT_B_SERVER_LAN_IP eq ssh 
access-list in1_nat0_outbound remark ^^^ Workaround to allow Client B to upload to Client A SFTP
access-list in2_nat0_outbound extended permit tcp host CLIENT_B_SERVER_LAN_IP eq ssh host CLIENT_A_SERVER_LAN_IP eq ssh 
access-list in2_nat0_outbound remark ^^^ Workaround to allow Client B to upload to Client A SFTP
 
nat (in0) 0 access-list in0_nat0_outbound
nat (in0) 10 0.0.0.0 0.0.0.0
nat (in1) 0 access-list in1_nat0_outbound
nat (in1) 10 0.0.0.0 0.0.0.0
nat (in2) 0 access-list in2_nat0_outbound
nat (in2) 10 0.0.0.0 0.0.0.0


0
harbor235Commented:


nat0 is for defining what traffic does not get nat'd only, What are the ip networks for the internal interfaces?

Add the identity nat for the IPs as well;
static (in1,in2) 10.0.0.x 10.0.0.x netmask 255.255.255.255   (x = ip of clientA_server)


harbor235 ;}
0
jimbobmcgeeAuthor Commented:
>> What are the ip networks for the internal interfaces?
Consider them 172.17.a.0/24, 172.17.b.0/24 and 172.17.c.0/24

>> Add the identity nat for the IPs as well;
What does the 'identity' NAT achieve?  172.17.a.123 will not exist behind the 172.17.b.123 interface.

To clarify the requirement:
I only want client B's server to be able to connect to an SFTP server on client A's server and receive the necessary replies.  I don't want any of client B's other servers to connect to any other server behind client A's interface, nor any of client B's servers to any other service on client A's SFTP server.  I don't want client A's server(s) to be able to connect to client B's server.  I don't want client C to connect to (or be connected to from) client A or B.

J.
0
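The following is an added example, not the asker's configuration or anything posted in the thread. It pulls together the two points made above (same-security-traffic must be enabled before any access-list matters, and the A<->B server pair must be kept out of dynamic NAT) and then puts the port-22 restriction where it belongs, in interface access-lists rather than in the nat 0 exemption list. Interface names, the 172.17.a/b/c.0/24 networks and the CLIENT_*_SERVER_LAN_IP placeholders are taken from the thread; the access-list names in1_access_in, in2_access_in and in0_access_in are assumptions.

```cisco
! Added example (not the asker's config): ASA 7.x-style configuration for the
! requirement stated above. Interface mapping follows the thread:
!   in1 = client A (172.17.a.0/24), in2 = client B (172.17.b.0/24), in0 = client C (172.17.c.0/24)
! CLIENT_A_SERVER_LAN_IP / CLIENT_B_SERVER_LAN_IP are placeholders, as in the thread.

! 1. Let traffic cross interfaces that share security-level 100 at all.
!    Without this the ASA drops it regardless of any access-list.
same-security-traffic permit inter-interface

! 2. Keep the A<->B server pair out of dynamic NAT in both directions.
!    The dynamic rule "nat (inX) 10 0.0.0.0 0.0.0.0" needs a matching global on
!    the egress interface, which in1/in2 do not have; that is what produced the
!    "portmap translation creation failed" syslog. nat 0 only decides what is
!    NOT translated, so it is written host-to-host and does no port filtering.
access-list in1_nat0_outbound extended permit ip host CLIENT_A_SERVER_LAN_IP host CLIENT_B_SERVER_LAN_IP
access-list in2_nat0_outbound extended permit ip host CLIENT_B_SERVER_LAN_IP host CLIENT_A_SERVER_LAN_IP
nat (in1) 0 access-list in1_nat0_outbound
nat (in2) 0 access-list in2_nat0_outbound
! Alternative suggested in the thread: an identity static between the two interfaces.
! static (in1,in2) CLIENT_A_SERVER_LAN_IP CLIENT_A_SERVER_LAN_IP netmask 255.255.255.255

! 3. Do the actual filtering with an access-list on client B's interface.
!    Order matters: the single specific permit first, then explicit denies for
!    the other tenants' ranges, then whatever B is otherwise allowed (internet).
access-list in2_access_in remark Client B SFTP server -> Client A SFTP server, port 22 only
access-list in2_access_in extended permit tcp host CLIENT_B_SERVER_LAN_IP host CLIENT_A_SERVER_LAN_IP eq 22
access-list in2_access_in extended deny ip any 172.17.a.0 255.255.255.0
access-list in2_access_in extended deny ip any 172.17.c.0 255.255.255.0
access-list in2_access_in extended permit ip 172.17.b.0 255.255.255.0 any
access-group in2_access_in in interface in2

! 4. Client A must not initiate towards B, and C is isolated from both. The ASA
!    is stateful, so A's replies to B's SSH session ride the existing connection;
!    A's interface only needs denies for new connections towards B and C.
access-list in1_access_in extended deny ip any 172.17.b.0 255.255.255.0
access-list in1_access_in extended deny ip any 172.17.c.0 255.255.255.0
access-list in1_access_in extended permit ip 172.17.a.0 255.255.255.0 any
access-group in1_access_in in interface in1

access-list in0_access_in extended deny ip any 172.17.a.0 255.255.255.0
access-list in0_access_in extended deny ip any 172.17.b.0 255.255.255.0
access-list in0_access_in extended permit ip 172.17.c.0 255.255.255.0 any
access-group in0_access_in in interface in0
```

Two design notes. Once an access-group is bound to an inside interface, the implicit "higher-to-lower is allowed" behaviour for that interface is replaced by the access-list, so each list ends with the permit that preserves the tenant's normal internet access; leave that line out and the tenant loses outbound connectivity. Second, the nat 0 exemption and the interface ACL do different jobs: the exemption only stops the ASA from trying (and failing) to build a dynamic translation for the in2->in1 flow, while the ACL is the thing that limits it to one source host, one destination host and port 22. A quick way to confirm both are in place is `packet-tracer input in2 tcp CLIENT_B_SERVER_LAN_IP 40000 CLIENT_A_SERVER_LAN_IP 22`, which walks the flow through the ACL and NAT phases and names the phase that drops it, and the same command with a port other than 22 should report an ACL drop.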
harbor235Commented:


Can you post your config? the question has changed

harbor235 ;}
0
jimbobmcgeeAuthor Commented:
You're right, I have gone off on a tangent somewhat.  As such, please find a suitable continuation question http:Q_23855765.html.

I will close off and assign for this one...

J.
0
jimbobmcgeeAuthor Commented:
Continued at http:Q_23855765.html to suit the additional requirements of the question
0
Question has a verified solution.