Cisco ASA 5510 - vlan subinterfaces same or different security levels

Posted on 2011-05-13
Medium Priority
Last Modified: 2012-05-11
We have an ASA 5510 which is used for vendor and internet access. The vlan subinterfaces are at the same security level and I have “same-security-traffic permit inter-interface” for another network on another interface.

I applied the same security level to both the vendor and internet for some reason that I fail to remember. My boss wants me to change that, but I want to make sure I will not break anything.

interface Ethernet0/0
 description INF - Router GE1/0/22:trunk
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
interface Ethernet0/0.71
 vlan 71
 nameif OUTSIDE
 security-level 0
 ip address x.x.x.x x.x.x.x standby x.x.x.x
interface Ethernet0/0.72
 vlan 72
 nameif VENDORS
 security-level 0
 ip address x.x.x.x x.x.x.x standby x.x.x.x

When I route the traffic back from the router, all the traffic for the vendor network has routes to the vendor subinterface IP address.

Is there any reason why the subinterfaces should be at the same security level?
Question by:hkdv
LVL 18

Expert Comment

ID: 35755203
No reason they should or shouldn't be.  It just depends on how you view traffic coming from that source.  You might argue that vendors should be at a slightly higher trust level (if there wasn't some basic level of trust you probably wouldn't be doing business with them) but you could just as easily argue the other way.  Personally, I would leave it the way it is. Does your boss have some particular reason he wants to trust the vendors more?

Assisted Solution

hkdv earned 0 total points
ID: 35755312
Since it would be a security risk for anything outside (internet) to talk to the vendor network.

I was under the impression that if we have nat-control enabled, along with “same-security-traffic permit inter-interface” configured, I need to have no-nat (NAT) configured. Is the logic wrong?
LVL 12

Expert Comment

ID: 35757692
If you have nat-control, it just forces you to use NAT or NAT exemption rules when traffic is going from one interface to the other.
If there isn't a NAT rule that the traffic can match, it will be dropped.

I agree with jmeggers to leave it this way.

LVL 12

Accepted Solution

Fidelius earned 2000 total points
ID: 35757785
Here is a more precise answer from the Cisco site:
"The nat-control command on the PIX/ASA specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global or a static statement) for that traffic to pass through the firewall. The nat-control command ensures that the translation behavior is the same as PIX Firewall versions earlier than 7.0. The default configuration of PIX/ASA version 7.0 and later is the specification of the no nat-control command. With PIX/ASA version 7.0 and later, you can change this behavior when you issue the nat-control command.

With nat-control disabled, the PIX/ASA forwards packets from a higher-security interface to a lower one without a specific translation entry in the configuration. In order to pass traffic from a lower security interface to a higher one, use access lists to permit the traffic. The PIX/ASA then forwards the traffic."
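The two rules discussed in this thread, the security-level check and the nat-control requirement, compose in a way that is easy to get wrong when changing a subinterface's level. The following is an added example, not code from the thread or from Cisco: a small Python model of the pre-8.3 ASA forwarding decision that replays the poster's situation (both subinterfaces at 0 with `same-security-traffic permit inter-interface`), the proposed change (VENDORS raised above OUTSIDE), and the nat-control case from the expert's comment and the Cisco quote above. The interface names and levels come from the posted config; the addresses, the `Asa` class and the way NAT entries are matched (by the real address on either side) are constructed simplifications, not ASA internals.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Asa:
    """Constructed model of a pre-8.3 ASA's per-flow forwarding decision (assumption).

    levels: nameif -> security-level, e.g. {"INSIDE": 100, "OUTSIDE": 0, "VENDORS": 0}
    nat_rules: (real_interface, real_network) pairs standing in for nat/global,
               static and nat 0 (exemption) entries; with nat-control on, a flow
               must be covered by one of them or it is dropped.
    acls: inbound ACL per ingress interface as [(src_net, dst_net), ...];
          binding an ACL replaces that interface's implicit permit.
    """
    levels: dict
    nat_control: bool = False
    same_security_inter_interface: bool = False
    nat_rules: list = field(default_factory=list)
    acls: dict = field(default_factory=dict)

    def decide(self, in_if, out_if, src, dst):
        """Return (forwarded, reason) for a packet entering in_if bound for out_if."""
        src, dst = ip_address(src), ip_address(dst)
        if in_if not in self.levels or out_if not in self.levels:
            return False, "unknown interface"
        lvl_in, lvl_out = self.levels[in_if], self.levels[out_if]

        # Step 1: security levels, or the ACL bound to the ingress interface.
        if in_if in self.acls:
            if not any(src in s and dst in d for s, d in self.acls[in_if]):
                return False, f"no ACL entry on {in_if} permits {src} -> {dst}"
        elif lvl_in < lvl_out:
            return False, f"{in_if}({lvl_in}) -> {out_if}({lvl_out}) is lower-to-higher; needs an ACL"
        elif lvl_in == lvl_out and not self.same_security_inter_interface:
            return False, "equal security levels need 'same-security-traffic permit inter-interface'"

        # Step 2: nat-control. Simplification (assumption): a flow is covered when
        # the real address on either side is listed for that side's interface.
        if self.nat_control:
            covered = any((i == in_if and src in n) or (i == out_if and dst in n)
                          for i, n in self.nat_rules)
            if not covered:
                return False, f"nat-control: no nat/static/exemption entry covers {src} -> {dst}"

        return True, "forwarded"


def thread_scenarios():
    """Replay the situations discussed in the thread; addresses are constructed."""
    vendors = ip_network("10.72.0.0/24")
    anywhere = ip_network("0.0.0.0/0")
    internet_host, vendor_host = "203.0.113.5", "10.72.0.10"
    out = {}

    # A: OUTSIDE and VENDORS both at 0 with the inter-interface command (the poster's setup).
    asa = Asa({"INSIDE": 100, "OUTSIDE": 0, "VENDORS": 0}, same_security_inter_interface=True)
    out["same_level_open"] = asa.decide("OUTSIDE", "VENDORS", internet_host, vendor_host)[0]

    # B: same levels but the command removed: equal-level traffic is dropped.
    asa.same_security_inter_interface = False
    out["same_level_no_cmd"] = asa.decide("OUTSIDE", "VENDORS", internet_host, vendor_host)[0]

    # C: raise VENDORS to 10: internet -> vendors now needs an ACL, vendors -> internet does not.
    asa2 = Asa({"INSIDE": 100, "OUTSIDE": 0, "VENDORS": 10})
    out["vendors_higher_in"] = asa2.decide("OUTSIDE", "VENDORS", internet_host, vendor_host)[0]
    out["vendors_higher_out"] = asa2.decide("VENDORS", "OUTSIDE", vendor_host, internet_host)[0]
    asa2.acls["OUTSIDE"] = [(anywhere, vendors)]
    out["vendors_higher_in_acl"] = asa2.decide("OUTSIDE", "VENDORS", internet_host, vendor_host)[0]

    # D: nat-control on: even permitted higher-to-lower traffic is dropped until a NAT
    # or exemption entry (e.g. 'nat (VENDORS) 0 access-list ...') covers it.
    asa3 = Asa({"INSIDE": 100, "OUTSIDE": 0, "VENDORS": 10}, nat_control=True)
    out["nat_control_no_rule"] = asa3.decide("VENDORS", "OUTSIDE", vendor_host, internet_host)[0]
    asa3.nat_rules.append(("VENDORS", vendors))
    out["nat_control_with_rule"] = asa3.decide("VENDORS", "OUTSIDE", vendor_host, internet_host)[0]
    return out


if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name:24s} {'forwarded' if verdict else 'dropped'}")
```

Scenario C is the one to check before raising the VENDORS level: the change blocks internet-to-vendor traffic outright (the poster's stated goal) but also blocks any return path that relied on the implicit same-level permit, so any legitimately needed inbound flow has to be listed in an ACL on OUTSIDE. Scenario D is independent of the level change: with nat-control on, an exemption or static entry is needed regardless of which side is more trusted. Cisco's 8.x NAT configuration guide also treats interfaces at the same security level as not requiring NAT to communicate (worth confirming for the software version in use); the model follows the thread's simpler rule and does not special-case that.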

Author Comment

ID: 35890569

Author Closing Comment

ID: 35913735
same security interface and nat
