Cisco ASA 5510 - vlan subinterfaces same or different security levels

Posted on 2011-05-13
Last Modified: 2012-05-11
We have an ASA 5510 which is used for vendor and internet access. The vlan subinterfaces are at the same security level and I have “same-security-traffic permit inter-interface” for other networks on another interface.

I applied the same security level to both the vendor and internet for some reason that I fail to remember. My boss wants me to change that but I want to make sure I will not break anything.

interface Ethernet0/0
 description INF - Router GE1/0/22:trunk
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
interface Ethernet0/0.71
 vlan 71
 nameif OUTSIDE
 security-level 0
 ip address x.x.x.x x.x.x.x standby x.x.x.x
interface Ethernet0/0.72
 vlan 72
 nameif VENDORS
 security-level 0
 ip address x.x.x.x x.x.x.x standby x.x.x.x

When I route the traffic back from the router, all the traffic for the vendor network has routes to the vendor subinterface IP address.

Is there any reason why the subinterfaces should be at same security level?
Question by: hkdv

    Expert Comment

    No reason they should or shouldn't be.  It just depends on how you view traffic coming from that source.  You might argue that vendors should be at a slightly higher trust level (if there wasn't some basic level of trust you probably wouldn't be doing business with them) but you could just as easily argue the other way.  Personally, I would leave it the way it is. Does your boss have some particular reason he wants to trust the vendors more?

    Assisted Solution

    Since it would be a security risk for anything outside (internet) to talk to the vendor network

    I was under the impression that if we have nat-control enabled, along with “same-security-traffic permit inter-interface” configured, I need to have no-nat (NAT) configured. Is the logic wrong?

    Expert Comment

    If you have nat-control it just forces you to use NAT or NAT exemption rules when traffic is going from one interface to the other.
    If there isn't a NAT rule that traffic can match, it will be dropped.

    I agree with jmeggers to leave it this way.

    Accepted Solution

    Here is a more precise answer from the Cisco site:
    "The nat-control command on the PIX/ASA specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global or a static statement) for that traffic to pass through the firewall. The nat-control command ensures that the translation behavior is the same as PIX Firewall versions earlier than 7.0. The default configuration of PIX/ASA version 7.0 and later is the specification of the no nat-control command. With PIX/ASA version 7.0 and later, you can change this behavior when you issue the nat-control command.

    With nat-control disabled, the PIX/ASA forwards packets from a higher-security interface to a lower one without a specific translation entry in the configuration. In order to pass traffic from a lower security interface to a higher one, use access lists to permit the traffic. The PIX/ASA then forwards the traffic."
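To turn the answers above into something you can check against a running configuration before touching the security levels, here is an added example (mine, not part of the thread and not a Cisco tool) in Python. It parses the handful of statements that matter in an ASA 8.2-style configuration (pre-8.3 NAT, where nat-control still exists), lists the interfaces that share a security level, and reports what a given src/dst pair still needs (same-security-traffic, an inbound ACL, a nat/static entry) following the nat-control text quoted above; same-level traffic is assumed not to need a translation entry, per Cisco's NAT control guidance, which is an assumption in the code. The sample configuration, the INSIDE interface, the NONAT exemption and the VENDORS_IN ACL are constructed for the example, and impact_of_change shows which flows would gain a requirement if VENDORS were moved to level 50. It only checks that an access-group or nat rule exists on the relevant interface, not that it matches a particular flow, and it ignores ACLs applied to the higher-security side.

```python
"""Lint an ASA 8.2-style (pre-8.3 NAT) config for what this thread is about: which
interfaces share a security level, whether same-security-traffic and nat-control are
set, and what a given interface pair still needs before a connection can be built."""
import re
from dataclasses import dataclass, field

# Constructed sample, not the poster's config: the OUTSIDE/VENDORS subinterfaces from
# the question plus an assumed INSIDE interface, an assumed NAT exemption (NONAT) and an
# assumed inbound ACL on VENDORS. Addresses are documentation ranges.
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
nat-control
interface Ethernet0/0.71
 nameif OUTSIDE
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Ethernet0/0.72
 nameif VENDORS
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.0.0.1 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 203.0.113.0 255.255.255.0
nat (INSIDE) 0 access-list NONAT
access-list VENDORS_IN extended permit tcp 203.0.113.0 255.255.255.0 host 10.0.0.5 eq 22
access-group VENDORS_IN in interface VENDORS
"""

@dataclass
class AsaConfig:
    levels: dict = field(default_factory=dict)    # nameif -> security-level
    same_sec_inter: bool = False                  # same-security-traffic permit inter-interface
    nat_control: bool = False
    nat_ifaces: set = field(default_factory=set)  # real-side interface of each nat/static rule
    acl_in: set = field(default_factory=set)      # interfaces with an inbound access-group

def parse_asa(text):
    """Pull out only the statements the checks below depend on."""
    cfg, current = AsaConfig(), None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = None                      # nameif follows inside the stanza
        elif line == "same-security-traffic permit inter-interface":
            cfg.same_sec_inter = True
        elif line == "nat-control":
            cfg.nat_control = True
        elif line.startswith(" nameif "):
            current = line.split()[1]
        elif line.startswith(" security-level ") and current:
            cfg.levels[current] = int(line.split()[1])
        elif m := re.match(r"(?:nat|static) \((\w+)", line):
            cfg.nat_ifaces.add(m.group(1))
        elif m := re.match(r"access-group \S+ in interface (\w+)", line):
            cfg.acl_in.add(m.group(1))
    return cfg

def same_level_pairs(cfg):
    names = sorted(cfg.levels)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if cfg.levels[a] == cfg.levels[b]]

def requirements(cfg, src, dst):
    """Statements still missing for a new connection src -> dst, per the nat-control
    text quoted above. Presence checks only: it does not verify that an existing ACL
    or nat rule matches the flow, and ignores ACLs on the higher-security interface."""
    s, d, needs = cfg.levels[src], cfg.levels[dst], []
    if s == d and not cfg.same_sec_inter:
        needs.append("same-security-traffic permit inter-interface")
    elif s < d and src not in cfg.acl_in:
        needs.append(f"inbound ACL on {src}")   # lower -> higher is implicitly denied
    # nat-control: a flow between different levels needs a translation entry for the
    # more-trusted side's addresses. Same-level traffic is assumed exempt here, per
    # Cisco's NAT control guidance (a dynamic NAT/PAT on that interface would change that).
    if cfg.nat_control and s != d:
        inner = src if s > d else dst
        if inner not in cfg.nat_ifaces:
            needs.append(f"nat/static or NAT exemption for {inner}")
    return needs

def with_level(cfg, iface, level):
    """Copy of cfg with one interface moved to a new security level."""
    new = AsaConfig(dict(cfg.levels), cfg.same_sec_inter, cfg.nat_control,
                    set(cfg.nat_ifaces), set(cfg.acl_in))
    new.levels[iface] = level
    return new

def impact_of_change(cfg, iface, level):
    """Flows through iface whose requirements differ after the level change."""
    after, diff = with_level(cfg, iface, level), {}
    for other in cfg.levels:
        if other != iface:
            for src, dst in ((iface, other), (other, iface)):
                before, then = requirements(cfg, src, dst), requirements(after, src, dst)
                if before != then:
                    diff[(src, dst)] = (before, then)
    return diff

if __name__ == "__main__":
    cfg = parse_asa(SAMPLE_CONFIG)
    print("same security level:", same_level_pairs(cfg))
    for flow, (before, after) in impact_of_change(cfg, "VENDORS", 50).items():
        print(f"VENDORS -> level 50 changes {flow}: {before} -> {after}")
```

On the sample, the two level-0 subinterfaces need nothing extra to talk to each other while same-security-traffic is on, but moving VENDORS to 50 makes OUTSIDE-to-VENDORS traffic need an inbound ACL on OUTSIDE and, because nat-control is set, a translation entry for VENDORS in both directions; that is the list to prepare before the boss's change.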

    Author Closing Comment

    same security interface and nat
