Re: Cisco ASA interface security levels and the state table

[Soumen Paul <soumenpaul1977 () googlemail com>]

There should not be any issue.but in future if you want to achieve  
source and destination Nat for any packet or traffic traversing from  
low to high,nat configuration becomes complex.
7.2x OS nat ref guide can give you some idea.
I have come accross such scenario once. So just a heads up!

Sent from my iPhone



On 1 Jun 2009, at 21:32, Laurens Vets <laurens () daemon be> wrote:

> Hey there,
>
> swim_or_die () hotmail com wrote:
> > Greetings; our client has several ASA firewalls installed that are
> > configured with the outside interface set to a higher security level
> > (80) than the inside interface (20); their reasoning was at the time
> > that the backbone was to be more trusted than the stub networks,  
> which
> > is curious because there are no resources on the backbone.
>
> If by backbone you mean their internal company wide WAN/LAN  
> backbone, I can understand their reasoning a little bit: Traffic  
> from the stub networks (behind the 'inside' interface I presume?)  
> should not get on the backbone unless specifically permitted.  
> However, this can easily be achieved with a normal setup  
> (outside=20, inside=80:))
>
> What is this backbone used for at the moment?
>
> > In any case, it's not an issue right now because there is no NAT
> > taking place, and the rules in all directions are allow IP any.
>
> There's always NAT taking place; even not NATting traffic ("nat 0")  
> is 'NATting' unless they've disabled nat-control on their ASAs.  Is  
> this the case?
>
> > The client is resistant to changing the security levels to those
> > defined by best practices; their logic is that as they begin to add
> > rules for ingress and egress filtering on the interfaces, as long as
> > the access lists are all ended with an explicit deny statement, then
> > they are OK.
> >
> > Can anyone tell me if there are any issues that will arise with this
> > bass-ackwards configuration pertaining to the relationship between  
> the
> > interface security levels and the connections in the state table?
> > If so, any documentation to that effect would be helpful.
>
> I don't think any issues will arise even though their logic is a bit  
> 'different' :)
>
> You might want to check the "nat-control" command in the Cisco  
> documentation.  This might be what you are looking for to make this  
> all easier...
>
> Kind regards,
> L.
>
> --- 
> ---------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both  
> Instructor-Led and Online formats is the most concentrated exam prep  
> available. Comprehensive course materials and an expert instructor  
> means you pass the exam. Gain a laser like insight into what is  
> covered on the exam, with zero fluff!
> http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
> --- 
> ---------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff! 

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------