Defining access directions through firewalls


David Hucaby
09.12.2007


A firewall differentiates its interfaces by providing more security to some and less security to others. Therefore, it is important to understand how the interfaces relate to each other and how access is provided as traffic moves through a firewall.

TIP By default, every firewall interface must be assigned a unique security level value, so some interfaces always have more security and others less. Beginning with ASA 7.2(1) and FWSM 2.2(1), you can use the same-security-traffic permit inter-interface command to configure a firewall so that two or more of its interfaces have the same relative level of security. This command is discussed in the "Same-Security Access" section in this chapter.

Outbound Access

Outbound access is defined as connections that are initiated from a higher security interface toward a lower security interface. In other words, users on a more secure network want to connect to something on a less secure network.

Examples of outbound access are connections from the inside (higher security) to the outside (lower security). The firewall can limit the number of simultaneous connections that are used by an address translation, as well as how many embryonic (not fully initialized) connections can be formed.

You must configure two firewall mechanisms to allow outbound connections:

    • Address translation—Local (more secure) addresses must be mapped to global (less secure) addresses across two firewall interfaces.
    • Outbound access—The firewall only builds outbound connections that meet security policy requirements configured as an access list. (ASA and PIX platforms allow outbound connections to be initiated without an access list, by default. The FWSM requires an access list to permit outbound connections.)

Inbound Access

Inbound access is defined as connections that are initiated from a lower security interface toward a higher security interface. In other words, users on a less secure network want to connect to something on a more secure network.

Examples of inbound access are connections from the outside to the inside.

The firewall can limit the number of simultaneous connections that are used by an address translation, as well as how many embryonic (not fully initialized) connections can be formed.

You must configure two firewall mechanisms to allow inbound connections:

    • Address translation—Local (more secure) addresses must be mapped to global (less secure) addresses across two firewall interfaces.
    • Inbound access—The firewall allows only inbound connections that meet security policy requirements configured as an access list. You must apply an access list to the lower security interface to permit only the specific inbound connections that are to be allowed.

Same-Security Access

ASA 7.0 and FWSM 2.2(1) introduced the capability to configure multiple interfaces with the same level of security. In this case, it is not easy to classify the traffic passing between same-security interfaces as inbound or outbound.

Why would you ever want to define two or more interfaces as having the same level of security? Perhaps the interfaces support groups of users or resources that should be allowed to freely exchange information. In other words, the user communities are equally trusted and are under the same administrative control.

Download Chapter 6 of Cisco ASA, PIX, and FWSM Firewall Handbook by David Hucaby.

In addition, Cisco firewalls have a finite number of unique security levels that you can assign to interfaces. Security levels 0 to 100 can be used, representing the lowest to the highest security, respectively. On some firewall platforms, you can arbitrarily define logical firewall interfaces. If your environment needs to support more than 100 different firewall interfaces, you will not be able to assign more than 100 unique security levels. Some of the interfaces will have to be configured with identical security levels.

Same-security access has the following characteristics:

    • Address translation—You can choose to use or not use address translation between same security interfaces.
    • Access—Where many of the firewall inspection features normally limit, filter, or inspect traffic in one direction (inbound or outbound), the same operations can occur in both directions between same-security interfaces.

As well, traffic between same-security interfaces is inherently permitted without any requirement for access lists. To enable traffic to pass between interfaces that have the same security level, use the following global configuration command:

Firewall(config)# same-security-traffic permit inter-interface

Sometimes you might want to allow traffic to enter and exit the same firewall interface. This can be handy for VPN peers that have tunnels built to the firewall, but need traffic to pass back out to other VPN peers or other networks connected to the same interface.

Firewalls do not normally allow traffic to "hairpin" or come back out the same interface. Beginning with ASA 7.2(1) and FWSM 2.3(1), you can use the following global configuration command to permit hairpin traffic:

Firewall(config)# same-security-traffic permit intra-interface

In this case, the interface itself is considered to have the same security level in both directions, hence the intra-interface keyword.
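The access-direction rules from this chapter, as an added worked example that is not code from the handbook or from Cisco: a small Python model that classifies a connection by the security levels of its ingress and egress interfaces and reports whether it passes by default, whether an access list must permit it, and whether address translation must be configured. The platform names and the `inter_interface`/`intra_interface` flags are assumptions standing in for the two same-security-traffic commands.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    direction: str        # outbound / inbound / same-security / hairpin
    passes: bool          # flow is allowed before any access list is considered
    acl_required: bool    # an access list must explicitly permit the flow
    nat_required: bool    # address translation must exist across the pair


class Firewall:
    """Model (not a Cisco API) of ASA/PIX/FWSM interface security levels."""

    def __init__(self, platform, levels, inter_interface=False, intra_interface=False):
        if platform not in ("asa", "pix", "fwsm"):
            raise ValueError("platform must be asa, pix or fwsm")
        for name, level in levels.items():
            # Security levels run from 0 (least trusted) to 100 (most trusted).
            if not 0 <= level <= 100:
                raise ValueError(f"{name}: security level {level} outside 0..100")
        self.platform = platform
        self.levels = dict(levels)
        # Stands in for: same-security-traffic permit inter-interface
        self.inter_interface = inter_interface
        # Stands in for: same-security-traffic permit intra-interface
        self.intra_interface = intra_interface

    def classify(self, ingress, egress):
        """Classify a connection initiated on `ingress` and leaving via `egress`."""
        if ingress == egress:
            # Hairpin: traffic re-exits the interface it arrived on (VPN peer to
            # VPN peer). Blocked unless intra-interface traffic is permitted; the
            # chapter attaches no translation requirement here (assumption).
            return Verdict("hairpin", self.intra_interface, False, False)
        src, dst = self.levels[ingress], self.levels[egress]
        if src > dst:
            # Outbound: higher -> lower. ASA/PIX permit it by default; the FWSM
            # only builds the connection if an access list permits it.
            fwsm = self.platform == "fwsm"
            return Verdict("outbound", not fwsm, fwsm, True)
        if src < dst:
            # Inbound: lower -> higher. Only an access list applied to the lower
            # security interface lets it through.
            return Verdict("inbound", False, True, True)
        # Equal levels: flows only when inter-interface traffic is permitted;
        # no access list is needed and translation is optional.
        return Verdict("same-security", self.inter_interface, False, False)
```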

Printed with permission from Cisco Press. Copyright 2007. Cisco ASA, PIX, and FWSM Firewall Handbook by David Hucaby. For more information about this title and other similar books, please visit www.ciscopress.com.