The Adaptive Security Algorithm permits connections from one firewall network interface to another by using a security level mechanism. Each interface must be assigned a security level ranging from 0 (lowest) to 100 (highest). By default, the Security Appliance assigns the internal network (the inside network) security level 100, whereas the external network (the outside network) connected to the Internet is assigned level 0. Other networks, such as a DMZ, can be assigned any number in between.
By default, the Security Appliance allows traffic to flow freely from an internal network (higher security level 100) to an external network (lower security level 0).
For traffic to flow between the interfaces through the Security Appliance, basic parameters need to be configured. These include the interface name, the security level, an IP address, dynamic or static routing, and enabling the interface, because physical interfaces are shut down by default.
Example 6-3 shows how to configure physical interface parameters in single mode.
hostname(config)# interface Ethernet1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
Example 6-4 shows how to configure interface parameters in multiple context mode for the system configuration. The example creates the subinterface Ethernet1.100, places it in VLAN 100, and allocates it to contextA.
hostname(config)# interface Ethernet1
hostname(config-if)# speed 100
hostname(config-if)# duplex full
hostname(config-if)# no shutdown
hostname(config-if)# interface Ethernet1.100
hostname(config-subif)# vlan 100
hostname(config-subif)# no shutdown
hostname(config-subif)# context contextA
hostname(config-ctx)# ...
hostname(config-ctx)# allocate-interface Ethernet1.100
By default, the Adaptive Security Algorithm does not permit interfaces on the same security level to communicate with each other. To explicitly permit this, use the following command from global configuration mode to enable traffic flow between interfaces of the same security level without access lists.
hostname(config)# same-security-traffic permit inter-interface
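The following added example (not from the book or from Cisco) parses the interface commands shown above, reports which basic parameters an interface still lacks, and evaluates whether the security-level rule permits a flow between two interfaces by default, including the same-security case. The sample configuration and its addresses are constructed for illustration.

```python
import re

def parse_config(text: str) -> tuple:
    """Return (interfaces keyed by nameif, same-security inter-interface flag)."""
    ifaces, cur, same_sec = [], None, False
    for raw in text.splitlines():
        line = re.sub(r"^hostname\([^)]*\)#\s*", "", raw.strip())  # drop CLI prompt
        if m := re.match(r"interface (\S+)$", line):
            cur = {"nameif": None, "level": None, "ip": None, "enabled": False}  # shut down by default
            ifaces.append(cur)
        elif line == "same-security-traffic permit inter-interface":
            same_sec = True
        elif cur is None:
            continue
        elif m := re.match(r"nameif (\S+)$", line):
            cur["nameif"] = m.group(1)
        elif m := re.match(r"security-level (\d+)$", line):
            cur["level"] = int(m.group(1))
        elif m := re.match(r"ip address (\S+) \S+", line):
            cur["ip"] = m.group(1)
        elif line in ("shutdown", "no shutdown"):
            cur["enabled"] = line == "no shutdown"
    return {i["nameif"]: i for i in ifaces if i["nameif"]}, same_sec

def missing_basics(i: dict) -> list:
    """Basic parameters the text requires before an interface can pass traffic."""
    needed = {"nameif": i["nameif"], "security-level": i["level"],
              "ip address": i["ip"], "no shutdown": i["enabled"] or None}
    return [k for k, v in needed.items() if v is None]

def flow_allowed_by_default(src: dict, dst: dict, same_sec: bool) -> bool:
    """Default without access lists: higher -> lower permitted, lower -> higher
    denied, equal levels only after same-security-traffic permit inter-interface."""
    if missing_basics(src) or missing_basics(dst):
        return False
    if src["level"] == dst["level"]:
        return same_sec
    return src["level"] > dst["level"]
# Constructed sample config (not from the book); Ethernet4 is never enabled.
SAMPLE = "\n".join([
    "hostname(config)# interface Ethernet1", "hostname(config-if)# nameif inside",
    "hostname(config-if)# security-level 100", "hostname(config-if)# no shutdown",
    "hostname(config-if)# ip address 10.1.1.1 255.255.255.0",
    "interface Ethernet2", "nameif outside", "security-level 0",
    "ip address 192.0.2.1 255.255.255.0", "no shutdown",
    "interface Ethernet3", "nameif dmz", "security-level 50",
    "ip address 172.16.1.1 255.255.255.0", "no shutdown",
    "interface Ethernet4", "nameif dmz2", "security-level 50",
    "ip address 172.16.2.1 255.255.255.0", "same-security-traffic permit inter-interface"])
IFACES, SAME_SEC = parse_config(SAMPLE)
```

Calling `flow_allowed_by_default(IFACES["inside"], IFACES["outside"], SAME_SEC)` returns True, while the reverse direction returns False; dmz2 fails every check until it receives `no shutdown`.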