Cisco Systems ASA 5540 Network Router User Manual


  Open as PDF
of 2086
 
15-2
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 15 Completing Interface Configuration (TransparentMode, 8.4 and Later)
Information About Completing Interface Configuration in Transparent Mode (8.4 and Later)
Bridge Groups in Transparent Mode
If you do not want the overhead of security contexts, or want to maximize your use of security contexts,
you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for
each network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another
bridge group within the ASA, and traffic must exit the ASA before it is routed by an external router back
to another bridge group in the ASA. Although the bridging functions are separate for each bridge group,
many other functions are shared between all bridge groups. For example, all bridge groups share a syslog
server or AAA server configuration. For complete security policy separation, use security contexts with
one bridge group in each context. At least one bridge group is required per context or in single mode.
Each bridge group requires a management IP address. For another method of management, see the
“Management Interface” section.
Note The ASA does not support traffic on secondary networks; only traffic on the same network as the
management IP address is supported.
Security Levels
Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should
assign your most secure network, such as the inside host network, to level 100. While the outside
network connected to the Internet can be level 0. Other networks, such as DMZs can be in between. You
can assign interfaces to the same security level. See the “Allowing Same Security Level Communication”
section on page 15-21 for more information.
The level controls the following behavior:
Network access—By default, there is an implicit permit from a higher security interface to a lower
security interface (outbound). Hosts on the higher security interface can access any host on a lower
security interface. You can limit access by applying an access list to the interface.
If you enable communication for same security interfaces (see the “Allowing Same Security Level
Communication” section on page 15-21), there is an implicit permit for interfaces to access other
interfaces on the same security level or lower.
Inspection engines—Some application inspection engines are dependent on the security level. For
same security interfaces, inspection engines apply to traffic in either direction.
NetBIOS inspection engine—Applied only for outbound connections.
SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port
exists between a pair of hosts, then only an inbound data connection is permitted through the
ASA.
Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level
to a lower level).
If you enable communication for same security interfaces, you can filter traffic in either direction.
established command—This command allows return connections from a lower security host to a
higher security host if there is already an established connection from the higher level host to the
lower level host.
If you enable communication for same security interfaces, you can configure established commands
for both directions.