acl needed for high security to low security??

Unanswered Question
Jan 16th, 2008

ive experienced this with both asa and pix...does anybody know why acl needed for high security to low security??...even though i have no high security to low security for other connections?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
cisco24x7 Wed, 01/16/2008 - 10:45

you have it backward. By default, hosts behind

high security interface can access hosts behind

low level security interface. You do NOT need

ACL to protect hosts sitting behind high level

security interface from low level security level interface. That is implicitly implied.

You need ACL on the high level security

interface in order to protect/prevent

hosts from getting to hosts on other interfaces. That way, if hosts on the

high level security interface are infected

with viruses, they won't propragate to other

networks on other interfaces.

CCIE Security

szajihsaniatan Wed, 01/16/2008 - 10:49

yeah, i know i dont need a ACL to protect hosts sitting behind high level security interface from low level security level interface....but, in my case, that is not an issue...a higher security lvl was unable to iniate a sqlnet connection to a lower security level with an acl...

Collin Clark Wed, 01/16/2008 - 10:53

Does nothing between the subnets work? Is NAT working or are you routing?

srue Wed, 01/16/2008 - 11:03

do you have inspection turned on for sqlnet?

Actions

This Discussion