Security level on ASA

Answered Question
Jul 27th, 2009

Hi Experts,

If there are multiple sub interfaces and vlans are created with different security levels

Will the traffic flows from high security level interface to low security level interface?.

What is the case if we have the acls in place?

Thanks in advance

Regards,

Madan.

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 7 years 4 months ago

Depends on what you are trying to do with your acl.

There is an implicit deny at the end of an acl so anything not explicitly permitted or denied in your acl will be dropped.

Jon

Correct Answer by John Blakley about 7 years 4 months ago

Madan,

The ASA always allows traffic from higher to lower by default. If you have ACLs in place, then you'll need to allow the traffic through.

For example, if you have an ACL applied to the inside interface and the inside interface has a security level of 100, then that ACL will need to allow what you want out. If you want users to be able to surf the web, but nothing else, your acl will allow port 80 out, but deny everything else.

HTH,

John

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Correct Answer
John Blakley Mon, 07/27/2009 - 08:15

Madan,

The ASA always allows traffic from higher to lower by default. If you have ACLs in place, then you'll need to allow the traffic through.

For example, if you have an ACL applied to the inside interface and the inside interface has a security level of 100, then that ACL will need to allow what you want out. If you want users to be able to surf the web, but nothing else, your acl will allow port 80 out, but deny everything else.

HTH,

John

kr_madan Mon, 07/27/2009 - 09:00

Thanks for your valuable input.

Do we need Explicit deny statement in acl?

Correct Answer
Jon Marshall Mon, 07/27/2009 - 09:06

Depends on what you are trying to do with your acl.

There is an implicit deny at the end of an acl so anything not explicitly permitted or denied in your acl will be dropped.

Jon

John Blakley Mon, 07/27/2009 - 09:11

In addition to what Jon said, if you use a permit any at the end of your acl and want to deny traffic, you'll need a deny line before the permit any.

deny ip 192.168.1.0 255.255.255.0 any eq 80

permit ip any any

This would deny 192.168.1.0 subnet from getting on the web, but it would allow them to go everywhere else like mail, etc. After the "permit ip any any" line is an "invisible" deny ip any any line. You can't see it but it's there. I normally put a deny ip any any at the end so I can see what I'm actually blocking hit-count wise.

John

Actions

This Discussion