03-30-2010 05:28 AM - edited 03-11-2019 10:27 AM
I am having one of those moments where my brain is imploding....
I have an ASA running 8.x.
Inside = 100
DMZ = 30
Outside = 0
Am I correct in saying....
All traffic from a higher security zone to a lower security zone is allowed by default. So traffic from an inside machine to the DMZ or Outside will be forwarded with return traffic allowed back in.
All traffic from the DMZ to the Outside will by default be forwarded, with return traffic allowed back in.
Here is my issue, devices in my DMZ cannot reach the Outside (lower security interface) unless I add an ACE to allow it to any.
Is this because the minute you drop an ACE for a device in the ACL of that interface, it no longer has the 'permit ip any- any less secure' ACE applied?
03-30-2010 05:43 AM
All traffic from a higher security zone to a lower security zone is allowed by default. So traffic from an inside machine to the DMZ or Outside will be forwarded with return traffic allowed back in.
All traffic from the DMZ to the Outside will by default be forwarded, with return traffic allowed back in.
Correct. More specifically it is allowed by default unless you have applied an acl to that interface.
Here is my issue, devices in my DMZ cannot reach the Outside (lower security interface) unless I add an ACE to allow it to any.
Is this because the minute you drop an ACE for a device in the ACL of that interface, it no longer has the 'permit ip any- any less secure' ACE applied?
Exactly. As soon as an acl is applied to an interface then all traffic is checked against that acl regardless of security level.
Jon
Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
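The behaviour Jon describes, shown as an added ASA 8.x configuration example (not from this thread): the first ACL is the one that causes the symptom in the question, the second is the usual DMZ pattern that keeps the "higher to lower" access while still blocking the DMZ from the inside. Interface names, the ACL name and all addresses (RFC 5737 documentation ranges, a 10.0.0.0/8 inside) are assumptions.

```cisco
! Assumed interface/security-level layout from the question
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 nameif dmz
 security-level 30
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
! --- The "broken" version: one ACE applied to the dmz interface.
! As soon as access-group binds an ACL, the implicit permit for
! higher-to-lower traffic no longer applies; every packet entering
! dmz is matched against this list and the implicit deny at its end.
! Result: the mail host can reach TCP/25 anywhere, nothing else from
! the DMZ reaches the outside.
access-list DMZ_IN extended permit tcp host 192.0.2.10 any eq smtp
access-group DMZ_IN in interface dmz
!
! --- The usual DMZ pattern: permit what the DMZ needs, explicitly
! deny the inside (higher security, never allowed implicitly anyway,
! but the deny keeps a later "permit ... any" from opening it), then
! permit the rest of the DMZ subnet to any, which in practice means
! the outside. Order matters: ACEs are evaluated top down, first match.
clear configure access-list DMZ_IN
access-list DMZ_IN extended permit tcp host 192.0.2.10 any eq smtp
access-list DMZ_IN extended permit udp 192.0.2.0 255.255.255.0 host 198.51.100.53 eq domain
access-list DMZ_IN extended deny ip 192.0.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ_IN extended permit ip 192.0.2.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
!
! Checks: hit counts per ACE, and a simulated web request from a
! DMZ host to an outside address, which should report the permit ACE
! (and the same trace towards 10.x should report the deny ACE).
show access-list DMZ_IN
packet-tracer input dmz tcp 192.0.2.20 1025 203.0.113.5 80
packet-tracer input dmz tcp 192.0.2.20 1025 10.1.1.5 80
```

Return traffic for these connections is still handled by the ASA's stateful inspection, so nothing needs to be permitted on the outside interface for the replies.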
03-31-2010 10:40 AM
Thanks Jon. As usual, you are right.