general question in asa access rules

Mar 13th, 2014

Hi,

This is a general question about understanding the ASA rules in the ASA.

Assume I have 3 interfaces, each with its own security level:

security level 100-------eth0-----------ASA----eth1---------------security level 0
                                         |
                                         |
                                        eth2
                                  security level 80

The question is:

What is the hierarchy for the ASA when it works?

As an example:

Assume I have the default ASA rules and I only added:

a rule in the ASA for eth2, which has security level 80, that tells the ASA to allow anything going to the subnets at eth0 and eth1.

What is the hierarchy for the ASA to check?

Will it check the rules that I put in the ASA first, and then check the security levels that the packet has?

"As we know, a lower security level can't talk to a higher security level."

Also, when does it check the global rule in the access rules?

Before or after?

Also, are there implicit rules hidden in the ASA that are not shown to me in the access rules?

Something is not clear to me.

I just need to know the hierarchy for the ASA when it begins to check the packet, and what it starts checking with.

Regards

John Blakley Thu, 03/13/2014 - 10:01

Hi,

It will check the interface and see if there's an ACL. As you said, you cannot pass from a lower to a higher security level without an explicit ACL on the interface, but higher can talk to lower security levels without an ACL applied to the interface. There is an implicit deny at the end of the ACL, meaning that if there's no match on an entry in the ACL, the traffic will be denied.

HTH,

John
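A small Python model of the evaluation order described above (inbound interface ACL first, with an implicit deny at the end of any ACL, and the security-level default only when no ACL is applied), added here as an illustration; it is not code from the thread or from Cisco. It also processes a global ACL after the interface ACL, as the ASA does; the subnet addresses and the choice to let the security-level default apply only when no ACL at all is in the path are assumptions of this model.

```python
import ipaddress

# Constructed topology from the question: three interfaces and their security levels.
LEVELS = {"eth0": 100, "eth1": 0, "eth2": 80}
# Constructed subnets behind each interface (assumed; the question names none).
SUBNETS = {"eth0": "10.0.0.0/24", "eth1": "203.0.113.0/24", "eth2": "172.16.0.0/24"}

def egress_for(dst_ip):
    """Stand-in for the route lookup: the interface whose subnet holds dst_ip."""
    for iface, net in SUBNETS.items():
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(net):
            return iface
    raise ValueError(f"no route to {dst_ip}")

def first_match(entries, src_ip, dst_ip):
    """ACEs are read top-down; the first entry covering src and dst decides."""
    for action, src_net, dst_net in entries:
        if (ipaddress.ip_address(src_ip) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(dst_net)):
            return action
    return None

def evaluate(ingress, src_ip, dst_ip, interface_acls, global_acl=()):
    """Return (action, reason) for a packet arriving inbound on `ingress`."""
    egress = egress_for(dst_ip)
    acl = interface_acls.get(ingress)
    # 1. The inbound interface ACL is consulted first, if one is applied.
    if acl is not None:
        hit = first_match(acl, src_ip, dst_ip)
        if hit:
            return hit, "interface ACL"
    # 2. A global ACL is processed after the interface ACL.
    if global_acl:
        hit = first_match(global_acl, src_ip, dst_ip)
        if hit:
            return hit, "global ACL"
    # 3. Once any ACL applies, an unmatched packet hits the implicit deny.
    if acl is not None or global_acl:
        return "deny", "implicit deny at end of ACL"
    # 4. No ACL at all: the security-level default decides (equal levels, which
    #    need same-security-traffic permit, are not modelled here).
    if LEVELS[ingress] > LEVELS[egress]:
        return "permit", "higher to lower security level"
    return "deny", "lower to higher security level"

# The rule from the question: eth2 (level 80) may reach the eth0 and eth1 subnets.
ACLS = {"eth2": [("permit", "172.16.0.0/24", "10.0.0.0/24"),
                 ("permit", "172.16.0.0/24", "203.0.113.0/24")]}
```

With this rule in place, a host on eth2 reaches eth0 (lower to higher) because the explicit ACL matches first, while a packet from eth1 toward eth0 is still denied by the security-level default because eth1 has no ACL at all.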

Ahmed M Alzaeem Thu, 03/13/2014 - 11:26

Hi John,

Thanks a lot for the reply.

But please excuse me, I will ask again.

Which will be looked at first for inspection?

The level of the interface?

Or the ACL?

Also, I'm asking about the implicit ACL under each interface.

Is it an implicit deny only from a lower to a higher level?

Or is it absolutely an implicit deny for everything?

Again, thanks a lot for the reply, and I hope to get it cleared up.

Regards
