general question in asa access rules

Mar 13th, 2014

hi,

this is a general question in understanding the ASA rules in the ASA

assume I have 3 interfaces, each has its own security level

security level 100-------eth0-----------ASA----eth1---------------security level 0

                                                         security level 80

the question is,

what is the hierarchy for the ASA when it works?

as an example

assume I have the default of the ASA rules and I only added:

 a rule in the ASA for eth2 that has the security level 80 and said to the ASA to allow anything going to the subnets at eth0 and eth1

what is the hierarchy for the ASA to check?

will it check the rules that I put in the ASA first, or check the security levels that the packet has first?

"as we know, a lower security level can't talk to a security level that is higher"

also, when does it check the global rule in the access rules?

before or after?

also, are there implicit rules hidden in the ASA not shown to me in the access rules?

something is not clear to me

I just need to know the hierarchy for the ASA when it begins to check the packet and what it starts to check first.




John Blakley Thu, 03/13/2014 - 10:01


It will check the interface and see if there's an acl. As you said, you cannot pass from lower to higher security level without an explicit acl on the interface, but higher can talk to lower security levels without an acl applied to the interface. There is an implicit deny at the end of the acl meaning that if there's not a match on an entry in the acl, then it will be denied.
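Added example (not from this thread, and not Cisco's own code): a small Python model of the evaluation order John describes, so the two questions can be checked against the poster's own three-interface setup. The ordering of the steps follows the reply above (interface ACL first, implicit deny at its end, security levels only when no ACL is applied); the global-ACL step reflects Cisco's documented ordering of interface access rules before global access rules, which the thread asks about but does not state, so treat it as this example's assumption. The interface names, levels and subnets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AclEntry:
    """One line of an access list: an action plus a destination prefix ("any" matches all)."""
    action: str   # "permit" or "deny"
    dst: str      # e.g. "10.0.0.0/24" or "any"

    def matches(self, dst_ip: str) -> bool:
        if self.dst == "any":
            return True
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst, strict=False)


@dataclass
class Interface:
    name: str
    security_level: int
    acl: Optional[List[AclEntry]] = None   # None = no access list applied inbound on this interface


def first_match(acl: List[AclEntry], dst_ip: str):
    """Top-down, first-match lookup; returns (line number, entry) or None."""
    for idx, entry in enumerate(acl, start=1):
        if entry.matches(dst_ip):
            return idx, entry
    return None


def evaluate(ingress: Interface, egress: Interface, dst_ip: str,
             global_acl: Optional[List[AclEntry]] = None) -> Tuple[bool, str]:
    """Decide whether a packet entering `ingress` and leaving `egress` is forwarded,
    and report which step decided it."""
    # Step 1: the access list applied on the ingress interface, if there is one.
    if ingress.acl is not None:
        hit = first_match(ingress.acl, dst_ip)
        if hit:
            line, entry = hit
            return entry.action == "permit", f"{ingress.name} ACL line {line}: {entry.action} dst {entry.dst}"
    # Step 2: the global access list, consulted only after the interface ACL
    # (assumption: Cisco's documented order; the thread asks about it but does not state it).
    if global_acl is not None:
        hit = first_match(global_acl, dst_ip)
        if hit:
            line, entry = hit
            return entry.action == "permit", f"global ACL line {line}: {entry.action} dst {entry.dst}"
    # Step 3: an access list exists but nothing matched: implicit deny at the end,
    # regardless of the security levels involved.
    if ingress.acl is not None or global_acl is not None:
        return False, "implicit deny at end of access list"
    # Step 4: no access list at all: security levels decide. Higher to lower passes;
    # lower to higher (and, in this model, equal to equal) does not.
    if ingress.security_level > egress.security_level:
        return True, f"no ACL: level {ingress.security_level} -> {egress.security_level} allowed by default"
    return False, f"no ACL: level {ingress.security_level} -> {egress.security_level} denied by default"


def thread_scenario() -> Dict[str, Tuple[bool, str]]:
    """The three-interface setup from the question, with constructed subnets."""
    eth0 = Interface("eth0", 100)                    # inside, subnet 10.0.0.0/24 (constructed)
    eth1 = Interface("eth1", 0)                      # outside, subnet 203.0.113.0/24 (constructed)
    eth2 = Interface("eth2", 80, acl=[               # the single rule the poster added
        AclEntry("permit", "10.0.0.0/24"),
        AclEntry("permit", "203.0.113.0/24"),
    ])
    return {
        "eth2->eth0": evaluate(eth2, eth0, "10.0.0.5"),           # 80 -> 100, explicit permit wins
        "eth2->eth1": evaluate(eth2, eth1, "203.0.113.9"),        # 80 -> 0, explicit permit
        "eth2->elsewhere": evaluate(eth2, eth1, "198.51.100.1"),  # no match: implicit deny, even 80 -> 0
        "eth0->eth1": evaluate(eth0, eth1, "203.0.113.9"),        # 100 -> 0, no ACL, allowed by default
        "eth1->eth0": evaluate(eth1, eth0, "10.0.0.5"),           # 0 -> 100, no ACL, denied by default
    }


if __name__ == "__main__":
    for flow, (allowed, why) in thread_scenario().items():
        print(f"{flow:16} {'PERMIT' if allowed else 'DENY  '}  {why}")
```

Running it shows the two behaviours side by side: once an ACL is applied to eth2, the security level no longer helps it (eth2 to an unlisted destination is dropped by the implicit deny even though 80 is higher than 0), while eth0 and eth1, which have no ACL, are governed purely by their levels.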



Ahmed M Alzaeem Thu, 03/13/2014 - 11:26

hi john,

thanks a lot for the reply

but please excuse me

I will ask again

which will be looked at first for inspection?

the level of the interface?

or the ACL?

also I'm asking about the implicit ACL under each interface

is it an implicit deny only from lower to higher level?

or is it absolutely an implicit deny for everything??

thanks a lot for the reply and I wish to get it cleared



