Cisco Support Community
Community Member

ACLs and Security Levels on ASA running 7.2

Does the implicit deny any at the end of an access list (applied either outbound or inbound) take precedence over the standard behaviour of security levels? i.e. allow higher to lower

Also, how does enabling the same security level option affect this?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ACLs and Security Levels on ASA running 7.2

Hi,

The default behaviour is to allow traffic from higher to lower if no ACL (but having NAT solved). If you add an ACL, the traffic ORIGINATING (entering, but not part of return traffic) on that interface will be handled based on the ACL; the interface security level will not matter anymore.

The return traffic is handled by the ASA engine.

Same security level will allow traffic between interfaces that have the same security level. By default this will not be permitted even with ACLs permitting any any.

It is good business practice not to have multiple interfaces with the same security number. If you have more DMZs, just use successive numbers as security levels: 50, 51, 52. Then create ACLs as required.

Please rate if this helped.

Regards,

Daniel
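As an added illustration (not part of Daniel's reply), the following ASA-style configuration fragment puts the points above side by side: successive DMZ levels, an inbound ACL whose explicit deny replaces the higher-to-lower default, and the same-security command that only matters when two interfaces share a level. Interface names, addresses and the ACL name are assumed for the example.

```cisco
! Distinct security levels per DMZ, as recommended above
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz1
 security-level 50
 ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet0/3
 nameif dmz2
 security-level 51
 ip address 10.3.1.1 255.255.255.0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! With no ACL bound to "inside", anything originating there toward
! dmz1/dmz2/outside is allowed purely because 100 is higher.
! Once INSIDE_IN is bound, only these permits apply; the trailing deny
! (made explicit here so hits are logged) overrides the security level.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit udp 10.1.1.0 255.255.255.0 host 10.2.1.53 eq 53
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Return traffic for the permitted connections is passed by the
! stateful engine; no ACL is needed on dmz1/dmz2/outside for it.
!
! Only relevant if two interfaces were given the same security level;
! without it, such traffic is dropped even with a permit ip any any ACL.
same-security-traffic permit inter-interface
```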

2 REPLIES

Community Member

Re: ACLs and Security Levels on ASA running 7.2

Thanks for the info
