Can someone advise when the Security-Level of an interface is checked during the packet flow? Is this done at the start, e.g. part of step 3 in the link provided?
Taken from the page. I know traffic can't move from a low to high without a specific ACL, but at what point does the ASA check the security level of the incoming interface and destination interface of the packet before deciding if it's allowed or not based on that alone?
Here are the individual steps in detail:
1. Packet is reached at the ingress interface.
2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.
3. Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.
4. If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged.
I can't say for certain, but based on packet tracers I remember, I believe it would be dropped during the ACL check and it would say dropped by "implicit rule". So my guess would be Step 4. If you have access to a test system, I would recommend testing it with a packet tracer; it might shed some light on it for you.
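The following is an added example, not part of the original thread and not Cisco code: a small Python model of steps 3 and 4 as quoted above, showing why return traffic from a low to a high security level is forwarded while a new low-to-high connection is dropped. It assumes, as the reply above guesses, that the security-level "implicit rule" is evaluated inside the ACL check when no ACL is applied to the ingress interface; the `Packet` and `Firewall` classes, the interface names and the addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    in_if: str = "outside"
    out_if: str = "inside"

@dataclass
class Firewall:
    levels: dict                                 # interface -> security level
    acl_in: dict = field(default_factory=dict)   # interface -> {(proto, dport)} permits
    conns: set = field(default_factory=set)      # hypothetical connection table

    def process(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport, p.proto)
        # Step 3: a packet matching an existing connection bypasses the ACL check.
        if flow in self.conns:
            return "forward: existing connection, ACL bypassed"
        # Step 4: a new flow must start with a TCP SYN or be UDP.
        if p.proto == "tcp" and not p.syn:
            return "drop: not a SYN and no existing connection"
        # ACL check. Assumption: with no ACL on the ingress interface, the
        # security levels decide (higher -> lower permitted, otherwise denied).
        if p.in_if in self.acl_in:
            allowed = (p.proto, p.dport) in self.acl_in[p.in_if]
            reason = "acl permit" if allowed else "acl implicit deny"
        else:
            allowed = self.levels[p.in_if] > self.levels[p.out_if]
            reason = "implicit rule"
        if not allowed:
            return f"drop: {reason}"
        # Record both directions so replies match the table in step 3.
        self.conns.add(flow)
        self.conns.add((p.dst, p.dport, p.src, p.sport, p.proto))
        return f"forward: new connection ({reason})"

if __name__ == "__main__":
    fw = Firewall(levels={"inside": 100, "outside": 0})
    # Constructed sample packets (documentation and private addresses).
    new_in = Packet("192.0.2.10", "10.1.1.10", "tcp", 40000, 443, syn=True)
    new_out = Packet("10.1.1.10", "192.0.2.10", "tcp", 50000, 443, syn=True,
                     in_if="inside", out_if="outside")
    reply = Packet("192.0.2.10", "10.1.1.10", "tcp", 443, 50000)
    for pkt in (new_in, new_out, reply):
        print(pkt.in_if, "->", pkt.out_if, ":", fw.process(pkt))
```

On a real ASA, the packet tracer recommended in the reply is the way to confirm at which phase a given flow is actually dropped.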