05-04-2014 04:05 PM - edited 03-11-2019 09:09 PM
Hi Everyone,
ASA -- By default traffic is allowed from high to low security interface.
From the ASA I am telnetting from the inside interface, which has security level 100, to another interface, sales, which has security level 50.
Deny tcp src inside:10.0.0.2/48646 dst sales:10.12.12.2/23 by access-group "inside_access_in" [0xbe9efe96, 0x0]
This only works if I put in a rule to allow telnet from inside to sales.
Need to know why the traffic does not flow without an ACL even though it is going from a high to a low security level.
Regards
Mahesh
05-04-2014 04:34 PM
Mahesh,
You are correct about the default behavior. BUT there is one very important thing to remember. As soon as you have any access list applied to the high security interface the default behavior is no longer in effect. Instead you will permit only the traffic that is explicitly defined in the access list.
All access lists have an implicit "deny any any" at the end. That's what is blocking your traffic as shown in your log message.
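As an added illustration of the behaviour Marvin describes (my own model, not Cisco code and not the ASA's actual implementation), the following Python walks the flow from the log message through the three states: no ACL on inside, an ACL applied that does not match telnet, and the explicit permit added. The interface names, addresses and ports are taken from the thread; the unrelated port-80 rule is a constructed placeholder.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str               # source prefix in CIDR notation
    dst: str               # destination prefix in CIDR notation
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, proto, src, dst, dport):
        if self.proto not in ("ip", proto):
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport

@dataclass
class Interface:
    name: str
    security_level: int
    acl_name: Optional[str] = None     # access-group applied inbound, if any
    rules: list = field(default_factory=list)

def decide(ingress, egress, proto, src, sport, dst, dport):
    """Return (verdict, reason) for a new flow entering `ingress` bound for `egress`."""
    if ingress.acl_name is None:
        # No ACL on the ingress interface: the security-level default applies.
        if ingress.security_level > egress.security_level:
            return "permit", "default: higher to lower security level"
        return "deny", "default: lower to higher security level"
    # An ACL is applied: the default is gone, only explicit permits pass,
    # and the implicit deny at the end catches everything else.
    for rule in ingress.rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, f"matched {rule.action} in {ingress.acl_name}"
    return "deny", (f'Deny {proto} src {ingress.name}:{src}/{sport} '
                    f'dst {egress.name}:{dst}/{dport} by access-group "{ingress.acl_name}"')

def walk_through():
    inside, sales = Interface("inside", 100), Interface("sales", 50)
    flow = ("tcp", "10.0.0.2", 48646, "10.12.12.2", 23)
    before = decide(inside, sales, *flow)                 # no ACL: permitted by level
    inside.acl_name = "inside_access_in"                  # apply an ACL that ignores telnet
    inside.rules = [Rule("permit", "tcp", "10.0.0.0/24", "0.0.0.0/0", 80)]  # constructed
    blocked = decide(inside, sales, *flow)                # implicit deny, as in the log
    inside.rules.insert(0, Rule("permit", "tcp", "10.0.0.2/32", "10.12.12.2/32", 23))
    fixed = decide(inside, sales, *flow)                  # explicit permit restores it
    return before, blocked, fixed
```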
05-04-2014 04:47 PM
Hi Marvin,
I was trying to find the answer for this and it was puzzling me, and you replied back. Learned something very important from you today.
Best regards
Mahesh