ASA traffic flow from high security to low security interface

mahesh18
Level 6

 

Hi Everyone,

 

ASA --  By default traffic is allowed from high to low security interface.

From the ASA I am telnetting from the inside interface, which has security level 100, to the other interface, sales, which has security level 50.

Deny tcp src inside:10.0.0.2/48646 dst sales:10.12.12.2/23 by access-group "inside_access_in" [0xbe9efe96, 0x0]

This only works if I put in a rule to allow telnet from inside to sales.

 

I need to know why the traffic flow does not work without an ACL even though it is flowing from high to low security level.

Regards

Mahesh

 

 

Accepted Solution

Marvin Rhoads
Hall of Fame

Mahesh,

You are correct about the default behavior. BUT there is one very important thing to remember. As soon as you have any access list applied to the high security interface the default behavior is no longer in effect. Instead you will permit only the traffic that is explicitly defined in the access list.

All access lists have an implicit "deny any any" at the end. That's what is blocking your traffic as shown in your log message.
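The two rules in Marvin's answer, modelled as an added Python example (not code from the thread or from Cisco): with no ACL on the ingress interface the security-level comparison decides, and once an access-group is bound only an explicit permit passes, everything else hitting the implicit deny. The addresses, ports and ACL name are the ones from Mahesh's log line.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                     # host address or "any"
    dst: str                     # host address or "any"
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto) and self.src in ("any", src)
                and self.dst in ("any", dst) and self.dport in (None, dport))

@dataclass
class Interface:
    security_level: int
    access_group: Optional[str] = None  # ACL bound with "access-group <name> in interface ..."

@dataclass
class Asa:
    interfaces: dict
    acls: dict = field(default_factory=dict)

    def decide(self, in_if, out_if, proto, src, dst, dport):
        ingress, egress = self.interfaces[in_if], self.interfaces[out_if]
        if ingress.access_group is None:
            # No ACL on the ingress interface: the security-level default decides.
            if ingress.security_level > egress.security_level:
                return "permit", "security level %d > %d" % (ingress.security_level, egress.security_level)
            return "deny", "lower to higher security level with no ACL"
        # An ACL is bound: the default is gone, first match wins, and anything
        # unmatched hits the implicit deny at the end of the list.
        for ace in self.acls.get(ingress.access_group, []):
            if ace.matches(proto, src, dst, dport):
                return ace.action, "matched %s ace" % ace.action
        return "deny", 'implicit deny at end of access-group "%s"' % ingress.access_group

def scenarios():
    # The thread's flow, with the addresses from the log line: inside (100) -> sales (50), telnet.
    flow = ("inside", "sales", "tcp", "10.0.0.2", "10.12.12.2", 23)
    plain = {"inside": Interface(100), "sales": Interface(50)}
    bound = {"inside": Interface(100, "inside_access_in"), "sales": Interface(50)}
    http = Ace("permit", "tcp", "any", "any", 80)
    telnet = Ace("permit", "tcp", "10.0.0.2", "10.12.12.2", 23)
    return {"no_acl": Asa(plain).decide(*flow),
            "acl_without_telnet": Asa(bound, {"inside_access_in": [http]}).decide(*flow),
            "acl_with_telnet": Asa(bound, {"inside_access_in": [http, telnet]}).decide(*flow)}
```

The middle scenario is Mahesh's situation: an ACL that permits something else is bound to inside, so the telnet session falls through to the implicit deny and produces the logged message.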



 

Hi Marvin,

I was trying to find the answer for this and it was puzzling me, and you replied back. I learned something very important from you today.

 

Best regards

Mahesh
