11-14-2013 01:35 AM - edited 03-11-2019 08:04 PM
Dear All,
I would like to know regarding the firewall rules on ASA 5500 v 8.6: if NAT is not configured (not required) and the firewall is routing the traffic among different interfaces without doing NAT, would firewall rules permitting traffic from a higher security level to a lower security level be required as well?
Thanks
11-14-2013 01:40 AM
Hi,
If you don't have any interface ACLs configured with the "access-list" and "access-group" commands, then traffic should by default go through from the higher "security-level" interface to the one with the lower "security-level".
Generally it's a good idea to configure an interface ACL from the start, since using "security-level" values only doesn't really give you much flexibility in the long run.
- Jouni
11-14-2013 01:57 AM
Hi Jouni,
Thanks for your response. So it doesn't matter if NAT is configured or not on the ASA (v 8.6), right? The implicit permit rule will be applicable for traffic flow from a high security level to a low security level, without any dependency on the NAT configuration?
Regards,
11-14-2013 02:09 AM
Hi,
If you have not configured any interface ACLs with the "access-group" command on the interfaces, then the "security-level" value is the only deciding factor in whether traffic is allowed or not.
Naturally, if you configure NAT wrong, then the traffic might drop because of the improper NAT configuration, but it has nothing to do with the access rules.
- Jouni
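Jouni's answer in configuration form, as an added example that is not from the thread: a constructed ASA 8.x configuration (interface names and the 10.0.0.0/24 and 203.0.113.0/24 addresses are assumed) with no NAT at all, first relying on security levels alone and then with an explicit interface ACL bound by access-group, using packet-tracer as the check in both states.

```text
! Constructed example. Two interfaces, no "nat" statements anywhere.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! State 1: no "access-group" bound. inside (100) -> outside (0) is allowed
! purely by the implicit higher-to-lower rule; return traffic rides the
! stateful connection entry. NAT is simply not in the decision.
! Check it before trusting it (each phase prints Allow/Drop):
packet-tracer input inside tcp 10.0.0.10 40000 203.0.113.50 443
!
! State 2: bind an explicit ACL so the outbound policy is written down,
! narrowed, and logged. Once an ACL is bound to the interface it replaces
! the implicit permit, so anything not listed hits the final deny.
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit udp 10.0.0.0 255.255.255.0 host 203.0.113.53 eq 53
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Re-run the same trace: the ACCESS-LIST phase now references INSIDE_IN.
! Then confirm with hit counters which line actually matched.
packet-tracer input inside tcp 10.0.0.10 40000 203.0.113.50 443
show access-list INSIDE_IN
```

The second packet-tracer run, with a destination port that is not 443 or 53, is the quick way to prove the logged deny is doing its job.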