01-04-2018 07:41 AM - edited 02-21-2020 07:04 AM
On ASA 5545-X I have two DMZ interfaces, one with a security level of 50 and the other 75. I am able to ping from the lower level to the higher level; by default it should be denied if I am not wrong??
Please advise
Regards, MM
01-04-2018 08:38 AM
Hi Mohammed,
You are correct; by default it shall be denied.
Please check whether ICMP is permitted on the interface with the lower security level. (I am quite sure you must have already checked, but please recheck.)
You might also have allowed IP traffic from the lower security level to the higher one; for that reason as well, ICMP might be allowed.
Please also check whether there is a global ACL configured, rather than an interface-based ACL.
Please mark the answer helpful if it resolves your concern.
Br
Shivam
01-04-2018 11:49 AM
Yeah, packet-tracer will reveal the truth about which rule is allowing the traffic. Most likely it would be one of the reasons I listed above.
shivam
01-04-2018 10:09 AM
You can check which rule allows it with the packet-tracer:
packet-tracer input LOWER-SEC-INT icmp IP-ON-LOWER-INT 8 0 IP-ON-HIGHER-INT
01-04-2018 11:48 PM
Hi,
The ASA will use the interface security levels by default if there is no ACL applied.
Check the ACL rules and use the packet-tracer command to verify which rule allows ping between the said security levels.
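The replies above boil down to one lookup order: an inbound ACL on the lower-security interface is checked first, then the global ACL, and only if neither matches do the default security-level rules (lower to higher denied) apply. The script below is an added example, not Cisco code and not a substitute for packet-tracer: it parses a constructed ASA config snippet (interface names dmz50/dmz75, ACL names DMZ50_IN/GLOBAL_ACL and all addresses are made up) and reports which rule lets ICMP cross from a lower-security interface to a higher one, covering both the interface-ACL and global-ACL cases from Shivam's checklist. It then shows the same config with the over-broad permit narrowed and the global ICMP permit removed, at which point the implicit deny is back in force. ICMP type and TCP/UDP port qualifiers are deliberately ignored, so it is a coarse audit, not a packet simulator.

```python
"""Audit an ASA config for ACL rules that permit lower-to-higher security traffic.
Added example; models only interface-ACL -> global-ACL -> implicit deny order."""
import ipaddress

# Constructed sample: the lower-security DMZ has a "permit ip any any" inbound
# ACL and a global ACL also permits ICMP echo, so pings reach dmz75.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 nameif dmz50
 security-level 50
 ip address 10.50.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz75
 security-level 75
 ip address 10.75.0.1 255.255.255.0
!
access-list DMZ50_IN extended deny tcp any host 10.75.0.10 eq 22
access-list DMZ50_IN extended permit ip any any
access-list GLOBAL_ACL extended permit icmp any any echo
access-group DMZ50_IN in interface dmz50
access-group GLOBAL_ACL global
"""

# Same config with the broad permit narrowed and the global ICMP permit dropped.
HARDENED_CONFIG = (SAMPLE_CONFIG
    .replace("access-list DMZ50_IN extended permit ip any any",
             "access-list DMZ50_IN extended permit tcp any host 10.75.0.20 eq 443")
    .replace("access-list GLOBAL_ACL extended permit icmp any any echo\n", "")
    .replace("access-group GLOBAL_ACL global\n", ""))


def parse_interfaces(cfg):
    """Return {nameif: {"name", "level", "net"}} from the interface blocks."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = {}
        elif cur is not None and line.startswith(" "):
            tok = line.split()
            if tok[0] == "nameif":
                cur["name"] = tok[1]
            elif tok[0] == "security-level":
                cur["level"] = int(tok[1])
            elif tok[:2] == ["ip", "address"]:
                cur["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif cur is not None and "name" in cur:   # block ended ("!" or next command)
            ifaces[cur["name"]] = cur
            cur = None
    return ifaces


def parse_address(tok, i):
    """Parse an ACL address spec at tok[i] (any / host X / net mask) -> (network, next i)."""
    if tok[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acls(cfg):
    """Return {acl_name: [entries in config order]}; first match wins on the ASA."""
    acls = {}
    for line in cfg.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        src, i = parse_address(tok, 5)
        dst, _ = parse_address(tok, i)        # trailing "eq 22" / "echo" ignored
        acls.setdefault(tok[1], []).append(
            {"action": tok[3], "proto": tok[4], "src": src, "dst": dst, "line": line.strip()})
    return acls


def parse_bindings(cfg):
    """Return ({iface: inbound acl_name}, global acl_name or None) from access-group lines."""
    per_if, glob = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:1] != ["access-group"]:
            continue
        if tok[2:3] == ["global"]:
            glob = tok[1]
        elif tok[2:4] == ["in", "interface"]:
            per_if[tok[4]] = tok[1]
    return per_if, glob


def find_rule(cfg, src_if, dst_if, proto="icmp"):
    """(verdict, rule) for a packet entering src_if bound for dst_if's subnet:
    interface ACL first, then global ACL, then implicit deny for lower-to-higher."""
    ifaces, acls = parse_interfaces(cfg), parse_acls(cfg)
    per_if, glob = parse_bindings(cfg)
    src_ip, dst_ip = ifaces[src_if]["net"][10], ifaces[dst_if]["net"][10]  # constructed hosts
    for acl in (per_if.get(src_if), glob):
        for e in acls.get(acl, []):
            if e["proto"] in ("ip", proto) and src_ip in e["src"] and dst_ip in e["dst"]:
                return e["action"], e["line"]
    return "deny", "implicit deny (no ACL permits lower-to-higher traffic)"


def audit_lower_to_higher(cfg, proto="icmp"):
    """Every (src_if, dst_if, rule) where a lower-security interface reaches a higher one."""
    ifaces = parse_interfaces(cfg)
    return [(s["name"], d["name"], find_rule(cfg, s["name"], d["name"], proto)[1])
            for s in ifaces.values() for d in ifaces.values()
            if s["level"] < d["level"]
            and find_rule(cfg, s["name"], d["name"], proto)[0] == "permit"]


if __name__ == "__main__":
    for src, dst, rule in audit_lower_to_higher(SAMPLE_CONFIG):
        print(f"{src} -> {dst} permitted by: {rule}")
    print("hardened config findings:", audit_lower_to_higher(HARDENED_CONFIG))
```

Removing only the `access-group DMZ50_IN in interface dmz50` line from the sample makes the global `permit icmp any any echo` the matching rule instead, which is exactly the case the "check for a global ACL" advice is about; on the real box, `show access-list` hit counts and `packet-tracer` confirm which line fires.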