On ASA 5545x, ping from lower security level to higher

M Mohammed
Level 1

On ASA 5545x I have two DMZ interfaces, one with a security level of 50 and the other 75. I am able to ping from the lower level to the higher level; by default it should be denied, if I am not wrong??

Please advise

Regards, MM

4 Replies

Hi Mohammed,

You are correct, by default it shall be denied.

Please check whether ICMP is permitted on the interface with the lower security level (I am quite sure you must have already checked, but please recheck).

Probably you might have allowed IP traffic from lower security to higher security, so for this reason as well, ICMP might be allowed.

Please do check if there is any global ACL configured, instead of an interface-based ACL.

Please mark the answer helpful if it resolves your concern.

Br

Shivam

Yeah, packet-tracer will reveal the truth about which rule is allowing the traffic. Most likely it would be one of the ones I listed above.

shivam

You can check which rule allows it with packet-tracer:

packet-tracer input LOWER-SEC-INT icmp IP-ON-LOWER-INT 8 0 IP-ON-HIGHER-INT

johnlloyd_13
Level 9

Hi,

The ASA will use the interface security level by default if there's no ACL being applied.

Check the ACL rules and use the packet-tracer command to verify the rule that allows ping between the said security levels.
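To show why the replies above point at a "permit ip" rule on the lower-security interface or a global ACL rather than the security levels themselves, here is an added example that is not from this thread or from Cisco: a small Python model of the lookup packet-tracer performs, evaluating the ingress interface ACL, then the global ACL, then the implicit security-level rule. The config, the interface names (dmz50, dmz75), the ACL names and the addresses are all constructed, and the order in which the implicit rule applies is a simplifying assumption stated in the code.

```python
import ipaddress
# Constructed ASA config (not from the thread): two DMZs at levels 50 and 75,
# an inbound ACL on dmz50 that permits all IP, plus a global ACL.
CONFIG = """
interface GigabitEthernet0/1
 nameif dmz50
 security-level 50
interface GigabitEthernet0/2
 nameif dmz75
 security-level 75
access-list DMZ50_IN extended permit ip any any
access-list GLOBAL_IN extended deny icmp any any
access-group DMZ50_IN in interface dmz50
access-group GLOBAL_IN global
"""

def parse(config):
    # levels: nameif -> level; acls: name -> ACEs; bound: nameif or "global" -> ACL name
    levels, acls, bound, name = {}, {}, {}, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "nameif":
            name = t[1]
        elif t[0] == "security-level":
            levels[name] = int(t[1])
        elif t[0] == "access-list" and t[2] == "extended":
            acls.setdefault(t[1], []).append(t[3:])   # [action, proto, src..., dst...]
        elif t[0] == "access-group":                  # "NAME in interface IF" | "NAME global"
            bound["global" if t[2] == "global" else t[4]] = t[1]
    return levels, acls, bound

def operand(tok, i):
    # Consume one address operand: any | host A.B.C.D | A.B.C.D MASK
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    net = tok[i + 1] if tok[i] == "host" else f"{tok[i]}/{tok[i + 1]}"
    return ipaddress.ip_network(net), i + 2

def trace(config, ingress, egress, proto, src, dst):
    # Order: ingress interface ACL, global ACL, then implicit level rule (assumed: only if no ACL bound)
    levels, acls, bound = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl in (bound.get(ingress), bound.get("global")):
        for ace in acls.get(acl, []):
            s, i = operand(ace, 2)
            d, _ = operand(ace, i)
            if ace[1] in ("ip", proto) and src in s and dst in d:
                return ace[0], f"{acl}: {' '.join(ace)}"
    if not bound and levels[ingress] > levels[egress]:
        return "permit", "implicit: higher to lower security level"
    return "deny", "implicit deny"
```

With the constructed config, an ICMP echo from dmz50 to dmz75 is reported as permitted by `DMZ50_IN: permit ip any any`; remove that access-group line and the global ACL's `deny icmp` is what matches instead.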
