Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

general question in asa access rules

hi ,

this is a general question in understanding rhe asa rules in the asa

 

assume  i have 3 interfaces each has its own security level

security level 100-------eth0-----------ASA----eth1---------------security level 0

                                                                 |

                                                                 |

                                                               eth2

                                                         security level 80

 

 

the  question is ,

what is the hiearchery for the asa when it work !

as an exmaple

 

assume i ahve the default of the asa rules and i only added :

 

 a rule in the asa for eth2 that has the security level 80 and said to asa to allow any thinging going to the subnets at eth0 and eth1

 

wt is the hieracrhy for the asa to check ?

will it check the rules that i put in the asa then check the security levels that the packet have 1st ?

"as we know the security level is lower cant talk to security level that is higer "

 

also , when it check the globl rule in the acces rule ?

before or after  ?

 

also , is there implicit rules hidden in the asa not shown to me at the access rules ?

something is not clear to me

 

i just need to know thehiearchy  for the asa when it begin to check the packet and with it it start to check and start.

 

 

regards

2 REPLIES

Hi,It will check the

Hi,

It will check the interface and see if there's an acl. As you said, you cannot pass from lower to higher security level without an explicit acl on the interface, but higher can talk to lower security levels without an acl applied to the interface. There is an implicit deny at the end of the acl meaning that if there's not a match on an entry in the acl, then it will be denied.

HTH,

John

HTH, John *** Please rate all useful posts ***
Community Member

hi john ,thanks alot for

hi john ,

thanks alot for reply

 

but plz execuse me

i will ask agian

 

which will  be lookkd at  first for inspection?

the level of interface ?

or the acl ?

 

also im asking about the implicit acl under each interface

 

is it implicit deny only from lower to higer level ?

 

or it absolutlelty implicit deny for evry thing ??

 

 

agian

 

thanska lot for replty and i wish to got it cleared

 

regards

64
Views
0
Helpful
2
Replies
CreatePlease to create content