Cisco Support Community
Community Member

general question in asa access rules

hi ,

This is a general question about understanding the rules in the ASA.

Assume I have 3 interfaces, each with its own security level:

security level 100-------eth0-----------ASA----eth1---------------security level 0
                                         |
                                        eth2
                                         |
                                security level 80



The question is: what is the hierarchy for the ASA when it works?

As an example, assume I have the default ASA rules and I only added:

a rule in the ASA for eth2 (which has security level 80) that tells the ASA to allow anything going to the subnets at eth0 and eth1.


What is the hierarchy for the ASA to check?

Will it check the rules that I put in the ASA first, and then check the security levels that the packet has?

"As we know, a lower security level can't talk to a higher security level."


Also, when does it check the global rule in the access rules? Before or after?


Also, are there implicit rules hidden in the ASA that are not shown to me in the access rules?

Something is not clear to me.

I just need to know the hierarchy for the ASA when it begins to check the packet, and what it starts checking with.





Hi,

It will check the interface and see if there's an ACL. As you said, you cannot pass from a lower to a higher security level without an explicit ACL on the interface, but higher can talk to lower security levels without an ACL applied to the interface. There is an implicit deny at the end of the ACL, meaning that if there's no match on an entry in the ACL, then it will be denied.



HTH, John *** Please rate all useful posts ***
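An added illustration (not from the thread or from Cisco): a small Python model of the evaluation order John describes, applied to the three-interface topology in the question. The subnets and packet addresses are constructed sample values, and the model only encodes the behaviour stated in the answer (ingress ACL first with an implicit deny at its end; otherwise the security-level comparison).

```python
# Added example: a model of the described ASA access-rule evaluation order.
# This is an illustration, not ASA code; subnets below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Interface:
    name: str
    security_level: int
    subnet: str
    acl: Optional[list] = None  # ordered (action, src_net, dst_net) entries; None = no ACL applied

# Topology from the question (security levels as given; subnets constructed)
IFACES = {
    "eth0": Interface("eth0", 100, "10.0.0.0/24"),
    "eth1": Interface("eth1", 0, "203.0.113.0/24"),
    "eth2": Interface("eth2", 80, "192.168.0.0/24"),
}

# The one rule the poster added: eth2 may reach the eth0 and eth1 subnets.
IFACES["eth2"].acl = [
    ("permit", "192.168.0.0/24", "10.0.0.0/24"),
    ("permit", "192.168.0.0/24", "203.0.113.0/24"),
]

def egress_for(dst_ip: str) -> Optional[Interface]:
    """Pick the interface whose subnet contains the destination (the routing step)."""
    for iface in IFACES.values():
        if ip_address(dst_ip) in ip_network(iface.subnet):
            return iface
    return None

def evaluate(ingress: str, src_ip: str, dst_ip: str) -> tuple:
    """Return (verdict, reason) for a packet arriving on `ingress`."""
    ing, egr = IFACES[ingress], egress_for(dst_ip)
    if egr is None:
        return ("deny", "no egress interface for destination")
    # Step 1: an ACL applied to the ingress interface is consulted first, top-down.
    if ing.acl is not None:
        for line_no, (action, src_net, dst_net) in enumerate(ing.acl, 1):
            if ip_address(src_ip) in ip_network(src_net) and ip_address(dst_ip) in ip_network(dst_net):
                return (action, f"acl line {line_no}")
        return ("deny", "implicit deny at end of acl")  # nothing matched
    # Step 2: no ACL on the interface, so the security levels decide.
    if ing.security_level > egr.security_level:
        return ("permit", "higher to lower, no acl needed")
    return ("deny", "lower to higher requires an explicit acl")
```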
Community Member

hi john,

thanks a lot for the reply

but please excuse me, I will ask again


Which will be looked at first for inspection? The level of the interface, or the ACL?


Also, I'm asking about the implicit ACL under each interface:

is it an implicit deny only from a lower to a higher level?

or is it absolutely an implicit deny for everything??





thanks a lot for the reply, and I wish to get it cleared up


