cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12698
Views
3
Helpful
1
Replies

ACL and security levels on ASA

Kashish_Patel
Level 2
Level 2

Hi,

I am trying to understand how ACLs and security-levels work together on ASA. Here are my Qs:

If no ACL is applied, then by default, traffic from higher security level is allowed to go to lower security level. Then based on the stateful inspection capability of the ASA, return traffic from lower to higher security level is also allowed...Is this correct?

In absence of any ACL, a host sitting behind the lower security level cannot initiate connection to any host behind higher security levels

Suppose an ACL is applied to inside interface (security 100). Now only that traffic will be allowed which matches the permit statements and everything else will be denied because of implicit deny in the ACL. Now if we don't have any ACL on the outside interface (security 0), then the return traffic (for the connections initiated from inside) will be permitted, right? If now we apply ACL to outside interface as well, then is the return traffic allowed based on stateful nature of firewall or the return traffic needs to match outside ACL permit rule for it to come back to the host on the inside? I also want to know when do we need to add established ACE in the ACL?

Thanks,

Kashish

1 Reply 1

Tagir Temirgaliyev
Spotlight
Spotlight

Hi

1. If no ACL is applied, then by default, traffic from higher security level is allowed to go to lower security level. Then based on the stateful inspection capability of the ASA, return traffic from lower to higher security level is also allowed...Is this correct?

yes, if there is nat, static or dynamic

2. Suppose an ACL is applied to inside interface (security 100). Now only that traffic will be allowed which matches the permit statements and everything else will be denied because of implicit deny in the ACL. Now if we don't have any ACL on the outside interface (security 0), then the return traffic (for the connections initiated from inside) will be permitted, right?

yes. first paket only is checked to acl. all other transmitted if xlate exist. return traffic (for the connections initiated from inside) will be permitted.

3.  If now we apply ACL to outside interface as well, then is the return traffic allowed based on stateful nature of firewall or the return traffic needs to match outside ACL permit rule for it to come back to the host on the inside?

------then the return traffic allowed based on stateful nature ( transmitted if xlate exist )

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: