topic can you do packet-tracer from in Network Security

Problem with Rules Order ACL

r.vanschendel — Tue, 12 Mar 2019 08:40:46 GMT

I have a ASA 5545 with version 9.4(2)11 in routed mode

And I have problems with the Global ACL.

I started with ACL's on the interfaces and that works fine. I put an ACL's on the interfaces with the lowest security and I use the ASA default that traffic is possible from a higher security interface to a lower security interface.

But I have now build also Global ACL's and the problem is that the traffic from the higher security interface to the lower security interface is not working anymore.

It works only when I create in the Global ACL the rule permit any any , just before the deny any any rule.

When I read the documentation I think the order of rules is

1e Traffic from an higher security interface to lower security interface.

2e Interface ACL

3e Global ACL

What could be the problem ?

The moment there is an ACL in

Karsten Iwen — Mon, 19 Dec 2016 19:00:14 GMT

The moment there is an ACL in place in a particular direction, the default behavior is not used any more. And if you have configured a rule in the global ACL, then traffic entering the ASA on any interface is subject to the ACLs and defaults are ignored.

can you do packet-tracer from

MANI .P — Tue, 20 Dec 2016 10:30:20 GMT

can you do packet-tracer from outside low to high interface host ?

share configuration as well .

Thanks ,

Mani