topic Hi Marvin,i was trying to in Network Security

ASA traffic flow from high security to low security interface

mahesh18 — Tue, 12 Mar 2019 04:09:26 GMT

Hi Everyone,

ASA -- By default traffic is allowed from high to low security interface.

From ASA i am telneting from inside interface which has security level 100 to other interface sales which has security level 50.

Deny tcp src inside:10.0.0.2/48646 dst sales:10.12.12.2/23 by access-group "inside_access_in" [0xbe9efe96, 0x0]

This only works if i put rule to allow telnet from inside to sales.

Need to know why traffic flow does not work without ACL even this is flowing from high to low security level.

Regards

MAhesh

Mahesh,You are correct about

Marvin Rhoads — Sun, 04 May 2014 23:34:31 GMT

Mahesh,

You are correct about the default behavior. BUT there is one very important thing to remember. As soon as you have any access list applied to the high security interface the default behavior is no longer in effect. Instead you will permit only the traffic that is explicitly defined in the access list.

All access lists have an implicit "deny any any" at the end. That's what is blocking your traffic as shown in your log message.

Hi Marvin,i was trying to

mahesh18 — Sun, 04 May 2014 23:47:44 GMT

Hi Marvin,

i was trying to find answer for this and it was puzzling me and you replied back.Learn something very important from you today.

Best regards

MAhesh