https://community.cisco.com/t5/network-security/asa-security-level-0-question/m-p/3927677#M31065 I had interface that was security level 0, BUT had an explicit "permit icmp any any" ruleset.<BR /><BR /><BR /><BR />The PINGs were denied, until I changed the security level to 100, then they worked.<BR /><BR /><BR /><BR />Why doesn't the explicit ruleset take priority?<BR /><BR /><BR /><BR />Thanks<BR /><BR /><BR /> Fri, 20 Sep 2019 15:27:53 GMT jimmycher 2019-09-20T15:27:53Z https://community.cisco.com/t5/network-security/asa-security-level-0-question/m-p/3927638#M31063 <P>I get that Level 100 is fully trusted, level 0 is fully untrusted, and how you can go from security zone 100 to zone 0, but not the reverse.&nbsp;&nbsp;</P><P>&nbsp;</P><P>However, my old understanding was that once you manually assigned FW rules, the zones became irrelevant.&nbsp; That is, the security zone was superseded by the rule set.&nbsp; I know that was true 5 years ago.</P><P>&nbsp;</P><P>Now, I found out that even if I specifically allow traffic on a rule-set, it won't send/receive if the security zone is 0.</P><P>&nbsp;</P><P>Can someone give me a brain dump (without quoting the obvious stuff from the text book).</P><P>Thanks.</P><P>jc</P> Fri, 20 Sep 2019 14:39:00 GMT https://community.cisco.com/t5/network-security/asa-security-level-0-question/m-p/3927638#M31063 jimmycher 2019-09-20T14:39:00Z https://community.cisco.com/t5/network-security/asa-security-level-0-question/m-p/3927667#M31064 <P>Not sure if i understand your question correctly.</P> <P>&nbsp;</P> <P>By Defaut Lower level security to Higher level Security not allowed.</P> <P>&nbsp;</P> <P>but you can make a ACL to allow them what you required, if this not working. send us more information, what device / version of ASA /and your ACL ?</P> Fri, 20 Sep 2019 15:19:49 GMT https://community.cisco.com/t5/network-security/asa-security-level-0-question/m-p/3927667#M31064 balaji.bandi 2019-09-20T15:19:49Z https://community.cisco.com/t5/network-security/asa-security-level-0-question/m-p/3927677#M31065 I had interface that was security level 0, BUT had an explicit "permit icmp any any" ruleset.<BR /><BR /><BR /><BR />The PINGs were denied, until I changed the security level to 100, then they worked.<BR /><BR /><BR /><BR />Why doesn't the explicit ruleset take priority?<BR /><BR /><BR /><BR />Thanks<BR /><BR /><BR /> Fri, 20 Sep 2019 15:27:53 GMT https://community.cisco.com/t5/network-security/asa-security-level-0-question/m-p/3927677#M31065 jimmycher 2019-09-20T15:27:53Z https://community.cisco.com/t5/network-security/asa-security-level-0-question/m-p/3927697#M31067 <P>i would prefer to have look your config and some logs to understand (i can not visualise your issue)</P> <P>&nbsp;</P> <P>obviously once you change to same security it works, but that is not meant to be as FW.</P> Fri, 20 Sep 2019 15:59:48 GMT https://community.cisco.com/t5/network-security/asa-security-level-0-question/m-p/3927697#M31067 balaji.bandi 2019-09-20T15:59:48Z https://community.cisco.com/t5/network-security/asa-security-level-0-question/m-p/3927698#M31069 I would like to remind you that the ASA does stateful inspection of TCP and UDP by default. If you want icmp to work through firewall, you need to enable icmp inspection. You can do that by Fixup protocol icmp Please provide more details how you test and what is the setup and other details so that we can understand better. HTH Fri, 20 Sep 2019 16:02:32 GMT https://community.cisco.com/t5/network-security/asa-security-level-0-question/m-p/3927698#M31069 bhargavdesai 2019-09-20T16:02:32Z https://community.cisco.com/t5/network-security/asa-security-level-0-question/m-p/3927768#M31071 I did the ICMP inspect. Don't have time to send you config, but the question was not that important.<BR /><BR />Please disregard, thanks.<BR /><BR /><BR /> Fri, 20 Sep 2019 18:11:53 GMT https://community.cisco.com/t5/network-security/asa-security-level-0-question/m-p/3927768#M31071 jimmycher 2019-09-20T18:11:53Z