topic ASA security levels issue in Network Security

ASA security levels issue

Random44F — Tue, 12 Mar 2019 02:03:18 GMT

Hello,

I have 4 vlan interfaces on differnet security levels.

my asa model is 5505. The issue is when data from higher interfaces flows to lower security interface , I think it goes through but can not come back in

This means the generated traffic is not tracked or in anotherword the stateful funtionality is disabled.

If i add permit any any on outside interface it all works but no other way.

When you have interfaces on different levels, do you have to do anything so that traffic from higher security interface is allowed back in ?

Many thanks

Re: ASA security levels issue

Andrew Phirsov — Wed, 26 Jun 2013 12:58:58 GMT

It depends on the protocol, you're trying to pass through. By default ASA does basic/layer 4 inspection for all tcp and udp sessions, plus application inspection (like for FTP) for some of the most used protocols.

If in your test you were talking about the ICMP traffic, then asa doesn't inspect it by default and you should add this for icmp inspection to work:

policy-map global_policy

class inspection_default

inspect icmp

ASA security levels issue

Random44F — Wed, 26 Jun 2013 13:17:53 GMT

thank you !!

how can I see the statefull table or acl created for it ?

also is zonebased firewall a concept for ios and not asa? if so this means the asa does not support context based filtering.

ASA security levels issue

Andrew Phirsov — Wed, 26 Jun 2013 13:32:39 GMT

To list all the current connections in the state table you can use command show conn.

Right, ZBPF (ZFW) is a concept applicable to the IOS routers, not the ASA. For the part, related to the "context based filtering" - i'm not sure that I understand what you're talking about). Most of the statefull/application inspection functionality available for ZBPF is available for the ASA, so there's no much difference between the two. Just some different logic and sysntaxis, not functionality. ASA actually supports what they call "context-aware filtering" (ASA-CX) but i don't thing you meant this.

ASA security levels issue

Random44F — Wed, 26 Jun 2013 13:38:06 GMT

sorry meant to say cbac

many thanks for clarifying

ASA security levels issue

Andrew Phirsov — Wed, 26 Jun 2013 13:58:47 GMT

You're welcome. CBAC is the engine, that ZBPF uses for inspection. ZBPF is just a framework for implementing CBAC. ASA uses MPF for implementing all the inspection features.