https://community.cisco.com/t5/network-security/asa-zones/m-p/2012748#M401052 <HTML><HEAD></HEAD><BODY><P>Thanks Mike, I will try that out . Its a production device so I cant do much of debuggings on that , I do have a planned downtime coming in after a few weeks where I will test this thing </P></BODY></HTML> Fri, 17 Aug 2012 06:10:56 GMT communication.boy 2012-08-17T06:10:56Z https://community.cisco.com/t5/network-security/asa-zones/m-p/2012743#M401044 <P>I just got to work with a ASA in production having 8.x OS and I saw some strange thing . DMZ is assigned 70 security level while outside is 0 , while doing packet-tracer from DMZ to Outside ip it gives me a drop by ACL message ( tcp / icmp ) while it should pass it as the data is from higher security level to lower . Once I configure an ACL it starts working properly although I feel there is no need for ACL . There are also STATIC Identity NAT statements for IP addresses/servers I am willing to communicate .&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Mon, 11 Mar 2019 23:40:05 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/2012743#M401044 communication.boy 2019-03-11T23:40:05Z https://community.cisco.com/t5/network-security/asa-zones/m-p/2012744#M401045 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Would you please paste your packet tracer output, also, which 8.x code? We have 8.0, 8.1,8.2 (and the ones where NAT changes) 8.3 and 8.4. </P><P></P><P></P><P>Mike</P></BODY></HTML> Mon, 13 Aug 2012 02:21:23 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/2012744#M401045 Maykol Rojas 2012-08-13T02:21:23Z https://community.cisco.com/t5/network-security/asa-zones/m-p/2012745#M401046 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply . </P><P>Its 8.2(1)&nbsp; . Same OS running on another firewall and it seems to function fine . </P><P></P><P></P><P>ASA#&nbsp; packet-tracer input DMZ_DB&nbsp; tcp 172.30.17.2 80 172.20.6.1 80</P><P></P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P></P><P>Phase: 2</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 172.20.6.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; Outside</P><P></P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P></P><P></P><P>Result:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>input-interface: DMZ_DB</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: Outside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P></BODY></HTML> Mon, 13 Aug 2012 03:45:45 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/2012745#M401046 communication.boy 2012-08-13T03:45:45Z https://community.cisco.com/t5/network-security/asa-zones/m-p/2012746#M401047 <HTML><HEAD></HEAD><BODY><P>I have just noticed that there is no service-policy global_policy global in the config . There is a default policy-map configured but not applied , zones work using interface security level and insection policy and since there is no inspection policy applied this can be the reason why traffic is not moving from higher security level to lower . </P><P></P><P></P><P></P><P></P><P>Am i on the right track ?</P></BODY></HTML> Mon, 13 Aug 2012 03:56:10 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/2012746#M401047 communication.boy 2012-08-13T03:56:10Z https://community.cisco.com/t5/network-security/asa-zones/m-p/2012747#M401050 <HTML><HEAD></HEAD><BODY><P>Mmmmm, </P><P></P><P>You are right on how the Security level work, however, inspections are not required (it is recommended) but not required. Can you turn on logging on debugging and see when you try to make a connection? </P><P></P><P>Better yet, sh run access-group.</P><P></P><P>To configured logging </P><P>logging buffered debugging </P><P>logging on </P><P>Show log (once you do the connection)</P><P></P><P></P><P>Mike</P></BODY></HTML> Mon, 13 Aug 2012 04:07:43 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/2012747#M401050 Maykol Rojas 2012-08-13T04:07:43Z https://community.cisco.com/t5/network-security/asa-zones/m-p/2012748#M401052 <HTML><HEAD></HEAD><BODY><P>Thanks Mike, I will try that out . Its a production device so I cant do much of debuggings on that , I do have a planned downtime coming in after a few weeks where I will test this thing </P></BODY></HTML> Fri, 17 Aug 2012 06:10:56 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/2012748#M401052 communication.boy 2012-08-17T06:10:56Z