https://community.cisco.com/t5/network-security/acl-and-default-traffic-flow-from-higher-to-lower-interface/m-p/1940807#M436846 <HTML><HEAD></HEAD><BODY><P>Alan,</P><P></P><P>The ACL replaces the security levels, however the ASA also needs NAT for traffic between interfaces.</P><P></P><P>Example; source IP needs to be NAT'ed from high to lower security level, so even with ACL the security level still matters for NAT.</P><P></P><P>This is only until version 8.2</P><P></P><P>Felipe.</P></BODY></HTML> Tue, 15 May 2012 19:38:41 GMT lcambron 2012-05-15T19:38:41Z https://community.cisco.com/t5/network-security/acl-and-default-traffic-flow-from-higher-to-lower-interface/m-p/1940804#M436842 <P>Hello all,</P><P></P><P>This may be a fairly simple question to answer, but I did some searching and couldn't find a good answer. By default ASA's will allow traffic from a high security interface to a lower secuirt interface. Such as the inside(100) to outside(0) and dmz(50) or dmz to outside(0). If you apply an ACL incoming on that interface is the higher to lower interface behavior still present? I want to do some egrees filtering on my dmz interface, but still want it to be able to access the outside network. I want to block my inside interface from being able to access my DMZ at all. Any good suggestions on how to do this? </P><P></P><P>Thanks in advance! </P> Mon, 11 Mar 2019 23:07:31 GMT https://community.cisco.com/t5/network-security/acl-and-default-traffic-flow-from-higher-to-lower-interface/m-p/1940804#M436842 Alan Herriman 2019-03-11T23:07:31Z https://community.cisco.com/t5/network-security/acl-and-default-traffic-flow-from-higher-to-lower-interface/m-p/1940805#M436844 <HTML><HEAD></HEAD><BODY><P>Alan,</P><P></P><P>The ACL bypasses the high to lower rule.</P><P></P><P>If you want to block access from inside to DMZ, you can change security level on DMZ to 100.</P><P>Or if you want to use ACL.</P><P></P><P>int g0/1</P><P>nameif inside</P><P>ip addresses 192.168.1.0 255.255.255.0</P><P></P><P>int g0/2</P><P>nameif dmz</P><P>ip address 172.16.0.0 255.255.255.0</P><P></P><P>access-list name deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0</P><P>access-list name permit ip any any</P><P></P><P>access-group name in interface inside</P><P></P><P>hope this helps,</P><P></P><P>Felipe.</P></BODY></HTML> Tue, 15 May 2012 18:14:58 GMT https://community.cisco.com/t5/network-security/acl-and-default-traffic-flow-from-higher-to-lower-interface/m-p/1940805#M436844 lcambron 2012-05-15T18:14:58Z https://community.cisco.com/t5/network-security/acl-and-default-traffic-flow-from-higher-to-lower-interface/m-p/1940806#M436845 <HTML><HEAD></HEAD><BODY><P>Hey Felipe,</P><P></P><P>That does help, but I need clafication on one part. Does the Access-list work along side the default behavior to allow traffic from a higher security interface to a lower secuirty interface or does it replaces that behavior? </P><P></P><P>Thanks,</P><P>Alan </P></BODY></HTML> Tue, 15 May 2012 19:09:09 GMT https://community.cisco.com/t5/network-security/acl-and-default-traffic-flow-from-higher-to-lower-interface/m-p/1940806#M436845 Alan Herriman 2012-05-15T19:09:09Z https://community.cisco.com/t5/network-security/acl-and-default-traffic-flow-from-higher-to-lower-interface/m-p/1940807#M436846 <HTML><HEAD></HEAD><BODY><P>Alan,</P><P></P><P>The ACL replaces the security levels, however the ASA also needs NAT for traffic between interfaces.</P><P></P><P>Example; source IP needs to be NAT'ed from high to lower security level, so even with ACL the security level still matters for NAT.</P><P></P><P>This is only until version 8.2</P><P></P><P>Felipe.</P></BODY></HTML> Tue, 15 May 2012 19:38:41 GMT https://community.cisco.com/t5/network-security/acl-and-default-traffic-flow-from-higher-to-lower-interface/m-p/1940807#M436846 lcambron 2012-05-15T19:38:41Z https://community.cisco.com/t5/network-security/acl-and-default-traffic-flow-from-higher-to-lower-interface/m-p/1940808#M436847 <HTML><HEAD></HEAD><BODY><P>Ok thanks for the info! </P><P></P><P></P><P>An example of this would be if my inside interface was 192.168.1.0 and my dmz was 192.168.2.0. I would need a statement like this? static (inside,dmz) 192.168.2.0 192.168.1.0 255.255.255.0 </P><P></P><P>Best Regards,</P><P>Alan </P></BODY></HTML> Tue, 15 May 2012 19:56:39 GMT https://community.cisco.com/t5/network-security/acl-and-default-traffic-flow-from-higher-to-lower-interface/m-p/1940808#M436847 Alan Herriman 2012-05-15T19:56:39Z https://community.cisco.com/t5/network-security/acl-and-default-traffic-flow-from-higher-to-lower-interface/m-p/1940809#M436848 <HTML><HEAD></HEAD><BODY><P>Alan,</P><P></P><P>You can do:</P><P></P><P>nat (inside) 1 192.168.1.0 255.255.255.0</P><P>global (dmz) 1 interface</P><P></P><P>or</P><P></P><P>static (inside,dmz) 192.168.1.0 192.168.1.0</P><P></P><P>Felipe.</P></BODY></HTML> Tue, 15 May 2012 21:15:37 GMT https://community.cisco.com/t5/network-security/acl-and-default-traffic-flow-from-higher-to-lower-interface/m-p/1940809#M436848 lcambron 2012-05-15T21:15:37Z