https://community.cisco.com/t5/network-security/asa-interface-security-level/m-p/1797360#M533757 <P>Hi all,</P><P></P><P>I'm building a new ASA configuration with a dmz interaface and an inside interface.</P><P>dmz security-level 20</P><P>inside security-level 100</P><P></P><P>ASA ver 8.2(1)</P><P></P><P>I found that I can pass traffic from hosts off the dmz to hosts on the inside without having to define a static or identy-nat rule.</P><P>I've always thought that in order to get traffic to flow from a lower-level security interface to a high-level security interface you have to explicitly allow it.</P><P>Is that no longer the case?</P> Mon, 11 Mar 2019 21:10:30 GMT aeryilmaz 2019-03-11T21:10:30Z https://community.cisco.com/t5/network-security/asa-interface-security-level/m-p/1797360#M533757 <P>Hi all,</P><P></P><P>I'm building a new ASA configuration with a dmz interaface and an inside interface.</P><P>dmz security-level 20</P><P>inside security-level 100</P><P></P><P>ASA ver 8.2(1)</P><P></P><P>I found that I can pass traffic from hosts off the dmz to hosts on the inside without having to define a static or identy-nat rule.</P><P>I've always thought that in order to get traffic to flow from a lower-level security interface to a high-level security interface you have to explicitly allow it.</P><P>Is that no longer the case?</P> Mon, 11 Mar 2019 21:10:30 GMT https://community.cisco.com/t5/network-security/asa-interface-security-level/m-p/1797360#M533757 aeryilmaz 2019-03-11T21:10:30Z https://community.cisco.com/t5/network-security/asa-interface-security-level/m-p/1797361#M533759 <HTML><HEAD></HEAD><BODY><P>You need an acl to allow the traffic from the dmz to the inside hosts.</P><P></P><P>As for NAT you can disable NAT using "no nat-control" which then means you do need static NAT rules as you would have done on older versions.</P><P></P><P>Jon</P></BODY></HTML> Thu, 11 Aug 2011 22:19:03 GMT https://community.cisco.com/t5/network-security/asa-interface-security-level/m-p/1797361#M533759 Jon Marshall 2011-08-11T22:19:03Z https://community.cisco.com/t5/network-security/asa-interface-security-level/m-p/1797362#M533762 <HTML><HEAD></HEAD><BODY><P>Thanks for the info, Jon. </P><P></P><P>I did some futher testing and found that with nat-control Enabled, I need a static NAT to permit traffic to flow from "inside" to "dmz." With it disabled, traffic will flow from higher to lower without an interface ACL or NAT. </P><P></P><P>Also with nat-control disabled, I still need an ACL to allow traffic from dmz to inside but as you mention no NAT rules required.</P><P></P><P>Thanks again.</P><P>I was baffeled by the change in logic with security-levels.</P></BODY></HTML> Fri, 12 Aug 2011 14:21:03 GMT https://community.cisco.com/t5/network-security/asa-interface-security-level/m-p/1797362#M533762 aeryilmaz 2011-08-12T14:21:03Z https://community.cisco.com/t5/network-security/asa-interface-security-level/m-p/1797363#M533765 <HTML><HEAD></HEAD><BODY><P>No problem, glad to have helped and thanks for the rating.</P><P></P><P>I remember the first time i came across this issue, it confused me as well. I was so used to having to setup static NATs from lower to higher i actually thought it was bug in the firewall at first <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Jon</P></BODY></HTML> Fri, 12 Aug 2011 14:27:00 GMT https://community.cisco.com/t5/network-security/asa-interface-security-level/m-p/1797363#M533765 Jon Marshall 2011-08-12T14:27:00Z