https://community.cisco.com/t5/network-security/security-level-on-asa/m-p/1304982#M858362 <P>Hi Experts,</P><P></P><P>If there are multiple sub interfaces and vlans are created with different security levels</P><P></P><P>Will the traffic flows from high security level interface to low security level interface?.</P><P></P><P>What is the case if we have the acls in place?</P><P></P><P>Thanks in advance</P><P></P><P>Regards,</P><P>Madan.</P><P></P><P></P> Mon, 11 Mar 2019 15:59:28 GMT kr_madan 2019-03-11T15:59:28Z https://community.cisco.com/t5/network-security/security-level-on-asa/m-p/1304982#M858362 <P>Hi Experts,</P><P></P><P>If there are multiple sub interfaces and vlans are created with different security levels</P><P></P><P>Will the traffic flows from high security level interface to low security level interface?.</P><P></P><P>What is the case if we have the acls in place?</P><P></P><P>Thanks in advance</P><P></P><P>Regards,</P><P>Madan.</P><P></P><P></P> Mon, 11 Mar 2019 15:59:28 GMT https://community.cisco.com/t5/network-security/security-level-on-asa/m-p/1304982#M858362 kr_madan 2019-03-11T15:59:28Z https://community.cisco.com/t5/network-security/security-level-on-asa/m-p/1304983#M858364 <HTML><HEAD></HEAD><BODY><P>Madan,</P><P></P><P>The ASA always allows traffic from higher to lower by default. If you have ACLs in place, then you'll need to allow the traffic through. </P><P></P><P>For example, if you have an ACL applied to the inside interface and the inside interface has a security level of 100, then that ACL will need to allow what you want out. If you want users to be able to surf the web, but nothing else, your acl will allow port 80 out, but deny everything else.</P><P></P><P>HTH,</P><P>John</P></BODY></HTML> Mon, 27 Jul 2009 15:15:39 GMT https://community.cisco.com/t5/network-security/security-level-on-asa/m-p/1304983#M858364 John Blakley 2009-07-27T15:15:39Z https://community.cisco.com/t5/network-security/security-level-on-asa/m-p/1304984#M858366 <HTML><HEAD></HEAD><BODY><P>Thanks for your valuable input.</P><P></P><P>Do we need Explicit deny statement in acl? </P><P></P><P></P><P></P><P></P><P></P></BODY></HTML> Mon, 27 Jul 2009 16:00:24 GMT https://community.cisco.com/t5/network-security/security-level-on-asa/m-p/1304984#M858366 kr_madan 2009-07-27T16:00:24Z https://community.cisco.com/t5/network-security/security-level-on-asa/m-p/1304985#M858367 <HTML><HEAD></HEAD><BODY><P>Depends on what you are trying to do with your acl.</P><P></P><P>There is an implicit deny at the end of an acl so anything not explicitly permitted or denied in your acl will be dropped.</P><P></P><P>Jon</P></BODY></HTML> Mon, 27 Jul 2009 16:06:14 GMT https://community.cisco.com/t5/network-security/security-level-on-asa/m-p/1304985#M858367 Jon Marshall 2009-07-27T16:06:14Z https://community.cisco.com/t5/network-security/security-level-on-asa/m-p/1304986#M858372 <HTML><HEAD></HEAD><BODY><P>In addition to what Jon said, if you use a permit any at the end of your acl and want to deny traffic, you'll need a deny line before the permit any.</P><P></P><P>deny ip 192.168.1.0 255.255.255.0 any eq 80</P><P>permit ip any any</P><P></P><P>This would deny 192.168.1.0 subnet from getting on the web, but it would allow them to go everywhere else like mail, etc. After the "permit ip any any" line is an "invisible" deny ip any any line. You can't see it but it's there. I normally put a deny ip any any at the end so I can see what I'm actually blocking hit-count wise.</P><P></P><P>John</P></BODY></HTML> Mon, 27 Jul 2009 16:11:29 GMT https://community.cisco.com/t5/network-security/security-level-on-asa/m-p/1304986#M858372 John Blakley 2009-07-27T16:11:29Z