Welcome to Cisco Firewalls Community
ASA Security Level 0 question

I get that Level 100 is fully trusted, level 0 is fully untrusted, and how you can go from security zone 100 to zone 0, but not the reverse.  

 

However, my old understanding was that once you manually assigned FW rules, the zones became irrelevant.  That is, the security zone was superseded by the rule set.  I know that was true 5 years ago.

 

Now, I found out that even if I specifically allow traffic on a rule-set, it won't send/receive if the security zone is 0.

 

Can someone give me a brain dump (without quoting the obvious stuff from the textbook)?

Thanks.

jc

Accepted Solution
Beginner

Re: ASA Security Level 0 question

I would like to remind you that the ASA does stateful inspection of TCP and UDP by default. If you want ICMP to work through the firewall, you need to enable ICMP inspection. You can do that with "fixup protocol icmp". Please provide more details on how you test, what the setup is, and other details so that we can understand better. HTH
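As an added worked example (not part of the thread and not any poster's configuration), here is a minimal ASA configuration that covers both points raised so far: the original question of whether an explicit ACL on a security-level-0 interface takes priority over the security level, and the accepted reply's point that ICMP has to be inspected before the ASA tracks it statefully. Interface names, IP addresses and the ACL name OUTSIDE_IN are assumptions chosen for illustration.

```text
! Added example, not from the thread. Interface names, addresses and the
! ACL name are assumed for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Point 1: the security level only decides what is allowed when NO ACL is
! bound to the interface in that direction (higher -> lower permitted,
! lower -> higher denied). Once an ACL is bound with access-group, that
! ACL, including its implicit deny at the end, decides what may enter the
! interface. So an explicit permit on the level-0 interface is honoured.
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside
!
! Point 2: TCP and UDP are tracked statefully by default, ICMP is not.
! An echo request from inside leaves through outside, but without ICMP
! inspection the echo-reply coming back has no connection entry to match.
! Enabling inspect icmp in the default global policy makes the ASA pair
! replies with requests. global_policy and inspection_default exist on a
! default ASA configuration; the service-policy line is also there by default.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Only needed if two interfaces share the same security level and traffic
! has to pass between them (without this, same-level traffic is dropped):
! same-security-traffic permit inter-interface
!
! Verification. The ACL hit count increments when the permit line matches;
! packet-tracer shows which phase (ACL, inspection, NAT, ...) drops a packet.
! show access-list OUTSIDE_IN
! show service-policy inspect icmp
! packet-tracer input outside icmp 203.0.113.50 8 0 192.168.1.10
```

The packet-tracer line simulates an ICMP echo request (type 8, code 0) arriving on the outside interface; running it before and after the access-group and inspect icmp lines are added is the quickest way to see which of the two is the one actually blocking a ping.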
VIP Advisor

Re: ASA Security Level 0 question

Not sure if I understand your question correctly.

 

By default, lower security level to higher security level is not allowed.

 

But you can make an ACL to allow what you require. If this is not working, send us more information: what device / version of ASA, and your ACL?

BB
Beginner

Re: ASA Security Level 0 question

I had an interface that was security level 0, BUT had an explicit "permit icmp any any" ruleset.



The PINGs were denied, until I changed the security level to 100, then they worked.



Why doesn't the explicit ruleset take priority?



Thanks


VIP Advisor

Re: ASA Security Level 0 question

I would prefer to have a look at your config and some logs to understand (I cannot visualise your issue).

 

Obviously once you change to the same security level it works, but that is not how it is meant to be as a FW.

BB
Beginner

Re: ASA Security Level 0 question

I did the ICMP inspect. I don't have time to send you the config, but the question was not that important.

Please disregard, thanks.