ACL and default traffic flow from higher to lower interface question

Alan Herriman
Level 1

Hello all,

This may be a fairly simple question to answer, but I did some searching and couldn't find a good answer. By default ASAs will allow traffic from a high security interface to a lower security interface, such as the inside(100) to outside(0) and dmz(50), or dmz to outside(0). If you apply an ACL incoming on that interface, is the higher to lower interface behavior still present? I want to do some egress filtering on my dmz interface, but still want it to be able to access the outside network. I want to block my inside interface from being able to access my DMZ at all. Any good suggestions on how to do this?

Thanks in advance!

lcambron
Level 3

Alan,

The ACL bypasses the high to lower rule.

If you want to block access from inside to DMZ, you can change security level on DMZ to 100.

Or if you want to use ACL.

int g0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

int g0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0

access-list name deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list name permit ip any any
access-group name in interface inside

hope this helps,

Felipe.

Hey Felipe,

That does help, but I need clarification on one part. Does the access-list work alongside the default behavior to allow traffic from a higher security interface to a lower security interface, or does it replace that behavior?

Thanks,

Alan

Alan,

The ACL replaces the security levels, however the ASA also needs NAT for traffic between interfaces.

Example; source IP needs to be NAT'ed from high to lower security level, so even with ACL the security level still matters for NAT.

This is only until version 8.2

Felipe.

Ok thanks for the info!

An example of this would be if my inside interface was 192.168.1.0 and my dmz was 192.168.2.0. I would need a statement like this? static (inside,dmz) 192.168.2.0 192.168.1.0 255.255.255.0

Best Regards,

Alan

Alan,

You can do:

nat (inside) 1 192.168.1.0 255.255.255.0

global (dmz) 1 interface

or

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Felipe.