06-06-2012 08:00 PM - edited 02-21-2020 04:39 AM
Hi,
I am trying to understand how ACLs and security levels work together on the ASA. Here are my questions:
If no ACL is applied, then by default, traffic from a higher security level is allowed to go to a lower security level. Then, based on the stateful inspection capability of the ASA, return traffic from the lower to the higher security level is also allowed. Is this correct?
In the absence of any ACL, a host sitting behind the lower security level cannot initiate a connection to any host behind the higher security levels.
Suppose an ACL is applied to the inside interface (security 100). Now only the traffic that matches the permit statements will be allowed, and everything else will be denied because of the implicit deny in the ACL. Now, if we don't have any ACL on the outside interface (security 0), then the return traffic (for the connections initiated from inside) will be permitted, right? If we now apply an ACL to the outside interface as well, is the return traffic allowed based on the stateful nature of the firewall, or does the return traffic need to match an outside ACL permit rule for it to come back to the host on the inside? I also want to know when we need to add an established ACE in the ACL.
Thanks,
Kashish
06-07-2012 04:59 AM
Hi
1. If no ACL is applied, then by default, traffic from a higher security level is allowed to go to a lower security level. Then, based on the stateful inspection capability of the ASA, return traffic from the lower to the higher security level is also allowed. Is this correct?
Yes, if there is NAT, static or dynamic.
2. Suppose an ACL is applied to the inside interface (security 100). Now only the traffic that matches the permit statements will be allowed, and everything else will be denied because of the implicit deny in the ACL. Now, if we don't have any ACL on the outside interface (security 0), then the return traffic (for the connections initiated from inside) will be permitted, right?
Yes. Only the first packet is checked against the ACL; all the others are transmitted if an xlate exists. Return traffic (for the connections initiated from inside) will be permitted.
3. If we now apply an ACL to the outside interface as well, is the return traffic allowed based on the stateful nature of the firewall, or does the return traffic need to match an outside ACL permit rule for it to come back to the host on the inside?
Then the return traffic is allowed based on the stateful nature (transmitted if an xlate exists).
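The three situations in the answer above, replayed in a small Python model of the ASA's forwarding decision. This is an added example, not Cisco code or output: it models interface security levels, an inbound ACL bound per interface with the implicit deny, and the conn table that lets reply packets through without an ACL lookup. NAT/xlate is deliberately left out, and the interface names, networks and hosts (inside 10.1.1.0/24 at security 100, outside 203.0.113.0/24 at security 0, client 10.1.1.10, server 203.0.113.5) are constructed for the example.

```python
"""Toy model of ASA forwarding: security levels, inbound interface ACLs with implicit
deny, and the conn table that passes reply traffic without an ACL lookup.
Added example, not Cisco code; NAT/xlate is deliberately not modelled."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_ip sport dst_ip dport")  # proto: "tcp"/"udp"
# action "permit"/"deny"; proto "ip"/"tcp"/"udp"; src/dst "any" or CIDR; dport None = any
Ace = namedtuple("Ace", "action proto src dst dport", defaults=(None,))

def _match_net(ip, spec):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _match_net(pkt.src_ip, ace.src) and _match_net(pkt.dst_ip, ace.dst)

class Asa:
    def __init__(self):
        self.ifaces = {}    # name -> (security level, connected network)
        self.acls = {}      # name -> inbound ACL; no entry means no ACL bound
        self.conns = set()  # direction-independent keys of permitted flows

    def interface(self, name, level, network):
        self.ifaces[name] = (level, ipaddress.ip_network(network))

    def access_group(self, name, aces):
        """Bind an inbound ACL; from then on the ACL alone decides new flows."""
        self.acls[name] = list(aces)

    def _iface_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for name, (_, net) in self.ifaces.items():
            if addr in net:
                return name
        raise ValueError(f"no interface for {ip}")

    @staticmethod
    def _conn_key(pkt):
        # A reply swaps src and dst, so key on the unordered endpoint pair.
        return (pkt.proto, frozenset({(pkt.src_ip, pkt.sport), (pkt.dst_ip, pkt.dport)}))

    def forward(self, pkt):
        """Return (permitted, reason) for a packet arriving at the ASA."""
        key = self._conn_key(pkt)
        if key in self.conns:
            return True, "existing conn: ACL not consulted"
        ingress, egress = self._iface_for(pkt.src_ip), self._iface_for(pkt.dst_ip)
        if ingress in self.acls:
            # First packet of a new flow: walk the ingress ACL top down.
            for ace in self.acls[ingress]:
                if ace_matches(ace, pkt):
                    ok, reason = ace.action == "permit", f"{ingress} ACL: {ace.action}"
                    break
            else:
                ok, reason = False, f"{ingress} ACL: implicit deny"
        else:
            # No ACL bound: only a higher security level may open a flow to a lower one.
            ok = self.ifaces[ingress][0] > self.ifaces[egress][0]
            reason = f"no ACL on {ingress}: level {'higher' if ok else 'not higher'} than {egress}"
        if ok:
            self.conns.add(key)
        return ok, reason

def build_asa(inside_acl=None, outside_acl=None):
    asa = Asa()
    asa.interface("inside", 100, "10.1.1.0/24")   # constructed topology
    asa.interface("outside", 0, "203.0.113.0/24")
    for name, acl in (("inside", inside_acl), ("outside", outside_acl)):
        if acl is not None:
            asa.access_group(name, acl)
    return asa

def run_scenarios():
    """Replay the thread's three situations; returns scenario name -> permitted."""
    client, server = "10.1.1.10", "203.0.113.5"  # constructed hosts
    out = {}
    asa = build_asa()  # 1. no ACLs: levels decide new flows, the conn table passes the reply
    out["no_acl_outbound"] = asa.forward(Packet("tcp", client, 40000, server, 443))[0]
    out["no_acl_reply"] = asa.forward(Packet("tcp", server, 443, client, 40000))[0]
    out["no_acl_inbound_new"] = asa.forward(Packet("tcp", server, 50000, client, 22))[0]
    inside_acl = [Ace("permit", "tcp", "10.1.1.0/24", "any", 443)]
    asa = build_asa(inside_acl)  # 2. ACL on inside only: everything else is implicitly denied
    out["inside_acl_443"] = asa.forward(Packet("tcp", client, 40001, server, 443))[0]
    out["inside_acl_80"] = asa.forward(Packet("tcp", client, 40002, server, 80))[0]
    out["inside_acl_reply"] = asa.forward(Packet("tcp", server, 443, client, 40001))[0]
    # 3. ACL on outside too, permitting nothing: the reply still passes via the conn table,
    #    a fresh inbound flow does not.
    asa = build_asa(inside_acl, [Ace("deny", "ip", "any", "any")])
    out["both_acl_outbound"] = asa.forward(Packet("tcp", client, 40003, server, 443))[0]
    out["both_acl_reply"] = asa.forward(Packet("tcp", server, 443, client, 40003))[0]
    out["both_acl_inbound_new"] = asa.forward(Packet("tcp", server, 50001, client, 443))[0]
    return out

if __name__ == "__main__":
    for name, permitted in run_scenarios().items():
        print(f"{name:22s} {'permit' if permitted else 'deny'}")
```

Two points the model makes visible: once an ACL is bound to an interface, the security level no longer decides new flows on that interface, so a permissive outside ACL would open lower-to-higher traffic; and the reply in scenario 3 is accepted because its endpoint pair is already in the conn table, not because any outside ACE permitted it, which is why the same outside ACL still blocks a fresh inbound connection to the same client port.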