05-31-2013 02:27 PM - edited 03-11-2019 06:52 PM
Hi Everyone.
If we had this topology:
Server is connected to Switch 1, Switch 1 connects to Switch 2 (layer connection), and Switch 2 has a connection to a transparent ASA.
Now this transparent ASA has a connection to Switch 3, and Switch 3 has a connection to another ASA2, then the internet.
For the above traffic flow, do we need an ACL at both the transparent ASA and ASA2?
Thanks
Mahesh
05-31-2013 02:43 PM
Hello Mahesh,
Same concept will apply on transparent mode for L3 traffic (if traffic from lower to higher needs to be allowed, then create the ACL; from higher to lower, no need).
Regards
05-31-2013 02:46 PM
Hi Julio,
As transparent is a layer 2 firewall, traffic there is coming from lower to higher security.
I will apply ACL there.
After this, traffic passes through another ASA that's in routed mode.
Do I need to apply ACL there also?
Thanks
Mahesh
05-31-2013 02:49 PM
After this, traffic passes through another ASA that's in routed mode.
Do I need to apply ACL there also?
If the traffic goes on that one from lower to higher: Yes, as well.
Note: The only L3 traffic while being on L2 mode that I am aware of that needs an ACL from higher to lower is multicast traffic.
Regards
05-31-2013 02:55 PM
Hi Julio,
So I need two ACLs, one on transparent and the other on the second ASA, right?
Thanks
Mahesh
05-31-2013 03:58 PM
Hello Mahesh,
You got it
Regards
06-10-2013 02:28 PM
Hi Julio,
I just did some change on the network where traffic was passing from transparent FW and routed FW.
I put ACL on transparent FW to allow traffic on port 80.
But routed FW was denying traffic on port 80.
But from routed mode, traffic was entering on the high security interface and leaving on the lower security interface.
So ACL at routed mode was denying the traffic going to destination on port 80 even though flow was from high to low.
When we say that traffic can flow from high to low security interface, does it also mean that we can access any ports also?
Thanks
Mahesh
06-10-2013 02:51 PM
Yes, it can access any port unless you deny it via an ACL,
06-10-2013 02:57 PM
Hi Julio,
To make this work I had to config ACL on routed ASA to allow traffic on port 80.
Even though flow was from high to low security.
Is this default behaviour? So in short I had to config 2 ACLs, one each on transparent and routed ASA, to make this work.
Thanks
Mahesh
06-10-2013 02:59 PM
Hello Mahesh,
No, unless there was an ACL already,
Was there an ACL already ( on the highest security level interface)?
06-10-2013 06:14 PM
Hi Julio,
On interface from high to low security there was no ACL.
I had to put ACL to allow traffic from higher to lower on port 80.
Thanks
Mahesh
06-10-2013 08:45 PM
Hello Mahesh,
That's not required,
You are missing something,
Can you share the configuration without the ACL (make sure it does not work before posting it here)
Regards
06-11-2013 01:35 PM
Hi Julio,
I dug deeper and found that there was an ACL on routed ASA which was denying the traffic.
Seems earlier, as it was denying the traffic, that's why I needed to put the second ACL on routed ASA also.
Now it makes sense why I need 2 ACLs, one each on transparent and routed ASA, to make this work.
Hope you agree with this.
Regards
Mahesh
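A constructed configuration, added here and not taken from Mahesh's or Julio's network, that reproduces what was found: the routed ASA already had an ACL bound to its high-security interface, and once any ACL is applied the default permit from higher to lower no longer applies, so the ACL's own deny drops the port 80 flow until a permit line is added; the transparent ASA needs its own permit on its lower-security side. Interface names, ACL names and addresses are assumptions (RFC 5737 documentation ranges); `packet-tracer` is the check.

```cisco
! ===== Routed ASA (hypothetical config, not the thread's) =====
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
! As found: an ACL already bound to the high-security (inside) interface.
! With an ACL applied, "higher to lower is allowed" no longer applies; only the
! ACL decides, and every ASA ACL ends with an implicit deny.
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
!
! Fix: insert the permit for port 80 ahead of the deny (line 1 = first ACE).
access-list INSIDE_IN line 1 extended permit tcp 192.0.2.0 255.255.255.0 any eq 80
!
! Check from the CLI (constructed host 192.0.2.10 to web server 198.51.100.20):
!   packet-tracer input inside tcp 192.0.2.10 40000 198.51.100.20 80
! Before the fix the ACCESS-LIST phase reports DROP; after it, ALLOW.
! Return traffic is matched by the stateful connection, so no ACL is
! needed on the outside interface for the reply.
!
! ===== Transparent ASA (hypothetical; same security-level logic, no IP on data interfaces) =====
firewall transparent
interface GigabitEthernet0/0
 nameif servers
 security-level 0
 bridge-group 1
interface GigabitEthernet0/1
 nameif core
 security-level 100
 bridge-group 1
interface BVI1
 ip address 192.0.2.2 255.255.255.0
!
! The server side is the lower-security interface here, so the port 80 flow
! going toward the core is lower to higher and needs an explicit permit
! (the first ACL from the thread).
access-list SERVERS_IN extended permit tcp 192.0.2.0 255.255.255.0 any eq 80
access-group SERVERS_IN in interface servers
```

Running `show access-list INSIDE_IN` shows hit counts per ACE, which makes a pre-existing deny line visible before adding more rules.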
06-11-2013 01:49 PM
Hello Mahesh,
Exactly, as I said in one of my previous posts:
No, unless there was an ACL already,
Was there an ACL already ( on the highest security level interface)?
Regards,
Remember to rate all of the helpful posts
06-11-2013 01:54 PM
Hi Julio,
Yes there was an ACL on higher to lower denying IP traffic.
Seems last time I did not understand what you said.
But asking you more questions helped me to understand better now.
Best regards
Mahesh