01-16-2008 05:56 AM - edited 03-11-2019 04:49 AM
I've experienced this with both ASA and PIX... Does anybody know why an ACL is needed for high security to low security? Even though I have no high security to low security ACL for other connections?
01-16-2008 10:28 AM
ACLs protect your trusted network. Why would you not want ACLs?
01-16-2008 10:45 AM
You have it backward. By default, hosts behind a high security interface can access hosts behind a low security level interface. You do NOT need an ACL to protect hosts sitting behind a high level security interface from a low level security interface. That is implicitly implied.

You need an ACL on the high level security interface in order to protect/prevent hosts from getting to hosts on other interfaces. That way, if hosts on the high level security interface are infected with viruses, they won't propagate to other networks on other interfaces.
CCIE Security
01-16-2008 10:49 AM
Yeah, I know I don't need an ACL to protect hosts sitting behind a high level security interface from a low level security interface... but, in my case, that is not an issue... a higher security level was unable to initiate a sqlnet connection to a lower security level with an ACL...
01-16-2008 10:53 AM
Does nothing between the subnets work? Is NAT working or are you routing?
01-16-2008 11:03 AM
Do you have inspection turned on for sqlnet?
01-16-2008 02:17 PM
fixup protocol for sqlnet...
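An added configuration example, not from any of the posters, that puts together the security-level explanation earlier in the thread and the sqlnet inspection suggestion at the end; the interface names, security levels and addresses are assumed:

```cisco
! Added example (not from the thread): ASA configuration illustrating the
! security-level behaviour discussed above. Interface names, security levels
! and addresses (10.1.1.0/24 inside, 172.16.1.10 database in the DMZ) are assumed.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! With no access-group on "inside", high (100) -> low (50) traffic is permitted
! implicitly and low -> high is denied implicitly; no ACL is needed for that.
!
! Once an ACL is applied inbound on "inside", it replaces the implicit permit:
! everything not listed is dropped by the implicit deny at the end of the list.
! Permit only SQL*Net (TCP/1521) from the inside subnet to the database host.
access-list inside_access_in extended permit tcp 10.1.1.0 255.255.255.0 host 172.16.1.10 eq sqlnet
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside
!
! SQL*Net can redirect the client to a dynamically chosen server port after the
! initial TCP/1521 exchange. Inspection tracks the redirect and opens the
! secondary connection; without it, the ACL above drops the redirected flow.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect sqlnet
service-policy global_policy global
!
! PIX 6.x equivalent of "inspect sqlnet":
! fixup protocol sqlnet 1521
```

The `deny ip any any log` line only makes the implicit deny visible in syslog, which is what shows you the dropped redirected connection when inspection is missing.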