ASA 8.2 security-level default behavior

Hi,

I'm trying to implement some best practices for ASA running on Software Release 8.2 and had a question about the default security-level behavior.

Let's say I have 3 interfaces...

-inside (security-level 100)

-dmz (security-level 50)

-outside (security-level 0)

I have an ACL on the inside interface allowing http access to anywhere. Because of the ACL, the implicit higher to lower security level access is nullified. Correct?

I do NOT have any ACL on the dmz interface applied. So, would the servers in the dmz be allowed outbound access to the Internet due to the default higher to lower security level behavior?

Looking forward to your responses. Thanks!

1 Accepted Solution

Julio Carvajal
VIP Alumni

I have an ACL on the inside interface allowing http access to anywhere. Because of the ACL, the implicit higher to lower security level access is nullified. Correct?

That is correct, that is the whole purpose of using an ACL on the inside interface: restrict traffic.

I do NOT have any ACL on the dmz interface applied. So, would the servers in the dmz be allowed outbound access to the Internet due to the default higher to lower security level behavior?

Yes, they will be able to access any other interface with a lower security level.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


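The two rules Julio describes (an inbound ACL replaces the implicit security-level permit and ends in an implicit deny; an interface with no ACL falls back to the higher-to-lower comparison) can be checked against the poster's topology with the small model below. This is an added example, not code from the thread or from Cisco; the `Asa` and `Rule` classes, the interface names and the single HTTP rule are constructed to mirror the question, and NAT (Marvin's point) is not modelled.

```python
# Constructed model of the ASA 8.2 forwarding decision discussed in the thread.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip" (ip = any protocol)
    dst_port: Optional[int] = None  # None means any destination port

@dataclass
class Asa:
    levels: dict                                # interface -> security-level
    acls: dict = field(default_factory=dict)    # interface -> inbound rules (access-group ... in)
    same_security_inter_interface: bool = False # same-security-traffic permit inter-interface

    def is_permitted(self, src_if, dst_if, proto, dst_port=None):
        """Decide whether a new connection entering src_if and leaving dst_if is allowed.
        Returns (permitted, reason)."""
        if src_if in self.acls:
            # An inbound ACL replaces the implicit security-level behaviour entirely:
            # first match wins, and the list ends in an implicit deny.
            for r in self.acls[src_if]:
                proto_match = r.proto == "ip" or r.proto == proto
                port_match = r.dst_port is None or r.dst_port == dst_port
                if proto_match and port_match:
                    return r.action == "permit", f"ACL on {src_if}: {r.action}"
            return False, f"ACL on {src_if}: implicit deny"
        # No ACL applied: fall back to the security-level comparison.
        src_lvl, dst_lvl = self.levels[src_if], self.levels[dst_if]
        if src_lvl > dst_lvl:
            return True, "no ACL: higher to lower security level permitted"
        if src_lvl == dst_lvl and self.same_security_inter_interface:
            return True, "same-security-traffic permit inter-interface"
        return False, "no ACL: lower or equal to higher security level denied"

# Topology from the question: inside 100, dmz 50, outside 0.
asa = Asa(levels={"inside": 100, "dmz": 50, "outside": 0})
# inside carries an ACL permitting only HTTP; dmz has no ACL applied.
asa.acls["inside"] = [Rule("permit", "tcp", 80)]

if __name__ == "__main__":
    for flow in [("inside", "outside", "tcp", 80), ("inside", "outside", "tcp", 22),
                 ("inside", "dmz", "tcp", 22), ("dmz", "outside", "tcp", 443),
                 ("outside", "dmz", "tcp", 80)]:
        print(flow, asa.is_permitted(*flow))
```

Note that the inside ACL also blocks non-HTTP traffic toward the dmz, not just toward outside, because the ACL is evaluated on ingress before any security-level comparison.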
3 Replies

Marvin Rhoads
Hall of Fame

In addition to Julio's correct answer, your DMZ clients would need a NAT rule to access the Internet (assuming they don't already have public IPs).

Thanks guys. Saved me a lotta labbing and testing!!!
