11-17-2012 12:33 PM - edited 03-11-2019 05:24 PM
Hi,
I'm trying to implement some best practices for ASA running on Software Release 8.2 and had a question about the default security-level behavior.
Let's say I have 3 interfaces...
-inside (security-level 100)
-dmz (security-level 50)
-outside (security-level 0)
I have an ACL on the inside interface allowing http access to anywhere. Because of the ACL, the implicit higher to lower security level access is nullified. Correct?
I do NOT have any ACL on the dmz interface applied. So, would the servers in the dmz be allowed outbound access to the Internet due to the default higher to lower security level behavior?
Looking forward to your responses. Thanks!
11-17-2012 01:19 PM
I have an ACL on the inside interface allowing http access to anywhere. Because of the ACL, the implicit higher to lower security level access is nullified. Correct?
That is correct, that is the whole purpose of using an ACL on the inside interface, restrict traffic.
I do NOT have any ACL on the dmz interface applied. So, would the servers in the dmz be allowed outbound access to the Internet due to the default higher to lower security level behavior?
Yes, they will be able to access any other interface with a lower security level.
Regards
11-17-2012 04:45 PM
In addition to Julio's correct answer, your DMZ clients would need a NAT rule to access the Internet (assuming they don't already have public IPs).
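The scenario from the question and both answers, written out as an ASA 8.2 configuration. This is an added example, not configuration posted in the thread; the interface numbers, all IP addresses and the ACL names are assumptions chosen for illustration.

```cisco
! Assumed interface assignments and addressing (not from the thread)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Binding an ACL to "inside" replaces the implicit permit from level 100
! to lower levels: only HTTP matches, everything else hits the implicit
! deny at the end of the list.
access-list INSIDE_IN extended permit tcp any any eq www
access-group INSIDE_IN in interface inside
!
! No access-group on "dmz", so dmz (50) -> outside (0) is permitted by the
! default higher-to-lower behaviour. outside (0) -> dmz (50) stays blocked
! because nothing on "outside" permits it.
!
! Per Marc's note, private addresses still need NAT to reach the Internet
! (pre-8.3 nat/global syntax).
nat (inside) 1 192.168.10.0 255.255.255.0
nat (dmz) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
!
! Least-privilege variant for the DMZ: bind an explicit ACL so DMZ servers
! get only the outbound access they need, just as "inside" does above.
! Left unbound here so the config matches the behaviour asked about.
access-list DMZ_IN extended permit tcp 192.168.50.0 255.255.255.0 any eq www
access-list DMZ_IN extended permit tcp 192.168.50.0 255.255.255.0 any eq https
access-list DMZ_IN extended permit udp 192.168.50.0 255.255.255.0 any eq domain
! access-group DMZ_IN in interface dmz
```

To confirm the verdict without a lab, `packet-tracer input dmz tcp 192.168.50.10 1025 198.51.100.7 80` shows the ACL, NAT and security-level checks the ASA applies to a DMZ-to-Internet flow.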
11-18-2012 06:28 AM
Thanks guys. Saved me a lotta labbing and testing!!!