cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

961
Views
0
Helpful
1
Replies
Highlighted

ASA And interface security level problem

Hi all!

I've an ASA 5520 having one interface (GUEST) with security level 5.

Now, if i add a rule to permit all traffic to outside network (like permit any any), i see that they can also reach the INSIDE interface (security level 100).

I have to deny this traffic explicitly?

The ASA doesen't stop this traffic (from a lower security interface fo a higher one) automatically?

PS: nat control is active!

Thanks in advance!1

Everyone's tags (4)
1 REPLY 1
Highlighted
Cisco Employee

Re: ASA And interface security level problem

ASA denies traffic by default from low security to high security level if you don't have static NAT between the 2 interfaces and if you have no ACL on the low security level interface to allow the access.

However, if you have both, then it will allow access. The requirement to access high security subnet from low security subnet is to have static NAT statement as well as ACL to permit the traffic applied to the low security level interface.

If you already have both configured, and you would like to deny access to INSIDE subnet, then you have to configure ACL to deny those traffic, and make sure that it is above the "permit ip any any" rule.