ASA And interface security level problem

Hi all!

I have an ASA 5520 with one interface (GUEST) at security level 5.

Now, if I add a rule to permit all traffic to the outside network (like permit any any), I see that they can also reach the INSIDE interface (security level 100).

Do I have to deny this traffic explicitly?

Doesn't the ASA stop this traffic (from a lower security interface to a higher one) automatically?

PS: nat-control is active!

Thanks in advance!

1 Reply

Jennifer Halim
Cisco Employee

The ASA denies traffic by default from a low security level interface to a high security level interface if you don't have a static NAT between the two interfaces and no ACL on the low security level interface to allow the access.

However, if you have both, then it will allow access. The requirement to access a high security subnet from a low security subnet is to have a static NAT statement as well as an ACL permitting the traffic, applied to the low security level interface.

If you already have both configured and you would like to deny access to the INSIDE subnet, then you have to configure an ACL entry to deny that traffic, and make sure that it is above the "permit ip any any" rule.
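As an added illustration of the reply above (example configuration, not from the thread or the poster), a pre-8.3 ASA fragment with assumed interface names, subnets and ACL name, showing the deny entry placed above the permit and how to verify it:

```cisco
! Assumed interfaces; names and security levels follow the thread
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif GUEST
 security-level 5
 ip address 192.168.5.1 255.255.255.0
!
! nat-control is on, as the poster states, so a translation is required
nat-control
!
! Identity static NAT (pre-8.3 syntax) that makes the INSIDE subnet
! reachable from GUEST; together with a permissive ACL this is what
! lets low-security traffic reach the high-security interface
static (INSIDE,GUEST) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
!
! ACL applied inbound on GUEST. Entries are evaluated top-down, first
! match wins, so the deny for the INSIDE subnet must precede the permit
access-list GUEST_IN remark Block guests from reaching the INSIDE subnet
access-list GUEST_IN extended deny ip 192.168.5.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface GUEST
!
! If the "permit ip any any" already exists, insert the deny above it
! by line number instead of appending it (where it would never match):
! access-list GUEST_IN line 1 extended deny ip 192.168.5.0 255.255.255.0 10.0.0.0 255.255.255.0
!
! Verification (assumed addresses): the deny line should show hit
! counts and packet-tracer should report the flow as dropped by the ACL
! show access-list GUEST_IN
! packet-tracer input GUEST tcp 192.168.5.10 12345 10.0.0.10 80
```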
