ASA, FTD Firewall - Outside to Inside without ACL

Hi All,

Is there a way to allow traffic from the outside interface (security-level 0) to the Inside or DMZ interface (a higher security-level) apart from ACLs? I mean, without any ACL entry, can we allow traffic?

Is there any other way traffic can be permitted from a low security level to a high security level without an ACL entry?

4 Replies

This makes the DMZ directly connected to outside, and this makes the ASA useless.

You can bypass the ASA by connecting the DMZ to outside, but again this makes the ASA useless.

Can I ask why you want that?

I was asked this question in an interview by the interviewer.

@kalyanChakravarthy it depends what type of traffic. If the command sysopt connection permit-vpn is configured, then VPN traffic which is terminated on the outside interface bypasses the interface ACLs.

If this is regular through-the-box traffic then the answer is no. You must have an ACL to allow traffic to pass from a higher security level interface to a lower security level interface.

Now if this is a VPN setup then there is a possibility to allow VPN traffic to bypass the interface ACL (this is enabled by default on Cisco firewalls).

But without more context to the question you were asked by the interviewer, what I posted is the correct answer.

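An added audit example, not code from this thread or from Cisco: a Python script that reads an ASA running-config excerpt and reports, for each lower-to-higher security-level interface pair, whether an inbound ACL admits through-the-box traffic and whether `sysopt connection permit-vpn` (on by default) lets VPN traffic terminated on that interface bypass the ACL. The config text, interface names and ACL name are constructed sample data.

```python
import re

# Constructed ASA running-config excerpt (sample data, not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
access-list OUTSIDE_IN extended permit tcp any host 192.168.50.10 eq 443
access-group OUTSIDE_IN in interface outside
no sysopt connection permit-vpn
"""

def parse_asa(config):
    """Return (security level per nameif, inbound ACL per nameif, permit_vpn)."""
    levels, inbound_acl, nameif = {}, {}, None
    permit_vpn = True  # ASA default: VPN-terminated traffic bypasses interface ACLs
    for line in config.splitlines():
        line = line.rstrip()
        if m := re.match(r"^ nameif (\S+)$", line):
            nameif = m.group(1)
        elif m := re.match(r"^ security-level (\d+)$", line):
            levels[nameif] = int(m.group(1))
        elif m := re.match(r"^access-group (\S+) in interface (\S+)$", line):
            inbound_acl[m.group(2)] = m.group(1)
        elif line == "no sysopt connection permit-vpn":
            permit_vpn = False
        elif line == "sysopt connection permit-vpn":
            permit_vpn = True
    return levels, inbound_acl, permit_vpn

def low_to_high_paths(config):
    """For each lower->higher security-level pair, report what lets traffic in:
    an inbound ACL on the source interface, and the sysopt setting for VPN."""
    levels, inbound_acl, permit_vpn = parse_asa(config)
    report = {}
    for src, src_level in levels.items():
        for dst, dst_level in levels.items():
            if src_level < dst_level:
                report[(src, dst)] = {
                    # no inbound ACL -> default policy drops lower-to-higher traffic
                    "through_box": f"acl:{inbound_acl[src]}" if src in inbound_acl else "blocked",
                    "vpn": "bypasses acl" if permit_vpn else "needs acl",
                }
    return report
```

Run `low_to_high_paths(SAMPLE_CONFIG)` to see that only the outside interface, which carries an inbound ACL, can reach the higher-level interfaces, and that with `no sysopt connection permit-vpn` set even VPN traffic must pass that ACL.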