08-11-2011 02:12 PM - edited 03-11-2019 02:10 PM
Hi all,
I'm building a new ASA configuration with a dmz interface and an inside interface.
dmz security-level 20
inside security-level 100
ASA ver 8.2(1)
I found that I can pass traffic from hosts off the dmz to hosts on the inside without having to define a static or identity-nat rule.
I've always thought that in order to get traffic to flow from a lower-level security interface to a high-level security interface you have to explicitly allow it.
Is that no longer the case?
08-11-2011 03:19 PM
You need an acl to allow the traffic from the dmz to the inside hosts.
As for NAT you can disable NAT using "no nat-control" which then means you do need static NAT rules as you would have done on older versions.
Jon
08-12-2011 07:21 AM
Thanks for the info, Jon.
I did some further testing and found that with nat-control enabled, I need a static NAT to permit traffic to flow from "inside" to "dmz." With it disabled, traffic will flow from higher to lower without an interface ACL or NAT.
Also with nat-control disabled, I still need an ACL to allow traffic from dmz to inside but as you mention no NAT rules required.
Thanks again.
I was baffled by the change in logic with security-levels.
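To make the two behaviours described in this thread concrete (Jon's note that dmz-to-inside needs an ACL regardless of NAT, and the follow-up finding that with nat-control disabled no NAT rule is needed in either direction), here is a constructed ASA 8.2 configuration fragment. It is an added example, not configuration from either poster; the interface names, addresses, host IPs and port are placeholders chosen for illustration.

```cisco
! Constructed ASA 8.2 example (not from the thread); addresses are placeholders
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 20
 ip address 192.168.10.1 255.255.255.0
!
! With nat-control disabled, traffic no longer needs a NAT or static
! rule to cross interfaces. Security levels still decide the default:
! inside (100) -> dmz (20) is allowed with no ACL, dmz -> inside is
! denied unless an ACL explicitly permits it.
no nat-control
!
! Permit only the DMZ web host to reach one internal database server
! on TCP/1433, and log anything else the DMZ tries to send inbound.
access-list DMZ_IN extended permit tcp host 192.168.10.50 host 10.1.1.20 eq 1433
access-list DMZ_IN extended deny ip any any log
!
! Bind the ACL inbound on the dmz interface
access-group DMZ_IN in interface dmz
!
! If nat-control were left enabled instead, the follow-up post's
! observation applies: a static (identity) NAT is also required before
! the inside host is reachable from the dmz, e.g.
!   nat-control
!   static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255
```

Keeping the ACL tight (specific source host, destination host and port) matters more once nat-control is off, because the absence of a NAT rule no longer acts as an accidental second gate; the interface ACL is the only thing standing between the DMZ and the inside network. The `deny ip any any log` line gives a syslog trail of any DMZ host probing inward, which is useful when a DMZ-facing service is compromised. To confirm the policy before relying on it, `packet-tracer input dmz tcp 192.168.10.50 12345 10.1.1.20 1433` walks the flow through the ACL and NAT phases and reports whether it would be allowed.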
08-12-2011 07:27 AM
No problem, glad to have helped and thanks for the rating.
I remember the first time I came across this issue, it confused me as well. I was so used to having to set up static NATs from lower to higher that I actually thought it was a bug in the firewall at first.
Jon