ASA Interface Security Level

aeryilmaz
Level 1

Hi all,

I'm building a new ASA configuration with a dmz interface and an inside interface.

dmz security-level 20

inside security-level 100

ASA ver 8.2(1)

I found that I can pass traffic from hosts off the dmz to hosts on the inside without having to define a static or identity-nat rule.

I've always thought that in order to get traffic to flow from a lower-level security interface to a high-level security interface you have to explicitly allow it.

Is that no longer the case?

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame

You need an acl to allow the traffic from the dmz to the inside hosts.

As for NAT you can disable NAT using "no nat-control" which then means you do need static NAT rules as you would have done on older versions.

Jon


3 Replies

Thanks for the info, Jon.

I did some further testing and found that with nat-control enabled, I need a static NAT to permit traffic to flow from "inside" to "dmz." With it disabled, traffic will flow from higher to lower without an interface ACL or NAT.

Also with nat-control disabled, I still need an ACL to allow traffic from dmz to inside but as you mention no NAT rules required.

Thanks again.

I was baffled by the change in logic with security-levels.
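The following ASA 8.2 configuration fragment is an added example, not posted by anyone in this thread, showing the two cases described above: nat-control disabled (no NAT rule needed, but an ACL is still required for dmz-to-inside traffic) and, commented out, the identity static that would be needed if nat-control were enabled. Interface names, IP addresses, the host addresses 172.16.1.10 and 10.1.1.10, and the ACL name DMZ_IN are assumptions for illustration.

```text
! Added example (not from the thread). Addresses and names are assumed.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 20
 ip address 172.16.1.1 255.255.255.0
!
! Case 1: nat-control disabled. Packets may cross interfaces without any
! NAT rule; only the ACL and the security-level rules decide.
no nat-control
!
! inside (100) -> dmz (20): higher to lower, permitted by default, no ACL needed.
!
! dmz (20) -> inside (100): lower to higher, blocked until explicitly
! permitted by an ACL applied inbound on the dmz interface.
access-list DMZ_IN extended permit tcp host 172.16.1.10 host 10.1.1.10 eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Case 2: if nat-control is enabled instead, the ACL above is still required
! AND the inside host must have a NAT entry visible from the dmz. An identity
! static (translate the address to itself) satisfies that without rewriting it:
! nat-control
! static (inside,dmz) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
!
! Check the result for one flow before trusting it (assumed ports):
! packet-tracer input dmz tcp 172.16.1.10 12345 10.1.1.10 443
```

The `deny ip any any log` line at the end of the ACL makes the implicit deny visible in syslog, which is the quickest way to see whether a dmz-to-inside flow is being dropped by the ACL or by a missing NAT entry when nat-control is on. `packet-tracer` walks the same ACL, NAT and security-level checks the ASA applies to a real packet and reports which phase dropped it.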

No problem, glad to have helped and thanks for the rating.

I remember the first time I came across this issue, it confused me as well. I was so used to having to set up static NATs from lower to higher I actually thought it was a bug in the firewall at first.

Jon
