ASA Security Level 0 question

jimmycher
Level 1

I get that level 100 is fully trusted, level 0 is fully untrusted, and how you can go from security zone 100 to zone 0, but not the reverse.

However, my old understanding was that once you manually assigned FW rules, the zones became irrelevant. That is, the security zone was superseded by the rule set. I know that was true 5 years ago.

Now I have found out that even if I specifically allow traffic in a rule set, it won't send/receive if the security level is 0.

Can someone give me a brain dump (without quoting the obvious stuff from the textbook)?

Thanks.

jc


5 Replies

balaji.bandi
Hall of Fame

Not sure if I understand your question correctly.

By default, traffic from a lower security level to a higher security level is not allowed.

But you can make an ACL to allow what you require. If this is not working, send us more information: what device / version of ASA, and your ACL?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I had an interface that was security level 0, BUT had an explicit "permit icmp any any" rule set.

The PINGs were denied until I changed the security level to 100; then they worked.

Why doesn't the explicit rule set take priority?

Thanks


I would prefer to have a look at your config and some logs to understand (I cannot visualise your issue).

Obviously once you change to the same security level it works, but that is not how a FW is meant to be used.

BB


I would like to remind you that the ASA does stateful inspection of TCP and UDP by default. If you want ICMP to work through the firewall, you need to enable ICMP inspection. You can do that with fixup protocol icmp. Please provide more details on how you test, what the setup is, and other details so that we can understand better. HTH
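For reference, here is what the configuration described in this answer looks like on an ASA: a security-level 0 interface with an inbound ACL for ICMP echo, plus ICMP inspection in the default global policy (the MPF form that the legacy fixup protocol icmp command maps to). This is an added illustration, not a config from the thread; the interface name, addresses and ACL name are constructed.

```text
! Added example, not from the thread. Names and addresses are constructed.
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Permit only echo requests inbound on the untrusted interface, rather than
! "permit icmp any any", so replies and other ICMP types are not blanket-allowed.
access-list OUTSIDE_IN extended permit icmp any any echo
access-group OUTSIDE_IN in interface outside
!
! MPF equivalent of the legacy "fixup protocol icmp". With ICMP inspection the
! ASA keeps state per echo request and allows only the matching echo-reply
! back through, so no ACL entry is needed for the return traffic.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification: confirm the inspection is in the active policy and watch the
! ACL hit counts increase while the ping runs.
show running-config policy-map
show service-policy inspect icmp
show access-list OUTSIDE_IN
```

If the pings are destined to the ASA interface itself rather than to a host behind it, the interface ACL and inspection do not apply; that case is governed separately and is outside what this thread covers.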

I did the ICMP inspect. I don't have time to send you the config, but the question was not that important.

Please disregard, thanks.
