Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1049
Views
0
Helpful
5
Replies

ASA Security Level 0 question

Go to solution
jimmycher
Level 1
Level 1

‎09-20-2019 07:39 AM

I get that Level 100 is fully trusted, level 0 is fully untrusted, and how you can go from security zone 100 to zone 0, but not the reverse.  

 

However, my old understanding was that once you manually assigned FW rules, the zones became irrelevant.  That is, the security zone was superseded by the rule set.  I know that was true 5 years ago.

 

Now, I found out that even if I specifically allow traffic on a rule-set, it won't send/receive if the security zone is 0.

 

Can someone give me a brain dump (without quoting the obvious stuff from the text book).

Thanks.

jc

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
bhargavdesai
Spotlight
Spotlight
In response to jimmycher

‎09-20-2019 09:02 AM

I would like to remind you that the ASA does stateful inspection of TCP and UDP by default. If you want icmp to work through firewall, you need to enable icmp inspection. You can do that by Fixup protocol icmp Please provide more details how you test and what is the setup and other details so that we can understand better. HTH

View solution in original post

0 Helpful
5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-20-2019 08:19 AM

Not sure if i understand your question correctly.

 

By Defaut Lower level security to Higher level Security not allowed.

 

but you can make a ACL to allow them what you required, if this not working. send us more information, what device / version of ASA /and your ACL ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
jimmycher
Level 1
Level 1
In response to balaji.bandi

‎09-20-2019 08:27 AM

I had interface that was security level 0, BUT had an explicit "permit icmp any any" ruleset.



The PINGs were denied, until I changed the security level to 100, then they worked.



Why doesn't the explicit ruleset take priority?



Thanks


0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to jimmycher

‎09-20-2019 08:59 AM

i would prefer to have look your config and some logs to understand (i can not visualise your issue)

 

obviously once you change to same security it works, but that is not meant to be as FW.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
bhargavdesai
Spotlight
Spotlight
In response to jimmycher

‎09-20-2019 09:02 AM

I would like to remind you that the ASA does stateful inspection of TCP and UDP by default. If you want icmp to work through firewall, you need to enable icmp inspection. You can do that by Fixup protocol icmp Please provide more details how you test and what is the setup and other details so that we can understand better. HTH
0 Helpful

Go to solution
jimmycher
Level 1
Level 1
In response to bhargavdesai

‎09-20-2019 11:11 AM

I did the ICMP inspect. Don't have time to send you config, but the question was not that important.

Please disregard, thanks.


0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card