06-26-2013 05:30 AM - edited 03-11-2019 07:03 PM
Hello,
I have 4 VLAN interfaces on different security levels.
My ASA model is 5505. The issue is that when data from a higher security interface flows to a lower security interface, I think it goes through but cannot come back in.
This means the generated traffic is not tracked, or in other words the stateful functionality is disabled.
If I add permit any any on the outside interface it all works, but no other way.
When you have interfaces on different levels, do you have to do anything so that traffic from a higher security interface is allowed back in?
Many thanks
06-26-2013 05:58 AM
It depends on the protocol you're trying to pass through. By default the ASA does basic/layer 4 inspection for all TCP and UDP sessions, plus application inspection (like for FTP) for some of the most used protocols.
If in your test you were talking about ICMP traffic, then the ASA doesn't inspect it by default and you should add this for ICMP inspection to work:
policy-map global_policy
class inspection_default
inspect icmp
06-26-2013 06:17 AM
thank you !!
How can I see the stateful table or the ACL created for it?
Also, is zone-based firewall a concept for IOS and not ASA? If so, this means the ASA does not support context-based filtering.
06-26-2013 06:32 AM
To list all the current connections in the state table you can use the command show conn.
Right, ZBPF (ZFW) is a concept applicable to IOS routers, not the ASA. For the part related to "context based filtering", I'm not sure that I understand what you're talking about. Most of the stateful/application inspection functionality available for ZBPF is available for the ASA, so there's not much difference between the two. Just some different logic and syntax, not functionality. The ASA actually supports what they call "context-aware filtering" (ASA-CX), but I don't think you meant this.
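As an added example that is not part of any post in this thread, here is the complete MPF configuration the replies above describe (the default global policy with ICMP inspection added) together with the commands used to confirm that the ASA is now tracking ICMP in its state table. The policy, class and interface names are the ASA defaults; the host addresses 192.168.1.10 and 203.0.113.5 are made up for illustration.

```cisco
! Added example, not from the original thread.
! Policy/class names (global_policy, inspection_default) and interface names
! (inside, outside) are ASA defaults; 192.168.1.10 is an assumed inside host.
!
! 1. The default global policy is applied to every interface. On a
!    factory-default ASA this line already exists; check with
!    "show running-config service-policy".
service-policy global_policy global
!
! 2. Add ICMP inspection to the default inspection class. With this, an echo
!    request leaving a higher security interface creates a connection entry,
!    and the matching echo reply is allowed back in by the state table, so no
!    "permit icmp any any" (or "permit ip any any") is needed on the outside
!    interface ACL. "inspect icmp error" additionally lets ICMP error messages
!    (for example unreachable, time-exceeded) that reference an existing
!    connection through.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 3. Verify that inspection is active and watch the state table while a
!    ping from 192.168.1.10 is running.
show service-policy inspect icmp
show conn protocol icmp
show conn address 192.168.1.10
```

If the ping still fails after this, check the interface ACLs first: an access-group applied inbound on the inside interface must still permit the outbound echo request, and `show conn` will only show an entry once the request has actually been accepted. For TCP and UDP nothing extra is required, since those are inspected statefully by the default policy.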
06-26-2013 06:38 AM
Sorry, I meant to say CBAC.
Many thanks for clarifying.
06-26-2013 06:58 AM
You're welcome. CBAC is the engine that ZBPF uses for inspection. ZBPF is just a framework for implementing CBAC. The ASA uses MPF for implementing all the inspection features.