ASA security levels issue

Random44F
Level 1

Hello,

I have 4 VLAN interfaces on different security levels.

My ASA model is 5505. The issue is when data from higher interfaces flows to a lower security interface, I think it goes through but cannot come back in.

This means the generated traffic is not tracked, or in other words the stateful functionality is disabled.

If I add permit any any on the outside interface it all works, but no other way.

When you have interfaces on different levels, do you have to do anything so that traffic from higher security interface is allowed back in ?

Many thanks

5 Replies

Andrew Phirsov
Level 7

It depends on the protocol you're trying to pass through. By default ASA does basic/layer 4 inspection for all TCP and UDP sessions, plus application inspection (like for FTP) for some of the most used protocols.

If in your test you were talking about ICMP traffic, then ASA doesn't inspect it by default and you should add this for ICMP inspection to work:

policy-map global_policy
 class inspection_default
  inspect icmp
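To put the snippet above in context, and to cover the later question about viewing the state table, here is the surrounding default Modular Policy Framework (MPF) configuration on an ASA together with the commands used to verify that ICMP is now being tracked. This is an added example, not part of Andrew's reply; the interface names and addresses are made-up placeholders, and the class-map/policy-map names are the ASA's factory defaults.

```cisco
! --- Default MPF skeleton that ships on an ASA (shown for context) ---
! The class-map matches the standard set of inspected ports/protocols.
class-map inspection_default
 match default-inspection-traffic
!
! The global policy is where inspections are switched on. Without
! "inspect icmp" an echo-reply arriving on a lower-security interface
! has no connection entry to match and is dropped by the implicit deny.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Apply the policy to every interface (already present by default).
service-policy global_policy global

! --- Verification (constructed interface names / addresses) ---
! 1. Ping from the inside (higher security) host to the outside host,
!    then confirm the ICMP session is in the state table:
show conn protocol icmp
!    Expected form of an entry while the ping runs:
!    ICMP inside 192.0.2.10:1 outside 198.51.100.5:0, idle 0:00:01, bytes 64

! 2. Confirm the inspect counters are incrementing instead of dropping:
show service-policy global_policy inspect icmp

! 3. If a return packet is still dropped, ask the box why (constructed
!    addresses; the real output names the ACL or the missing connection):
packet-tracer input outside icmp 198.51.100.5 0 0 192.0.2.10
```

Design note from a defender's perspective: enabling `inspect icmp` is the correct fix here because it keeps the lower-security interface's default deny in place and only admits replies that match an existing outbound request. The alternative mentioned in the original post, a `permit any any` on the outside interface, opens every inbound flow regardless of state and should be removed once inspection is in place.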

Thank you!!

How can I see the stateful table or ACL created for it?

Also, is zone-based firewall a concept for IOS and not ASA? If so, this means the ASA does not support context-based filtering.

To list all the current connections in the state table you can use the command show conn.

Right, ZBPF (ZFW) is a concept applicable to the IOS routers, not the ASA. For the part related to the "context based filtering" - I'm not sure that I understand what you're talking about). Most of the stateful/application inspection functionality available for ZBPF is available for the ASA, so there's not much difference between the two. Just some different logic and syntax, not functionality. ASA actually supports what they call "context-aware filtering" (ASA-CX) but I don't think you meant this.

Sorry, I meant to say CBAC.

Many thanks for clarifying.

You're welcome. CBAC is the engine that ZBPF uses for inspection. ZBPF is just a framework for implementing CBAC. ASA uses MPF for implementing all the inspection features.
