ASA Zones

I just got to work with an ASA in production running 8.x OS and I saw a strange thing. DMZ is assigned security level 70 while outside is 0. While doing packet-tracer from DMZ to an Outside IP, it gives me a drop-by-ACL message (tcp/icmp), while it should pass, as the data is going from a higher security level to a lower one. Once I configure an ACL it starts working properly, although I feel there is no need for an ACL. There are also STATIC identity NAT statements for the IP addresses/servers I am willing to communicate with.

Maykol Rojas
Cisco Employee
Hi,

Would you please paste your packet tracer output? Also, which 8.x code? We have 8.0, 8.1, 8.2 (and the ones where NAT changes) 8.3 and 8.4.

Mike

Thanks for the reply.

It's 8.2(1). The same OS is running on another firewall and it seems to function fine.

ASA#  packet-tracer input DMZ_DB  tcp 172.30.17.2 80 172.20.6.1 80

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   172.20.6.0      255.255.255.0   Outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:      

input-interface: DMZ_DB

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

I have just noticed that there is no service-policy global_policy global in the config. There is a default policy-map configured but not applied. Zones work using interface security level and inspection policy, and since there is no inspection policy applied, this can be the reason why traffic is not moving from higher security level to lower.

Am I on the right track?
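Added example (not part of the original thread and not Cisco tooling): a small Python parser for the packet-tracer output format pasted above, tolerant of double-spaced copies, that reports the first phase returning DROP and whether it matched the implicit rule. The function names and the abbreviated sample trace are constructed for illustration.

```python
# Constructed sample, abbreviated from the trace shape in the post above.
SAMPLE = """Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in   172.20.6.0      255.255.255.0   Outside
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:

Implicit Rule
Additional Information:
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
PHASE_KEYS = {"Type", "Subtype", "Result", "Config", "Additional Information"}

def parse_trace(text):
    """Split packet-tracer text into per-phase dicts plus the final summary."""
    phases, summary, cur, field, in_summary = [], {}, None, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue  # pasted traces are often double-spaced
        key, sep, val = (part.strip() for part in line.partition(":"))
        if key == "Phase" and val.isdigit():
            cur, field, in_summary = {"Phase": int(val)}, None, False
            phases.append(cur)
        elif key == "Result" and sep and not val:
            in_summary, field = True, None  # a bare "Result:" opens the summary
        elif in_summary and sep:
            summary[key] = val
        elif cur is not None and sep and key in PHASE_KEYS:
            cur[key], field = val, key
        elif field:  # continuation line, e.g. "Implicit Rule" under "Config:"
            cur[field] = (cur[field] + "\n" + line).strip()
    return phases, summary

def first_drop(text):
    """Return details of the first DROP phase, or None if every phase allows."""
    phases, summary = parse_trace(text)
    for p in phases:
        if p.get("Result") == "DROP":
            return {"phase": p["Phase"], "type": p.get("Type", ""),
                    "implicit": "Implicit Rule" in p.get("Config", ""),
                    "reason": summary.get("Drop-reason", "")}
    return None

print(first_drop(SAMPLE))
```
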

Mmmmm,

You are right on how the security levels work; however, inspections are not required (they are recommended, but not required). Can you turn on logging at debugging level and see what shows up when you try to make a connection?

Better yet, sh run access-group.

To configure logging:

logging buffered debugging

logging on

Show log (once you do the connection)

Mike

Thanks Mike, I will try that out. It's a production device, so I can't do much debugging on it. I do have a planned downtime coming in a few weeks, where I will test this.