04-04-2023 04:50 PM
I understand that setting an ACL is not necessary when traffic goes from high to low security level on the ASA, and communication is possible.
However, when communicating from INSIDE to DMZ, I want to restrict access to the server in the DMZ, so I configure a deny ACL and then an allow ACL with permit ip any any. In terms of ASA operation, is there a difference between the traffic flow based on security level and the flow when everything is permitted with permit ip any any in an ACL?
04-04-2023 04:55 PM
ASA without any ACL (direction IN) config:
ASA permits traffic from a high security level to a low security level.
ASA denies traffic from a low level to a high level.
ASA with ACL (direction IN) config:
ASA permits traffic only if the ACL applied to the ingress interface permits this traffic; otherwise it denies it, whatever its security level.
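The following is an added ASA configuration example (not from the original thread) illustrating the INSIDE-to-DMZ case the question describes. Interface names, security levels, the ACL name INSIDE_IN and the server address 192.0.2.10 are constructed assumptions for illustration.

```cisco
! Constructed example: three interfaces with the usual security levels
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
!
! Block the DMZ server from the inside, then allow everything else.
! ACLs are first-match, so the deny must come before the permit.
! "log" records hits on the deny line so blocked attempts are visible.
access-list INSIDE_IN extended deny ip any host 192.0.2.10 log
access-list INSIDE_IN extended permit ip any any
!
! Once an ACL is bound inbound on "inside", the security level of
! "inside" is no longer consulted for traffic entering it: the ACL
! alone decides, and anything not matched is dropped by the implicit
! deny at the end of the list.
access-group INSIDE_IN in interface inside
!
! Verify hit counts after generating test traffic
show access-list INSIDE_IN
```

No ACL is needed on the dmz interface for the replies: the ASA is stateful, so return traffic for connections it already tracks is allowed back from dmz to inside regardless of security levels or ACLs. The default inspection policy-map is not what permits those replies; it only adds application-layer handling for the listed protocols, so it does not need to change for this ACL.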
04-11-2023 09:25 PM
Thank you for your reply.
・ASA without any ACL (direction IN) config
As I understand it, when traffic goes from high to low, an ACL does not need to be applied on the low security level interface because of the inspection.
・ASA with ACL (direction IN) config
In this case, do I need to apply the config related to the default inspection when the traffic goes back from the low security level to the high one?
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp