Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1644
Views
0
Helpful
4
Replies

Do Security-Levels Still Apply with An ACL Applied

Scott Pickles
Level 4
Level 4

‎07-25-2017 06:32 AM - edited ‎03-12-2019 02:44 AM

When an ASA is fresh out of the box, the interfaces do not have any ACLs applied and the firewall enforces the security-levels.  Once an ACL is applied, do the security-levels still apply?  As an example, if I want to permit RDP from an inside interface (security-level 100) to a dmz interface (security-level 50) do I need the ACL on the inside interface in the inbound direction, or will the firewall permit it because it's from a higher security zone to a lower one?  I am NOT inspecting RDP - does the firewall automatically allow the return traffic from dmz to inside, assuming it permitted the flow from high to low?  My understanding is that if I inspect the traffic I don't need the ACL but if I do not inspect the traffic I will need the ACL entry.

Labels:
0 Helpful
4 Replies 4

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎07-25-2017 06:40 AM

Hi Scott,

Yes you are correct.

If you are inspecting the traffic ASA is intelligent enough to open ports (pinholes) to allow return traffic.

But if you do not inspect the traffic you have to explicitly allow traffic on the lower security interface using an access-list.

Regards,

Aditya

Please rate helpful and mark correct answers

0 Helpful

Scott Pickles
Level 4
Level 4
In response to Aditya Ganjoo

‎07-25-2017 06:45 AM

adganjoo  

So I don't need an ACL rule on the inside interface inbound due to the "high-to-low" rule but still need the ACL on the return because I am not inspecting AND it's "low-to-high"?  The big question is whether or not the security-level rules still apply once an ACL is applied because I've read elsewhere that once you put the ACL on the interface and the default "deny ip any any" goes into effect that you now need ACEs.  Are you saying that the "high-to-low" rule overrides the "deny ip any any" implicit rule at the end of an ACL?

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Scott Pickles

‎07-25-2017 07:37 AM

Hi Scott,

Yes indeed the security level rules still apply.

From higher to lower security zone traffic is implicitly allowed.

But if you configure an access-list on the inside interface(or a higher sec level interface) you are manually putting a rule/policy to allow/deny traffic.

So you would need ACE's for allowing/denying traffic on that access-list since you have put in an access-group.

As per the packet flow the traffic would hit the ingress interface and check for any access-list and if it is allowed it will traverse to the egress one.

Regards,

Aditya

Please rate helpful and mark correct answers

0 Helpful

Spooster IT Services
Level 7
Level 7
In response to Scott Pickles

‎07-25-2017 12:28 PM

Hi Scott,

If you applied an ACL at interface level traffic will not passed on the basis of security levels either your interface is configured with security level 100 (or you can say ASA lost his default behaviour) until you explicitly allow the traffic. You must need to allow the traffic in interface level  ACL.

Spooster IT Services Team
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card