Scott Pickles
Enthusiast

Do Security-Levels Still Apply with An ACL Applied

When an ASA is fresh out of the box, the interfaces do not have any ACLs applied and the firewall enforces the security-levels.  Once an ACL is applied, do the security-levels still apply?  As an example, if I want to permit RDP from an inside interface (security-level 100) to a dmz interface (security-level 50) do I need the ACL on the inside interface in the inbound direction, or will the firewall permit it because it's from a higher security zone to a lower one?  I am NOT inspecting RDP - does the firewall automatically allow the return traffic from dmz to inside, assuming it permitted the flow from high to low?  My understanding is that if I inspect the traffic I don't need the ACL but if I do not inspect the traffic I will need the ACL entry.

Aditya Ganjoo
Cisco Employee

Hi Scott,

Yes you are correct.

If you are inspecting the traffic, the ASA is intelligent enough to open ports (pinholes) to allow the return traffic.

But if you do not inspect the traffic, you have to explicitly allow it on the lower-security interface using an access-list.

Regards,

Aditya

Please rate helpful and mark correct answers

adganjoo

So I don't need an ACL rule on the inside interface inbound due to the "high-to-low" rule, but I still need the ACL on the return because I am not inspecting AND it's "low-to-high"?  The big question is whether or not the security-level rules still apply once an ACL is applied, because I've read elsewhere that once you put the ACL on the interface and the default "deny ip any any" goes into effect, you then need ACEs.  Are you saying that the "high-to-low" rule overrides the implicit "deny ip any any" rule at the end of an ACL?

Hi Scott,

Yes indeed, the security-level rules still apply.

Traffic from a higher to a lower security zone is implicitly allowed.

But if you configure an access-list on the inside interface (or any higher-security-level interface), you are manually putting in a rule/policy to allow/deny traffic.

So you would need ACEs for allowing/denying traffic in that access-list, since you have applied an access-group.

As per the packet flow, the traffic hits the ingress interface and is checked against any access-list; if it is allowed, it traverses to the egress interface.

Regards,

Aditya

Please rate helpful and mark correct answers

Hi Scott,

If you apply an ACL at the interface level, traffic will no longer be passed on the basis of security levels, even if your interface is configured with security level 100 (or you could say the ASA loses its default behaviour), until you explicitly allow the traffic. You must allow the traffic in the interface-level ACL.

Sr Network Engineer
Freelancer
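As an added illustration (not from the thread and not Cisco's code), a small Python model of the first-packet decision the replies describe: with no access-group on the ingress interface the security-level comparison decides, and once an access-group is applied only the ACEs and the implicit deny at the end of the list decide. Interface names, security levels, networks and the RDP port are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto: str, sip: str, dip: str, dport: int) -> bool:
        proto_ok = self.proto in ("ip", proto)
        addr_ok = ip_address(sip) in ip_network(self.src) and ip_address(dip) in ip_network(self.dst)
        return proto_ok and addr_ok and self.dport in (None, dport)

@dataclass
class Interface:
    nameif: str
    security_level: int                  # as in 'security-level 100'
    acl_in: Optional[List[Ace]] = None   # None = no 'access-group ... in interface'

def first_packet_decision(ingress: Interface, egress: Interface,
                          proto: str, sip: str, dip: str, dport: int):
    """Verdict and reason for the first packet of a NEW flow entering 'ingress'. Not
    modelled: existing connection-table entries and same-security inter-interface traffic."""
    if ingress.acl_in is None:
        if ingress.security_level > egress.security_level:
            return "permit", "no ACL on ingress: higher-to-lower is implicitly allowed"
        return "deny", "no ACL on ingress: lower/equal-to-higher is implicitly denied"
    for n, ace in enumerate(ingress.acl_in, start=1):  # first match wins
        if ace.matches(proto, sip, dip, dport):
            return ace.action, f"matched ACE {n} of the access-group on {ingress.nameif}"
    return "deny", "access-group present: implicit 'deny ip any any' at end of ACL"

# Constructed topology: inside (100) and dmz (50); addresses are assumptions.
DMZ = Interface("dmz", 50)
INSIDE_NO_ACL = Interface("inside", 100)
INSIDE_WITH_ACL = Interface("inside", 100, acl_in=[
    Ace("permit", "tcp", "10.1.1.0/24", "192.168.50.0/24", 3389)])  # RDP to dmz only

def demo() -> dict:
    """Verdicts (permit/deny) for the scenarios discussed in the thread."""
    rdp, ssh = ("tcp", "10.1.1.10", "192.168.50.5", 3389), ("tcp", "10.1.1.10", "192.168.50.5", 22)
    return {"rdp_no_acl": first_packet_decision(INSIDE_NO_ACL, DMZ, *rdp)[0],
            "ssh_no_acl": first_packet_decision(INSIDE_NO_ACL, DMZ, *ssh)[0],
            "rdp_with_acl": first_packet_decision(INSIDE_WITH_ACL, DMZ, *rdp)[0],
            "ssh_with_acl": first_packet_decision(INSIDE_WITH_ACL, DMZ, *ssh)[0],
            "dmz_to_inside_no_acl": first_packet_decision(DMZ, INSIDE_NO_ACL, "tcp", "192.168.50.5", "10.1.1.10", 3389)[0]}
```

Without the access-group everything from inside to dmz is permitted (including SSH here), which is the exposure the explicit ACL removes at the cost of needing an ACE for every flow you still want.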