Showing results for 
Search instead for 
Did you mean: 

Don't ACLs override Security level?

NInja Black
Level 1
Level 1


 Being a call center we use softphones to make calls running on SIP.

Though the ACLs are in place, keeping the outside interface to security level '0' seems to be hindering softphone application. The softphone does not load properly.

I cant figure out if it has to do with JAVA or the  ASA. Currently it is on security level 100 and no issues.

Could someone please explain me what might be going on?

If ACLs are permitting IP traffic how can security level at 0 make a difference as my understanding id ACLs override security level.

The sip traffic is being inspected too. Do I need to create a separate policy map for SIP?



4 Replies 4

Level 3
Level 3



The ACLs do override the security level.

What version are you running, it could be a NAT issue.

Have you tested with packet tracer?

Also, did you allow all ports on the ACL, there could be child connections on different ports, what do you see on the logs?





ASA 5515, Software Version 8.6(1)2.

No NAT configured on the Firewall. FW is behind the router (Cisco ISR 3925). The router is doing NAT.

I will test changing Sec lev to '0' tonight and monitor syslog output. I am not much into packet tracer.

None of the ports are being blocked by the ACLs.

FW has permit ip commands ('ip' should include sip's both tcp/udp connections right). The embryonic connections shouldn't be blocked. By stateful inspection property these connections should be included in the return traffic, or do I need to allow them on the outside incoming ACL?

As I have included 'inspect sip' in the global policy all related connections should be allowed.




I didn't get a chance to test as I was busy with other work. Will get back on it soon.

By the way you mentioned it could be a NATing issue.

The NATing on the router is little messed up. Unnecessary NAT command. Dont know who configured it.

How can NAT effect it anyway? Please explain.

I appreciate yout time Felipe.



What I meant by NAT issue is that it could be hitting the wrong NAT rule or asymmetric NAT.

You can confirm the proper NAT and ACL are being used with the packet tracer:

packet-tracer input [src_int] protocol src_addr src_port dest_addr  dest_port



packet-tracer input outside tcp 10.x.x.x 1025 192.168.x.x 2000







Remember to rate useful posts.

Review Cisco Networking for a $25 gift card