3480 Views | 0 Helpful | 3 Replies

Firewall Rules for High to Low Security Level

rmujeeb81
Level 1

Dear All,

I would like to know regarding the firewall rules on ASA 5500 v 8.6: if NAT is not configured (not required) and the firewall is routing the traffic among different interfaces without doing NAT, would firewall rules permitting traffic from a high security level to a lower security level be required as well?

Thanks

3 Replies

Jouni Forss
VIP Alumni

Hi,

If you don't have any interface ACLs configured with the "access-list" and "access-group" commands, then traffic should by default go through from the higher "security-level" interface to the one with the lower "security-level".

Generally it's a good idea to configure an interface ACL from the start, since using "security-level" values only doesn't really give you much flexibility in the long run.

- Jouni

rmujeeb81

Hi Jouni,

Thanks for your response. So it doesn't matter if NAT is configured or not on the ASA (v 8.6), right? The implicit permit rule will be applicable for traffic flow from a high security level to a low security level, without any dependency on the NAT configuration?

Regards,

Jouni Forss (accepted solution)

Hi,

If you have not configured any interface ACLs with the "access-group" command on the interfaces, then the "security-level" value is the only deciding factor in whether traffic is allowed or not.

Naturally, if you configure NAT wrong, then the traffic might drop because of the improper NAT configuration, but that has nothing to do with the access rules.

- Jouni
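To make Jouni's two points concrete (the interface ACL replaces the security-level default once it is bound with "access-group", and no NAT statement is needed for the flow to be evaluated at all), here is an added ASA configuration example. It is not from the thread; the interface names, addresses, ports and the ACL name INSIDE_IN are assumptions for a lab. Part A relies on security levels alone, Part B binds an explicit ACL to the inside interface, and the packet-tracer commands at the end (run from privileged EXEC, not configuration mode) show which rule made the decision for a given flow.

```cisco
! --- Part A (assumed lab config, not from the thread): no interface ACL, no NAT.
! inside (100) -> outside (0) is permitted by security level alone, i.e. every
! inside host can reach every outside destination on every port.
! outside (0) -> inside (100) is dropped unless an ACL on outside permits it.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! --- Part B: an interface ACL bound to inside with access-group.
! From this point the security-level default no longer decides inside -> outside:
! only the listed entries pass, everything else hits the implicit deny at the
! end of the ACL (the explicit "deny ip any any log" just makes the drops visible
! in syslog, which is what you want for detection).
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit udp 192.168.1.0 255.255.255.0 host 203.0.113.53 eq 53
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! --- Checks (privileged EXEC). No NAT phase appears in the trace because no
! "nat" statement exists; the ACCESS-LIST phase shows whether the ACL or the
! security-level default allowed or dropped the flow.
! Expected with Part B applied: HTTPS allowed, telnet dropped by INSIDE_IN.
packet-tracer input inside tcp 192.168.1.10 40000 203.0.113.50 443
packet-tracer input inside tcp 192.168.1.10 40000 203.0.113.50 23
! Expected in both parts: an unsolicited inbound connection to an inside host is
! dropped by the implicit rule, since nothing on outside permits it.
packet-tracer input outside tcp 203.0.113.50 40000 192.168.1.10 22
```

The practical takeaway for the original question: with only Part A in place the answer is "no rules needed, and NAT is irrelevant to that", but the cost is that every outbound port is open; binding an ACL as in Part B is the step that gives you control and log visibility over what leaves the high-security side.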
