quick question about interface security levels

nygenx2011
Level 1

As I understand it:

By default, any interface with a higher security level (i.e. 100) is automatically allowed to talk to a lower one (i.e. 40, 0, 20),

and lower is denied to higher.

However, on my ASA

we have an inside interface with a security level of 100 and devices behind that (our inside network)

trying to talk to a server in the app DMZ (level 20),

and it is denied by the inside interface ACL.

Only when I apply the ACL to allow our inside host to talk to the DMZ server will this go through.

That doesn't make sense. Shouldn't it be allowed by default even though there is an implicit deny any rule at the end of the rule set?


nygenx2011 wrote:

and it is denied by the inside interface ACL.

Only when I apply the ACL to allow our inside host to talk to the DMZ server will this go through.

That doesn't make sense. Shouldn't it be allowed by default even though there is an implicit deny any rule at the end of the rule set?

Hi Richard,

You are right: by default, the traffic from a higher sec level to a lower sec level is permitted. This means if there is no access-list applied.

If you apply the access-list, this doesn't cover the default behavior, and you should permit the traffic that you need to pass.

So the FW reaction is as expected.

Dan
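To make Dan's point concrete, here is a small model of the ASA forwarding decision as an added example for this thread (it is not Cisco code and not from either poster). It encodes the rule the reply describes: once an access-group is applied inbound on the ingress interface, that ACL alone decides, ending in an implicit deny; the higher-to-lower security-level rule is only consulted when no ACL is applied. Interface names, security levels, networks and addresses are constructed sample values.

```python
"""Model of the Cisco ASA inbound forwarding decision (added illustration, not Cisco code).

Rule modelled:
  1. If an ACL is applied inbound on the ingress interface, the first matching
     entry decides; if nothing matches, the implicit deny at the end applies.
  2. Only when NO ACL is applied does the interface security-level comparison
     apply: higher -> lower is permitted, lower -> higher is denied.
All interface names, levels and addresses below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Ace:
    """One access-list entry (constructed, modelled on ASA extended ACL fields)."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int] = None

    def matches(self, flow: "Flow") -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if ip_address(flow.src) not in ip_network(self.src):
            return False
        if ip_address(flow.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == flow.dport


@dataclass
class Interface:
    name: str
    level: int
    network: str
    acl_in: Optional[List[Ace]] = None   # None = no access-group applied inbound


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


class Asa:
    def __init__(self, interfaces: List[Interface]):
        self.interfaces = interfaces

    def _iface_for(self, addr: str) -> Interface:
        for iface in self.interfaces:
            if ip_address(addr) in ip_network(iface.network):
                return iface
        raise ValueError(f"no interface routes {addr}")

    def decide(self, flow: Flow) -> str:
        ingress = self._iface_for(flow.src)
        egress = self._iface_for(flow.dst)
        # Step 1: an applied ACL replaces the security-level default entirely.
        if ingress.acl_in is not None:
            for ace in ingress.acl_in:
                if ace.matches(flow):
                    return f"{ace.action} (matched acl entry on {ingress.name})"
            return f"deny (implicit deny at end of acl on {ingress.name})"
        # Step 2: no ACL, so the security levels decide.
        if ingress.level > egress.level:
            return "permit (higher to lower security level, no acl applied)"
        return "deny (lower or equal security level, no acl applied)"


# Constructed topology: inside 100, app DMZ 20, outside 0.
INSIDE_NET, DMZ_NET, OUTSIDE_NET = "10.1.1.0/24", "172.16.20.0/24", "203.0.113.0/24"
INSIDE_TO_DMZ = Flow("tcp", "10.1.1.50", "172.16.20.10", 8080)
DMZ_TO_INSIDE = Flow("tcp", "172.16.20.10", "10.1.1.50", 445)


def build_asa(inside_acl: Optional[List[Ace]]) -> Asa:
    return Asa([
        Interface("inside", 100, INSIDE_NET, acl_in=inside_acl),
        Interface("dmz", 20, DMZ_NET),
        Interface("outside", 0, OUTSIDE_NET),
    ])


def decide_without_acl() -> str:
    """No access-group on inside: the level 100 -> 20 default permits."""
    return build_asa(None).decide(INSIDE_TO_DMZ)


def decide_with_acl_missing_dmz() -> str:
    """The poster's situation: an inside ACL that only covers outbound web."""
    acl = [Ace("permit", "tcp", INSIDE_NET, OUTSIDE_NET, 443)]
    return build_asa(acl).decide(INSIDE_TO_DMZ)


def decide_with_acl_permitting_dmz() -> str:
    """Dan's fix: add an explicit entry for the DMZ server to the inside ACL."""
    acl = [
        Ace("permit", "tcp", INSIDE_NET, OUTSIDE_NET, 443),
        Ace("permit", "tcp", INSIDE_NET, DMZ_NET, 8080),
    ]
    return build_asa(acl).decide(INSIDE_TO_DMZ)


def decide_dmz_to_inside_no_acl() -> str:
    """Lower -> higher with no ACL stays denied, as the poster expected."""
    return build_asa(None).decide(DMZ_TO_INSIDE)


if __name__ == "__main__":
    for fn in (decide_without_acl, decide_with_acl_missing_dmz,
               decide_with_acl_permitting_dmz, decide_dmz_to_inside_no_acl):
        print(f"{fn.__name__:32s} -> {fn()}")
```

Running it shows the three states the thread walks through: no ACL on inside permits the DMZ flow by level, an inside ACL that omits the DMZ server denies it through the implicit deny, and adding the explicit entry permits it again. When hardening an inside interface with an ACL, the entries that used to be implied by the security level (inside to every lower-level segment) have to be written out, and anything not written becomes a deny.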

thank you!
