07-27-2009 07:06 AM - edited 03-11-2019 08:59 AM
Hi Experts,
If there are multiple sub interfaces and vlans are created with different security levels
Will the traffic flows from high security level interface to low security level interface?.
What is the case if we have the acls in place?
Thanks in advance
Regards,
Madan.
Solved! Go to Solution.
07-27-2009 08:15 AM
Madan,
The ASA always allows traffic from higher to lower by default. If you have ACLs in place, then you'll need to allow the traffic through.
For example, if you have an ACL applied to the inside interface and the inside interface has a security level of 100, then that ACL will need to allow what you want out. If you want users to be able to surf the web, but nothing else, your acl will allow port 80 out, but deny everything else.
HTH,
John
07-27-2009 09:06 AM
Depends on what you are trying to do with your acl.
There is an implicit deny at the end of an acl so anything not explicitly permitted or denied in your acl will be dropped.
Jon
07-27-2009 08:15 AM
Madan,
The ASA always allows traffic from higher to lower by default. If you have ACLs in place, then you'll need to allow the traffic through.
For example, if you have an ACL applied to the inside interface and the inside interface has a security level of 100, then that ACL will need to allow what you want out. If you want users to be able to surf the web, but nothing else, your acl will allow port 80 out, but deny everything else.
HTH,
John
07-27-2009 09:00 AM
Thanks for your valuable input.
Do we need Explicit deny statement in acl?
07-27-2009 09:06 AM
Depends on what you are trying to do with your acl.
There is an implicit deny at the end of an acl so anything not explicitly permitted or denied in your acl will be dropped.
Jon
07-27-2009 09:11 AM
In addition to what Jon said, if you use a permit any at the end of your acl and want to deny traffic, you'll need a deny line before the permit any.
deny ip 192.168.1.0 255.255.255.0 any eq 80
permit ip any any
This would deny 192.168.1.0 subnet from getting on the web, but it would allow them to go everywhere else like mail, etc. After the "permit ip any any" line is an "invisible" deny ip any any line. You can't see it but it's there. I normally put a deny ip any any at the end so I can see what I'm actually blocking hit-count wise.
John
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide