05-10-2013 11:59 AM - edited 03-11-2019 06:41 PM
On the ASAs I know higher security levels can access lower security levels. Does that all change once an access list is applied to the higher-level interface? For instance, I have an inside interface within the 172.16.1.0/24 network. The inside interface has a security level of 100 while the outside is at 0. If I put an access list on the inside interface that permits the whole 172.16.1.0/24 network to any destination using TCP 80 and 443, does that mean that now that is the only traffic that can pass from the inside because the implicit deny all would block all other traffic? Would you now not be able to access an FTP source on the internet from the inside interface unless you added FTP to the permit statement?
05-10-2013 12:02 PM
Hi,
Yes, it's just like that.
The "security-level" of the interface is valid only as long as the interface is without ACL attached to it.
As soon as you attach an ACL to the interface, that ACL has to be used to define what traffic is allowed and what is denied.
There are some special cases also related to the "security-level".
In cases where you want to allow traffic to enter and leave the same interface you will need the "same-security-traffic permit intra-interface". Even if your ACL allowed the traffic, lacking this configuration would still block the traffic.
Also, in situations where you have 2 interfaces with equal "security-level" you will need the configuration command "same-security-traffic permit inter-interface" to allow that traffic.
- Jouni
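As an added illustration (not from the thread, and not Cisco's own documentation), here is what the questioner's scenario and the two special cases named in the answer look like in ASA configuration. The interface names, the outside address and the ACL name are assumed; the 172.16.1.0/24 network, ports 80/443 and the FTP case are taken from the question.

```cisco
! Added example configuration, not from the thread. Interface names, the
! outside address and the ACL name INSIDE_IN are assumed.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Before an ACL is bound to "inside", security-level 100 -> 0 lets everything out.
! Once INSIDE_IN is bound below, only what it permits leaves "inside"; every other
! flow is dropped by the implicit deny at the end of the list.
access-list INSIDE_IN extended permit tcp 172.16.1.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit tcp 172.16.1.0 255.255.255.0 any eq 443
!
! FTP to the internet is now blocked unless it is permitted explicitly.
! Only the control channel (21) needs an entry: the default global policy's
! "inspect ftp" opens the data connection for you.
access-list INSIDE_IN extended permit tcp 172.16.1.0 255.255.255.0 any eq 21
!
! The implicit deny is invisible in the running config. An explicit final deny
! with "log" makes the drops show up as hit counts in "show access-list INSIDE_IN"
! and in syslog, which is the quickest way to find out what else was relying on
! the old security-level behaviour.
access-list INSIDE_IN extended deny ip any any log
!
access-group INSIDE_IN in interface inside
!
! The answer's two special cases. Traffic that enters and leaves the same
! interface, and traffic between two interfaces that share a security-level,
! is dropped regardless of the ACL until these are enabled.
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
```

The `access-group ... in interface inside` line is the moment the behaviour changes: everything above it is just an unused list. When reviewing an ASA, checking which interfaces have an `access-group` bound (and which do not) tells you where the security-level shortcut still applies.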
05-10-2013 12:07 PM
Thanks for the reply. That answers my question.