02-25-2013 07:11 AM - edited 03-11-2019 06:05 PM
Hi All,
I am relatively new to ASAs and I had a quick and simple question:
I have found that an outside interface with security level 0 will block everything unless object-groups and ACLs specify otherwise. However, keeping with the idea that security level 100 on an inside interface can pass traffic to a security-level 0 interface since it is trusted, I am assuming that ACLs and object-groups for the Inside_to_Outside flow are not necessary / used at the engineer's discretion for traffic to pass.
Can someone verify if this is correct?
02-25-2013 01:19 PM
Hi,
The "security-level" of the interface will control where the traffic can flow through the firewall for as long as the interface has no ACL attached to it. As soon as you attach an ACL to the interface, the ACL will specify what can pass. At that point the "security-level" will have close to no meaning.
There are some situations that will require some additional commands also.
For example, situations where the source and destination interfaces are configured with identical "security-level" values, or the traffic is entering and leaving the same interface.
Notice that in the case where you have 2 interfaces with identical "security-level" values, even if you permit all traffic it still won't pass unless you configure the corresponding command mentioned above.
There is also a command related to VPN which changes the ACL behaviour for traffic entering from a VPN connection to the ASA (past the ASA to some LAN, for example).
The default setting for VPN connections is that they bypass the "outside" interface ACL check. To change this behaviour and to control entering VPN traffic on the "outside" interface ACL, you can use the command "no sysopt connection permit-vpn".
The default setting is "sysopt connection permit-vpn". It doesn't show in the CLI configuration when it's on that default setting. The "no" form of the command does show.
Hopefully the information was helpful.
Feel free to ask more
- Jouni
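An ASA configuration fragment putting the points of the answer above side by side (security-level-only flow from inside, an outside ACL that replaces the security-level rule, the same-security-traffic commands and the VPN ACL bypass). This is an added example, not configuration from the thread; the interface names, addresses, port list and the OUTSIDE_IN / DMZ_WEB names are assumed.

```cisco
! Added example (not from the thread): interface names, subnets,
! object-group and ACL names are assumed values.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dmz2
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! No ACL on "inside": connections from level 100 to any lower level are
! allowed by security level alone; return traffic is allowed statefully.
!
! An ACL on "outside" replaces the security-level rule for that interface:
! only what it permits may initiate a connection inbound.
object-group service DMZ_WEB tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.2.10 object-group DMZ_WEB
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! dmz and dmz2 share security-level 50: traffic between them is dropped
! until this is enabled, even when an ACL permits it.
same-security-traffic permit inter-interface
!
! Traffic that enters and leaves the same interface needs this.
same-security-traffic permit intra-interface
!
! Default (hidden in running-config) is "sysopt connection permit-vpn",
! which lets decrypted VPN traffic bypass the outside ACL. The "no" form
! makes OUTSIDE_IN apply to VPN traffic as well and is shown in the config.
no sysopt connection permit-vpn
```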