ASA Security levels and intervlan routing

Wan_Whisperer
Level 1

Team,

I have several subinterfaces on my ASA. Example below:

interface GigabitEthernet0/0.26
description Cameras 
vlan 26
nameif Cams
security-level 100
ip address 192.168.26.1 255.255.255.0
!
interface GigabitEthernet0/0.25
description Computers
vlan 25
nameif Internal
security-level 50
ip address 192.168.25.1 255.255.255.0

 

A user on VLAN 25 can ping all devices on VLAN 26, but why? Users on security level 50 should not be able to access devices at security level 100, correct?

Thank you for your time.

Richard Burts
Hall of Fame

It is true that by default devices on an interface with a lower security level cannot initiate traffic to devices on a higher security level. But that is subject to the security policies established in your configuration. We do not have information about how your ASA is configured to be able to assess your security policies.

HTH

Rick

Below are my configs :)

Result of the command: "sho run"

: Saved

:
: Serial Number: FCH164479D1
: Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
:
ASA Version 9.10(1)
!
hostname NYC
domain-name NYC
enable password ***** pbkdf2
names
no mac-address auto
ip local pool AnyConnect_IPs 10.4.4.220-10.4.4.240 mask 255.255.255.0

!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.25
description VLAN 25
vlan 25
nameif Doors
security-level 50
ip address 192.168.25.1 255.255.255.0
!
interface GigabitEthernet0/0.34
description VLAN 34
vlan 34
nameif Cams
security-level 100
ip address 192.168.34.1 255.255.255.0
!
interface GigabitEthernet0/0.50
description VLAN 50
vlan 50
nameif Lab
security-level 50
ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/0.51
description VLAN 51
vlan 51
nameif Bench
security-level 100
ip address 192.168.51.1 255.255.255.0
!
interface GigabitEthernet0/0.69
description VLAN 69
vlan 69
nameif NYC_Internal
security-level 50
ip address 10.4.4.1 255.255.255.0
!
interface GigabitEthernet0/0.75
description VLAN 75
vlan 75
nameif Team_Access
security-level 100
ip address 192.168.75.1 255.255.255.0
!
interface GigabitEthernet0/0.99
description VLAN 99
vlan 99
nameif NJ_VPN_NET
security-level 50
ip address 10.5.5.1 255.255.255.0
!
interface GigabitEthernet0/0.100
description VLAN 100
vlan 100
nameif Game_Room
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1
description To_Fox
shutdown
nameif Fox
security-level 0
ip address X.X.X.210 255.255.255.248
!
interface GigabitEthernet0/2
description To_AOL
nameif AOL
security-level 0
ip address X.X.X.50 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.6.4.29 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name NYC
same-security-traffic permit inter-interface
object network NYCPrivateOne
subnet 172.21.0.0 255.255.255.0
description VLAN 11
object network NYCPrivateTwo
subnet 172.21.1.0 255.255.255.0
description VLAN 10
object network NJ_Private
subnet 172.21.2.0 255.255.255.0
description VVLAN 10
object network NETWORK_OBJ_10.4.4.0_24
subnet 10.4.4.0 255.255.255.0
object network Doors
host 192.168.25.2
description Doors
object network Access_Control_RDP
host 192.168.34.2
description Access_Control_RDP
object network Bpimp_RDP
host 10.4.4.11
description Bpimp_RDP
object network Mjorden_RDP
host 10.4.4.12
description Mjorden_RDP
object network PRTG_2wayQOS_NJ
host 10.4.4.202
description PRTG_2wayQOS_NJ
object network Doors_RDP
host 10.4.4.203
description Doors_RDP
object service RDPng
service tcp source eq 3389
object network NETWORK_OBJ_10.4.4.192_26
subnet 10.4.4.192 255.255.255.192
object network AnyConnect_DHCP
range 10.4.4.220 10.4.4.240
object network NYC_Vlan-110
subnet X.X.X..0 255.255.254.0
description Vlan110
object network NYC_Vlan-113
subnet X.X.113..0 255.255.255.0
description Vlan113
object network NYC_Vlan-114
subnet X.X.114.0 255.255.255.0
description Vlan114
object network NYC_Vlan-120
subnet X.X.78.0 255.255.255.0
description Vlan120
object network NYC_Vlan-130
subnet X.X..79.0 255.255.255.0
description Vlan130
object network NYC_Vlan-30
subnet X.X.81.0 255.255.255.0
description Vlan30
object network NYC_Vlan-60
subnet X.X.83.0 255.255.255.0
description Vlan30
object network NYC_Vlan-70
subnet X.X.82.0 255.255.255.0
description Vlan70
object network Route_IPs
subnet X.X.112.0 255.255.255.0
description IP used for devices for routing
object network Route_IPs-2
subnet X.X.119.0 255.255.255.0
description IP used for devices for routing
object network NJ_Vlan-50and51and52
subnet X.X.252.0 255.255.255.0
description Vlan50and51and52
object network NJ_Vlan-53
subnet X.X.253.0 255.255.255.0
description Vlan53
object network NJ_Vlan-54
subnet X.X.254.0 255.255.255.0
description Vlan54
object network NJ_Vlan-55
subnet X.X.255.0 255.255.255.0
description Vlan55
object network NJ_Vlan-56
subnet X.X.118.0.0 255.255.255.0
description Vlan56
object network NYC_Vlan-12
subnet 172.21.10.0 255.255.255.0
description Test-Net
object-group network DM_INLINE_NETWORK_1
network-object 10.4.4.0 255.255.255.0
network-object 10.5.5.0 255.255.255.0
network-object 192.168.51.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object object NYCPrivateOne
network-object object NYCPrivateTwo
object-group network Internal
description NoKo_Internals
network-object 10.4.4.0 255.255.255.0
network-object 10.5.5.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
network-object 192.168.34.0 255.255.255.0
network-object 192.168.50.0 255.255.255.0
network-object 192.168.51.0 255.255.255.0
network-object 192.168.75.0 255.255.255.0
network-object object Doors
object-group service RDP tcp-udp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group network NYC_Internals
network-object object NYCPrivateOne
network-object object NYCPrivateTwo
network-object object NYC_Vlan-12
object-group network AnyConnect_DHCP_NOG
network-object object AnyConnect_DHCP
object-group network DM_INLINE_NETWORK_3
group-object NYC_Internals
network-object object NJ_Private
object-group network ALL_NYC_IPs_PUBANDPRIV
description This is used for split tunneling. It includes all NYC IPs
network-object 10.4.4.0 255.255.255.0
network-object 10.5.5.0 255.255.255.0
network-object 10.6.4.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
network-object 192.168.25.0 255.255.255.0
network-object 192.168.34.0 255.255.255.0
network-object 192.168.50.0 255.255.255.0
network-object 192.168.51.0 255.255.255.0
network-object 192.168.75.0 255.255.255.0
network-object x.x..73.0 255.255.255.0
network-object x.x.215.208 255.255.255.248
network-object object NYCPrivateOne
network-object object NYCPrivateTwo
network-object object NYC_Vlan-110
network-object object NYC_Vlan-113
network-object object NYC_Vlan-114
network-object object NYC_Vlan-120
network-object object NYC_Vlan-130
network-object object NYC_Vlan-30
network-object object NYC_Vlan-60
network-object object NYC_Vlan-70
network-object object Access_Control_RDP
network-object object AnyConnect_DHCP
network-object object Doors
network-object object Doors_RDP
network-object object Bpimp_RDP
network-object object Mjorden_RDP
network-object object NETWORK_OBJ_10.4.4.0_24
network-object object NETWORK_OBJ_10.4.4.192_26
network-object object PRTG_2wayQOS_NJ
network-object object Route_IPs
network-object object Route_IPs-2
network-object object NJ_Private
network-object object NJ_Vlan-50and51and52
network-object object NJ_Vlan-53
network-object object NJ_Vlan-54
network-object object NJ_Vlan-55
network-object object NJ_Vlan-56
access-list AOL_cryptomap extended permit ip object-group Internal object-group NYC_Internals
access-list AOL_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list global_access extended permit ip any any
access-list global_access extended permit icmp any any
access-list AOL_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list AOL_cryptomap_2 extended permit ip object-group Internal object NJ_Private
access-list AOL_mpc extended permit tcp any any eq ssh
pager lines 24
logging enable
logging asdm informational
mtu Doors 1500
mtu Cams 1500
mtu Lab 1500
mtu Bench 1500
mtu NYC_Internal 1500
mtu Team_Access 1500
mtu NJ_VPN_NET 1500
mtu Game_Room 1500
mtu Fox 1500
mtu AOL 1500
mtu management 1500
no failover
no monitor-interface Doors
no monitor-interface Cams
no monitor-interface Lab
no monitor-interface Bench
no monitor-interface NYC_Internal
no monitor-interface Team_Access
no monitor-interface NJ_VPN_NET
no monitor-interface Game_Room
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (NYC_Internal,AOL) source static Internal Internal destination static NJ_Private NJ_Private
nat (NYC_Internal,AOL) source static Internal Internal destination static NYC_Internals NYC_Internals
nat (NYC_Internal,AOL) source static any any destination static NETWORK_OBJ_10.4.4.192_26 NETWORK_OBJ_10.4.4.192_26 no-proxy-arp route-lookup
nat (AOL,AOL) source static AnyConnect_DHCP_NOG AnyConnect_DHCP_NOG destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 no-proxy-arp
!
object network Bpimp_RDP
nat (NYC_Internal,AOL) static interface service tcp 3389 51550
object network Mjorden_RDP
nat (NYC_Internal,AOL) static interface service tcp 3389 55055
!
nat (any,AOL) after-auto source dynamic Internal interface
access-group AOL_access_in in interface AOL
access-group global_access global
route AOL 0.0.0.0 0.0.0.0 x.x.73.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 10.4.4.0 255.255.255.0 management
http 10.6.4.0 255.255.255.0 management
http 10.4.4.0 255.255.255.0 NYC_Internal

no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map AOL_map 1 match address AOL_cryptomap
crypto map AOL_map 1 set peer X.94.x.226
crypto map AOL_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map AOL_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map AOL_map 2 match address AOL_cryptomap_1
crypto map AOL_map 2 set peer 192.81.80.1
crypto map AOL_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map AOL_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map AOL_map 3 match address AOL_cryptomap_2
crypto map AOL_map 3 set peer X.X.119..1
crypto map AOL_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map AOL_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map AOL_map interface AOL
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable AOL
crypto ikev1 enable AOL
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 10.4.4.0 255.255.255.0 management
ssh 10.6.4.0 255.255.255.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.25.140-192.168.25.150 Doors
dhcpd dns 8.8.8.8 8.8.4.4 interface Doors
dhcpd lease 86400 interface Doors
dhcpd enable Doors
!
dhcpd address 192.168.34.10-192.168.34.50 Cams
dhcpd dns 8.8.8.8 8.8.4.4 interface Cams
dhcpd lease 86400 interface Cams
dhcpd enable Cams
!
dhcpd address 192.168.51.10-192.168.51.254 Bench
dhcpd dns 8.8.8.8 8.8.4.4 interface Bench
dhcpd lease 86400 interface Bench
dhcpd enable Bench
!
dhcpd address 10.4.4.20-10.4.4.199 NYC_Internal
dhcpd dns 10.4.4.201 10.4.4.202 interface NYC_Internal
dhcpd wins 10.4.4.201 10.4.4.202 interface NYC_Internal
dhcpd lease 86400 interface NYC_Internal
dhcpd enable NYC_Internal
!
dhcpd address 192.168.75.50-192.168.75.200 Team_Access
dhcpd dns 8.8.8.8 8.8.4.4 interface Team_Access
dhcpd lease 86400 interface Team_Access
dhcpd enable Team_Access
!
dhcpd address 10.5.5.10-10.5.5.30 NJ_VPN_NET
dhcpd dns 8.8.8.8 8.8.4.4 interface NJ_VPN_NET
dhcpd lease 86400 interface NJ_VPN_NET
dhcpd enable NJ_VPN_NET
!
dhcpd address 192.168.100.100-192.168.100.200 Game_Room
dhcpd dns 8.8.8.8 8.8.4.4 interface Game_Room
dhcpd lease 86400 interface Game_Room
dhcpd enable Game_Room
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable AOL
anyconnect-essentials
anyconnect image disk0:/anyconnect-linux64-4.7.03052-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.7.03052-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-win-4.7.03052-webdeploy-k9.pkg 3
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_X.94.x.226 internal
group-policy GroupPolicy_X.94.x.226 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_Remote internal
group-policy GroupPolicy_Remote attributes
wins-server value 10.4.4.202
dns-server value 10.4.4.201
vpn-tunnel-protocol ssl-client
default-domain value NYC
group-policy GroupPolicy_X.X.119..1 internal
group-policy GroupPolicy_X.X.119..1 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy

tunnel-group X.94.x.226 type ipsec-l2l
tunnel-group X.94.x.226 general-attributes
default-group-policy GroupPolicy_x.94.0.226
tunnel-group X.94.x.226 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group X.X.119..1 type ipsec-l2l
tunnel-group X.X.119..1 general-attributes
default-group-policy GroupPolicy_X.X.119..1
tunnel-group X.X.119..1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
address-pool AnyConnect_IPs
default-group-policy GroupPolicy_Remote
tunnel-group Remote webvpn-attributes
group-alias Remote enable
!
class-map inspection_default
match default-inspection-traffic
class-map AOL_SSH_Class
match access-list AOL_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map AOL_SSH_policy
description Extend_SSH_TimeOut_To_3hr
class AOL_SSH_Class
set connection timeout idle 72:00:00 reset
!
service-policy global_policy global
service-policy AOL_SSH_policy interface AOL
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d0d9e3c994fdffdb1e8c80df83a10110
: end

Hi,


Security levels offer a default access-control mechanism (high-to-low is allowed, low-to-high is disallowed, same-to-same is disallowed), so that you have a default security policy in place instead of blocking everything or allowing everything.

However, the moment you apply an ACL inbound on an interface, all traffic coming inbound on that interface is subject to that ACL; the security level of the interface is ignored for ingress traffic. Likewise, when you apply a global ACL, all traffic flowing ingress on all interfaces is subject to the global ACL, so it is as if all security levels are ignored.

You have a global ACL applied which allows all IP traffic:

access-list global_access extended permit ip any any
access-list global_access extended permit icmp any any
access-group global_access global


Regards,

Cristian Matei.
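
As an added example, not part of this thread and not a Cisco tool, the following Python models the decision Cristian describes: when an interface ACL or a global ACL is bound, the ACLs decide (interface ACL first, then global, first match wins, then implicit deny) and the security levels are not consulted; when no ACL is bound at all, the levels decide. It parses a constructed, trimmed copy of the posted "show run" (the Doors and Cams interfaces, their levels and subnets, and the global_access lines are taken from the thread; named objects are not resolved and are treated as non-matching, which is a simplification of this model) and also flags any bound "permit ip any any" entry, which is the check that would have found the cause here.

```python
"""Added example, not from the thread: model the ASA new-connection decision (interface ACL,
then global ACL, then implicit deny; security levels only when no ACL is bound) and flag
'permit ip any any'. SAMPLE_CONFIG is a constructed, trimmed copy of the thread's 'show run'."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
SAMPLE_CONFIG = """
interface GigabitEthernet0/0.25
 nameif Doors
 security-level 50
 ip address 192.168.25.1 255.255.255.0
!
interface GigabitEthernet0/0.34
 nameif Cams
 security-level 100
 ip address 192.168.34.1 255.255.255.0
!
same-security-traffic permit inter-interface
access-list global_access extended permit ip any any
access-list global_access extended permit icmp any any
access-group global_access global
"""

def _addr(tok):
    """Consume one ACL address spec; None marks a named object this model does not resolve."""
    try:
        if tok[0] in ("any", "any4"):
            return ANY, tok[1:]
        if tok[0] in ("object", "object-group"):
            return None, tok[2:]
        return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]
    except (ValueError, IndexError):  # unknown form (e.g. protocol object-group): unresolved
        return None, tok[1:]

def parse_config(text):
    """Return (interfaces, acls, bindings) for the subset of 'show run' modelled here."""
    ifaces, acls, cur = {}, {}, {}
    bind = {"interface": {}, "global": None, "same_sec": False}
    for raw in text.splitlines() + ["!"]:
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            if "name" in cur:
                ifaces[cur["name"]] = cur
            cur = {}
        elif line.startswith("nameif "):
            cur["name"] = line.split()[1]
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            cur["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif (m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line)):
            src, rest = _addr(m.group(4).split())
            dst, _ = _addr(rest)
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), src, dst))
        elif line.startswith("access-group "):
            p = line.split()
            if p[-1] == "global":
                bind["global"] = p[1]
            elif p[2:4] == ["in", "interface"]:
                bind["interface"][p[4]] = p[1]
        elif line == "same-security-traffic permit inter-interface":
            bind["same_sec"] = True
    return ifaces, acls, bind

def permitted(cfg, ingress, src, dst, proto="icmp"):
    """Decide a new flow entering `ingress`; returns (allowed, reason)."""
    ifaces, acls, bind = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [n for n, i in ifaces.items() if "net" in i and dst in i["net"]]
    if not hits:
        return False, "no connected route to destination"
    lin = ifaces[ingress]["level"]
    lout = ifaces[max(hits, key=lambda n: ifaces[n]["net"].prefixlen)]["level"]
    chain = [a for a in (bind["interface"].get(ingress), bind["global"]) if a]
    for acl in chain:  # interface ACL first, then the global ACL; first match wins
        for n, (action, eproto, esrc, edst) in enumerate(acls.get(acl, []), 1):
            if esrc is None or edst is None:
                continue  # unresolved object: treated as no match in this model
            if eproto in ("ip", proto) and src in esrc and dst in edst:
                return action == "permit", f"{acl} line {n}: {action} {eproto}"
    if chain:
        return False, "implicit deny at end of " + " + ".join(chain)
    if lin > lout or (lin == lout and bind["same_sec"]):
        return True, f"no ACL bound: level {lin} to {lout} allowed by default"
    return False, f"no ACL bound: level {lin} to {lout} denied by default"

def audit_any_any(cfg):
    """List 'permit ip any any' entries that are actually bound (global or inbound)."""
    _, acls, bind = cfg
    bound = {acl: f"inbound on {i}" for i, acl in bind["interface"].items()}
    if bind["global"]:
        bound[bind["global"]] = "global"
    return [f"{acl} line {n} permits ip any any ({where})"
            for acl, where in bound.items()
            for n, (act, proto, s, d) in enumerate(acls.get(acl, []), 1)
            if act == "permit" and proto == "ip" and s == ANY and d == ANY]

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(permitted(cfg, "Doors", "192.168.25.50", "192.168.34.20"), audit_any_any(cfg))
```

Run as-is it reports that a host on Doors (level 50) reaching Cams (level 100) is permitted by global_access line 1, and the audit names that line as the bound "permit ip any any". Strip the three global_access lines from the constructed config and the same flow is denied by the default level rule, while Cams to Doors stays allowed. An ACL bound inbound on Doors is consulted before the global ACL, so a deny there wins. The same-security-traffic setting is applied only in the no-ACL path of this model.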
