Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
230
Views
0
Helpful
2
Replies

general question in asa access rules

Dr.X
Level 2
Level 2

‎03-13-2014 09:47 AM - edited ‎03-07-2019 06:41 PM

hi ,

this is a general question in understanding rhe asa rules in the asa

 

assume  i have 3 interfaces each has its own security level

security level 100-------eth0-----------ASA----eth1---------------security level 0

                                                                 |

                                                                 |

                                                               eth2

                                                         security level 80

 

 

the  question is ,

what is the hiearchery for the asa when it work !

as an exmaple

 

assume i ahve the default of the asa rules and i only added :

 

 a rule in the asa for eth2 that has the security level 80 and said to asa to allow any thinging going to the subnets at eth0 and eth1

 

wt is the hieracrhy for the asa to check ?

will it check the rules that i put in the asa then check the security levels that the packet have 1st ?

"as we know the security level is lower cant talk to security level that is higer "

 

also , when it check the globl rule in the acces rule ?

before or after  ?

 

also , is there implicit rules hidden in the asa not shown to me at the access rules ?

something is not clear to me

 

i just need to know thehiearchy  for the asa when it begin to check the packet and with it it start to check and start.

 

 

regards

Labels:
0 Helpful
2 Replies 2

John Blakley
VIP Alumni
VIP Alumni

‎03-13-2014 10:01 AM

Hi,

It will check the interface and see if there's an acl. As you said, you cannot pass from lower to higher security level without an explicit acl on the interface, but higher can talk to lower security levels without an acl applied to the interface. There is an implicit deny at the end of the acl meaning that if there's not a match on an entry in the acl, then it will be denied.

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

Dr.X
Level 2
Level 2
In response to John Blakley

‎03-13-2014 11:26 AM

hi john ,

thanks alot for reply

 

but plz execuse me

i will ask agian

 

which will  be lookkd at  first for inspection?

the level of interface ?

or the acl ?

 

also im asking about the implicit acl under each interface

 

is it implicit deny only from lower to higer level ?

 

or it absolutlelty implicit deny for evry thing ??

 

 

agian

 

thanska lot for replty and i wish to got it cleared

 

regards

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card