Security level confusion !

Jonn cos
Level 4

Hi all experts.

I am using ASA 8.0. Following is the simple topology

Pc1 ---------------------- ASA ---------------------- Pc2
                  outside 0     inside 100

Now, what I have read is that traffic from a higher security level to a lower security level is allowed. But when I ping from Pc2 to Pc1, it is not successful. When I searched a bit more, I came to know that I still need to apply an access-list to allow traffic from 100 to 0.

Which point is correct? Do I explicitly need ACLs to permit traffic from a higher level to a lower level, or is it allowed by default?

Accepted Solution

cadet alain
VIP Alumni

Hi,

The lower the security level, the riskier it is. By default, traffic can flow from high to low, and return traffic is permitted in the reverse direction for TCP and UDP.

For ICMP you have 2 solutions to enable return traffic from low to high:

- enable ICMP inspection

- configure an ACL permitting echo replies and apply it to the outside interface inbound.

The first solution is the safest.

The 2 ways are explained here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

Regards.

Alain.

Don't forget to rate helpful posts.
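Both options Alain describes, written out as ASA CLI configuration. This is an added example, not configuration from the original post or from Cisco's tech note; it assumes the interface names from the question (inside at level 100, outside at level 0), and the ACL name OUTSIDE_IN is a placeholder.

```cisco
! Option 1 (preferred): enable ICMP inspection. The ASA then tracks each
! echo request leaving via "inside" and allows only the matching echo
! reply back in through "outside", without any ACL.
! global_policy and its service-policy line are normally already present
! in the default configuration; re-entering them is harmless.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
! Option 2: statically permit echo replies inbound on "outside".
! OUTSIDE_IN is an assumed placeholder name. This admits any echo-reply,
! whether or not an inside host sent a request, which is why option 1 is
! the safer of the two.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside
!
! Verification with option 1: while a ping from Pc2 is running, the
! inspected ICMP flow appears in the connection table.
show conn protocol icmp
```

One caveat that bears on the original question: the security-level rule (high to low permitted by default) only applies while no ACL is bound inbound on that interface. As soon as an access-group is applied inbound on "inside", that ACL's implicit deny replaces the default permit, and traffic from 100 to 0 must then be permitted explicitly.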


3 Replies

Jonn cos
Level 4

OK, I have understood why ICMP didn't make it through. Is there any debug command that can tell me which packet was dropped and why?

Please, I need to make sure I am good with troubleshooting also. Please guide me: what debug command will help me figure out why these ICMP packets are being blocked?

Hi,

Look at this doc:

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/admin_trouble.html

Regards.

Alain.

Don't forget to rate helpful posts.
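As an added illustration of the troubleshooting the follow-up question asks about (these commands are not from the original replies or the linked document), here is how a practitioner would find out where the ASA drops a packet and why. The addresses 192.168.1.10 (Pc2, inside) and 10.1.1.10 (Pc1, outside) are assumed sample values.

```cisco
! Simulate Pc2's echo request (ICMP type 8, code 0) entering "inside".
! The output walks every processing phase (route lookup, ACL, inspection,
! NAT, flow creation) and ends with ALLOW or DROP plus a drop reason.
packet-tracer input inside icmp 192.168.1.10 8 0 10.1.1.10
!
! Simulate the echo reply (type 0, code 0) arriving on "outside". Without
! ICMP inspection or a permitting ACL this is where the DROP appears,
! typically as "acl-drop" in the ACCESS-LIST phase.
packet-tracer input outside icmp 10.1.1.10 0 0 192.168.1.10
!
! Per-reason drop counters for the whole box. Run it once, ping from Pc2,
! run it again, and see which counter increased.
show asp drop
!
! Capture the dropped packets themselves (all drop reasons) so the exact
! packet and its drop reason can be read back, then remove the capture.
capture DROPS type asp-drop all
! ... run the ping from Pc2 here ...
show capture DROPS
no capture DROPS
```

packet-tracer is the quickest check because it needs no live traffic and names the phase that rejected the packet; the asp-drop capture is the one to reach for when real traffic is being dropped for a reason the simulation does not reproduce.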