[cisco-voip] Re: QS: regarding pix/asa security levels

Robert Schuknecht rschuknecht at gmx.de
Thu Apr 3 07:20:15 EDT 2008


Hi Khalid,

Here are some links where you can find information regarding the configuration of PIX/ASA:

ASA: http://www.cisco.com/univercd/cc/td/doc/product/multisec/index.htm 

PIX: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm 

Here are some general answers to your questions:

1) Yes, it is possible.

2) You need to create an ACL for the returning ICMP traffic and bind it "incoming" to the outside interface.

3) It depends. Read the configuration guides and you will know how things work.

4) See 3)

/Robert
>>> Syed Khalid Ali <Khalid_Khursheed at hotmail.com> wrote on Thursday, 3 April 2008 at 11:05 in message 8d2f31c350ff4a9f2d8737dfab12e3fb:
> Hi,
> 
> I have just started to read the SNPA book. The questions are:
> 
> 1- Can a higher security level (100) interface access a lower security level 
> interface without a NAT translation? 
> 2- I set up my ASA with 2 interfaces (inside and outside) and tried to ping 
> from an inside host to an outside host, but it failed. 
> 3- For an inside host to access an outside host, do we need a translation or 
> an access rule or both?
> 4- Do we need to have an inspect icmp in the inspection policy for number 1 to 
> work without a translation and access rule or both?
> 
> PS: I know that this is not a security-related forum, but there are lots of 
> people here who are skilled in different domains.
> 
> 
> regards,
> 
> Khalid
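
Answer 2 above as an ASA configuration sketch, added here as an example and not part of either poster's message. It assumes ASA 7.x or later syntax, the interface names inside and outside from the question, and a hypothetical ACL name OUTSIDE_IN; the second half shows ICMP inspection, the option raised in question 4, using the default global_policy and inspection_default names.

```cisco
! Option A: ACL for the returning ICMP traffic, bound inbound on outside.
! OUTSIDE_IN is a hypothetical ACL name chosen for this example.
! Only reply and error types are permitted; inbound echo requests stay blocked.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! Option B: ICMP inspection in the default global policy.
! The ASA then tracks each echo request from inside and admits only the
! matching echo reply, so no inbound ACL entry for echo-reply is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Check that the ACL is applied and see whether its entries are matching:
! show run access-group
! show access-list OUTSIDE_IN
```

Option B is the narrower of the two, because Option A admits any echo-reply from outside whether or not an inside host sent a request.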

