[c-nsp] ASA Query
Ryan West
rwest at zyedge.com
Wed Mar 20 17:34:46 EDT 2013
On Wed, Mar 20, 2013 at 17:08:48, Dave Brockman wrote:
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA Query
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 3/20/2013 11:05 AM, Muhammad Jawwad Paracha wrote:
> > Hello
> >
> > Three zones/interfaces are used on the ASA
> >
> > Internet - security level 0
> > Inside - security level 100 with ipsec configured for vpn clients
> > DMZ - security level 100
> >
> > Traffic from Inside to Internet works fine without ACL.
> >
> > Traffic from DMZ to Internet works when ACL is applied.
> >
> > As per my knowledge traffic from higher security zone to lower zone
> > is allowed by default.
> >
> > Please suggest what could be the reason here.
>
> Which ASA platform specifically? A 5505 w/ a base license only has
> three VLANs, one of which is restricted to passing traffic to only one
> of the two remaining VLANs. Based on your question, I assume you are
> having difficulties passing traffic from inside to DMZ, could you post
> a sanitized configuration?
>
Sounds like OP is missing 'same-security permit inter-interface'
-ryan
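The thread's diagnosis (two interfaces at security level 100, so inside-to-DMZ traffic is dropped by the ASA's default policy unless `same-security-traffic permit inter-interface` is configured) can be checked mechanically against a running config. The script below is an added example, not from the thread; it assumes the standard `show running-config` layout (an `interface` block with `nameif` and `security-level` lines, and the global `same-security-traffic permit inter-interface` line when enabled). The sample configuration is constructed to mirror the original poster's description; the interface names and addresses are made up.

```python
"""Audit a Cisco ASA configuration for interfaces that share a security level
while 'same-security-traffic permit inter-interface' is absent.

Added example (not code from the thread). Assumes the usual ASA running-config
layout: 'interface ...' blocks containing 'nameif' and 'security-level', and a
global 'same-security-traffic permit inter-interface' line when enabled.
"""
import re
from itertools import combinations

# Constructed sample config mirroring the original poster's description:
# outside at 0, inside and dmz both at 100, and no same-security statement.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
access-group dmz_in in interface dmz
"""


def parse_interfaces(config):
    """Return {nameif: security_level} for every interface block that has both.

    A block starts at a top-level 'interface' line; nameif/security-level only
    appear indented inside such blocks, so the last block is flushed at EOF.
    """
    levels = {}
    name = level = None
    for line in config.splitlines():
        if re.match(r"^interface\s", line):
            if name is not None and level is not None:
                levels[name] = level
            name = level = None
            continue
        m = re.match(r"^\s+nameif\s+(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"^\s+security-level\s+(\d+)", line)
        if m:
            level = int(m.group(1))
    if name is not None and level is not None:
        levels[name] = level
    return levels


def same_security_permitted(config):
    """True if the global inter-interface same-security statement is present.

    Deliberately does not match 'permit intra-interface', which only allows
    traffic to re-enter the same interface (hairpinning) and does not help here.
    """
    return re.search(r"^same-security-traffic permit inter-interface\s*$",
                     config, re.MULTILINE) is not None


def find_blocked_same_level_pairs(config):
    """Return sorted (a, b) interface pairs that share a security level and
    therefore cannot pass traffic to each other under the ASA default policy.
    Returns [] when the same-security statement is present."""
    if same_security_permitted(config):
        return []
    levels = parse_interfaces(config)
    return [(a, b) for a, b in combinations(sorted(levels), 2)
            if levels[a] == levels[b]]


def audit(config):
    """One finding line per blocked pair, empty list when nothing is wrong.
    Note: platform license limits (e.g. the 5505 base-license VLAN restriction
    mentioned in the thread) are not visible in the config and are not checked."""
    return [f"{a} <-> {b}: same security level ({parse_interfaces(config)[a]}) "
            f"and no 'same-security-traffic permit inter-interface'"
            for a, b in find_blocked_same_level_pairs(config)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config`; a finding for a pair means traffic between those two interfaces will be dropped regardless of any ACLs until the global statement is added or one interface is moved to a different security level.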