[c-nsp] ASA Query
Dave Brockman
dave at brockmans.com
Wed Mar 20 17:49:48 EDT 2013
On 3/20/2013 5:34 PM, Ryan West wrote:
> On Wed, Mar 20, 2013 at 17:08:48, Dave Brockman wrote:
>>
>> On 3/20/2013 11:05 AM, Muhammad Jawwad Paracha wrote:
>>> Hello
>>>
>>> Three zones/interface are used on ASA
>>>
>>> Internet - security level 0
>>> Inside - security level 100, with IPsec configured for VPN clients
>>> DMZ - security level 100
>>>
>>> Traffic from Inside to Internet works fine without ACL.
>>>
>>> Traffic from DMZ to Internet works when ACL is applied.
>>>
>>> As per my knowledge traffic from higher security zone to lower
>>> zone is allowed by default.
>>>
>>> Please suggest what could be the reason here.
>>
>> Which ASA platform specifically? A 5505 w/ a base license only
>> has three VLANs, one of which is restricted to passing traffic to
>> only one of the two remaining VLANs. Based on your question, I
>> assume you are having difficulties passing traffic from inside to
>> DMZ, could you post a sanitized configuration?
>>
>
> Sounds like OP is missing 'same-security permit inter-interface'
>
> -ryan
That would not apply inside to DMZ, they are not the same security
level, no?
Regards,
dtb
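For reference, an added illustration of the three settings the thread is circling around. This is not the original poster's configuration and not part of the thread; interface names, VLAN numbers and addresses (RFC 5737 / RFC 1918 ranges) are assumed. The full form of the command Ryan refers to is `same-security-traffic permit inter-interface`.

```text
! Added example, not the OP's config. Names and addresses are assumed.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
! Interfaces at the same security level (inside 100 <-> dmz 100) do not
! pass traffic to each other at all until this global setting is enabled;
! no ACL will fix that on its own.
same-security-traffic permit inter-interface
!
! Binding an access-group to an interface replaces the security-level
! default (higher-to-lower allowed) for that interface with the ACL and
! its implicit deny. That is why dmz -> outside can need an explicit
! permit on a box where inside -> outside (no ACL bound) needs none.
access-list DMZ_IN extended permit tcp 10.0.2.0 255.255.255.0 any eq 80
access-list DMZ_IN extended permit tcp 10.0.2.0 255.255.255.0 any eq 443
access-group DMZ_IN in interface dmz
```

To check which of the three cases applies before touching anything, `show running-config same-security-traffic` shows whether inter-interface traffic is enabled, `show running-config access-group` shows which interfaces have an ACL bound (and therefore an implicit deny), and `packet-tracer input inside tcp 10.0.1.10 40000 10.0.2.10 80` walks a synthetic packet through the path and names the phase that drops it. On a 5505 with the base license that Dave asks about, the third VLAN interface must carry `no forward interface vlan <n>` toward one of the other two before `nameif` is accepted, and that restriction blocks the inside-to-DMZ (or DMZ-to-inside) direction regardless of security levels or ACLs.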