[c-nsp] ASA Query

Dave Brockman dave at brockmans.com
Wed Mar 20 17:49:48 EDT 2013
On 3/20/2013 5:34 PM, Ryan West wrote:
> On Wed, Mar 20, 2013 at 17:08:48, Dave Brockman wrote:
>> 
>> On 3/20/2013 11:05 AM, Muhammad Jawwad Paracha wrote:
>>> Hello
>>> 
>>> Three zones/interfaces are used on the ASA:
>>> 
>>> Internet - security level 0
>>> Inside - security level 100, with IPsec configured for VPN clients
>>> DMZ - security level 100
>>> 
>>> Traffic from Inside to Internet works fine without an ACL.
>>> 
>>> Traffic from DMZ to Internet works when an ACL is applied.
>>> 
>>> As per my knowledge, traffic from a higher security zone to a lower
>>> zone is allowed by default.
>>> 
>>> Please suggest what could be the reason here.
>> 
>> Which ASA platform specifically?  A 5505 w/ a base license only
>> has three VLANs, one of which is restricted to passing traffic to
>> only one of the two remaining VLANs.  Based on your question, I
>> assume you are having difficulties passing traffic from inside to
>> DMZ, could you post a sanitized configuration?
>> 
> 
> Sounds like OP is missing 'same-security permit inter-interface'
> 
> -ryan

That would not apply inside to DMZ, they are not the same security
level, no?

Regards,

dtb

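The interface policy this thread is arguing about, as a small Python model: the implicit permit from a higher to a lower security level when no ACL is bound, the `same-security-traffic permit inter-interface` requirement for interfaces at equal levels, an applied inbound ACL replacing the implicit rule with its own implicit deny, and the ASA 5505 base-license "no forward interface" restriction Dave brings up. This is an added illustration, not Cisco code and not posted by anyone in the thread; the `Asa`/`Interface` classes, the `(action, destination)` ACL tuples and the `no_forward_to` attribute are my own simplifications, and the flow scenarios are constructed from the original poster's stated layout (Internet 0 / Inside 100 / DMZ 100).

```python
"""Model of how an ASA decides whether a flow may be *initiated* from one
interface toward another: security levels, an optional inbound ACL, the
same-security-traffic setting, and the 5505 base-license forward restriction.
Added illustration for this thread, not Cisco code; scenarios are constructed
from the original poster's description."""
from dataclasses import dataclass, field
from typing import Optional

# An ACL entry is (action, destination interface name or "any"); first match
# wins and, as on the ASA, a bound ACL ends with an implicit deny.
AclEntry = tuple[str, str]


@dataclass
class Interface:
    name: str
    security_level: int
    inbound_acl: Optional[list[AclEntry]] = None  # "access-group ... in interface"
    no_forward_to: Optional[str] = None           # 5505: "no forward interface vlan N"


@dataclass
class Asa:
    interfaces: dict[str, Interface] = field(default_factory=dict)
    same_security_inter: bool = False  # same-security-traffic permit inter-interface

    def add(self, iface: Interface) -> None:
        self.interfaces[iface.name] = iface

    def decide(self, src: str, dst: str) -> tuple[bool, str]:
        """Return (permitted, reason) for a flow initiated on src toward dst."""
        s, d = self.interfaces[src], self.interfaces[dst]
        # 5505 base license: the restricted VLAN may not initiate traffic to one peer.
        if s.no_forward_to == dst:
            return False, "no forward interface restriction"
        # Equal levels need same-security-traffic permit, whatever the ACLs say.
        if s.security_level == d.security_level and not self.same_security_inter:
            return False, "same security level, inter-interface traffic not permitted"
        # Once an inbound ACL is bound, it replaces the implicit level-based rule.
        if s.inbound_acl is not None:
            for action, target in s.inbound_acl:
                if target in ("any", dst):
                    return action == "permit", f"ACL entry '{action} {target}'"
            return False, "implicit deny at end of ACL"
        # No ACL: higher (or equal, if enabled) to lower is implicitly allowed.
        if s.security_level >= d.security_level:
            return True, f"implicit permit, level {s.security_level} -> {d.security_level}"
        return False, f"implicit deny, level {s.security_level} -> {d.security_level}"


def build_op_asa(same_security: bool = False,
                 dmz_acl: Optional[list[AclEntry]] = None) -> Asa:
    """The three-interface layout from the original post, levels as stated."""
    asa = Asa(same_security_inter=same_security)
    asa.add(Interface("outside", 0))
    asa.add(Interface("inside", 100))
    asa.add(Interface("dmz", 100, inbound_acl=dmz_acl))
    return asa


FLOWS = [("inside", "outside"), ("dmz", "outside"), ("inside", "dmz"),
         ("dmz", "inside"), ("outside", "inside")]


def show(label: str, asa: Asa) -> None:
    print(f"--- {label}")
    for src, dst in FLOWS:
        ok, why = asa.decide(src, dst)
        print(f"{src:>7} -> {dst:<7} {'PERMIT' if ok else 'DENY  '}  ({why})")


if __name__ == "__main__":
    show("no ACLs, default", build_op_asa())
    show("same-security-traffic permit inter-interface", build_op_asa(same_security=True))
    show("ACL bound to dmz: permit to outside only",
         build_op_asa(dmz_acl=[("permit", "outside")]))
    # Constructed 5505 base-license layout: the third VLAN (dmz, level 50)
    # is configured with "no forward interface" toward inside.
    asa5505 = Asa()
    asa5505.add(Interface("outside", 0))
    asa5505.add(Interface("inside", 100))
    asa5505.add(Interface("dmz", 50, no_forward_to="inside"))
    show("5505 base license, dmz may not initiate to inside", asa5505)
```

Run it and compare the first table with what the box actually does: with the levels the poster states, the DMZ-to-Internet flow is implicitly permitted without any ACL, so if it only works once an ACL is bound, something other than the levels alone is deciding that flow (an ACL already bound to that interface, or on a 5505 the forward restriction), which is why a sanitized configuration is the useful next step.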