[c-nsp] ASA Query

Ryan West rwest at zyedge.com
Wed Mar 20 17:52:39 EDT 2013


On Wed, Mar 20, 2013 at 17:49:48, Dave Brockman wrote:
> Subject: Re: [c-nsp] ASA Query
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 3/20/2013 5:34 PM, Ryan West wrote:
> > On Wed, Mar 20, 2013 at 17:08:48, Dave Brockman wrote:
> >> Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ASA Query
> >>
> >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >>
> >> On 3/20/2013 11:05 AM, Muhammad Jawwad Paracha wrote:
> >>> Hello
> >>>
> >>> Three zones/interface are used on ASA
> >>>
> >>> Internet - security level 0
> >>> Inside - security level 100 with ipsec configured for vpn clients
> >>> DMZ - security level 100
> >>>
> >>> Traffic from Inside to Internet works fine without ACL.
> >>>
> >>> Traffic from DMZ to Internet works when ACL is applied.
> >>>
> >>> As per my knowledge traffic from higher security zone to lower 
> >>> zone is allowed by default.
> >>>
> >>> Please suggest what could be the reason here.
> >>
> >> Which ASA platform specifically?  A 5505 w/ a base license only has 
> >> three VLANs, one of which is restricted to passing traffic to only 
> >> one of the two remaining VLANs.  Based on your question, I assume 
> >> you are having difficulties passing traffic from inside to DMZ, 
> >> could you post a sanitized configuration?
> >>
> >
> > Sounds like OP is missing 'same-security permit inter-interface'
> >
> > -ryan
> 
> That would not apply inside to DMZ, they are not the same security level, no?
> 

It's difficult to read, but I show 100 - inside, 0 - outside, 100 - dmz.

-ryan
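The thread turns on how an ASA decides inter-interface traffic from security levels alone. The script below is an added example, not code or configuration from this thread or from any poster; it models that decision for the layout Ryan reads out of the OP's post (inside 100, outside 0, dmz 100) and shows why inside-to-DMZ is dropped until `same-security-traffic permit inter-interface` (the full command name) is configured. The interface names, the `AsaPolicy` class and its ACL representation are constructed for illustration; NAT, intra-interface hairpinning and global ACLs are not modelled. It also encodes one caveat a practitioner checks first: once an inbound ACL is bound to an interface, that ACL, not the level comparison, decides what leaves it.

```python
"""Simplified model of the ASA inter-interface forwarding decision.

Rules modelled (a constructed teaching model, not the ASA code path):
  1. higher -> lower security level: implicitly permitted
  2. lower  -> higher: denied unless the ingress ACL permits it
  3. equal levels on different interfaces: dropped unless
     'same-security-traffic permit inter-interface' is configured
  4. an inbound ACL on the ingress interface replaces rule 1 entirely
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed to match the thread: inside 100, outside 0, DMZ 100.
INTERFACES: Dict[str, int] = {"inside": 100, "outside": 0, "dmz": 100}


@dataclass
class AsaPolicy:
    """Hypothetical container for the pieces of ASA config that matter here."""
    levels: Dict[str, int]
    # True once 'same-security-traffic permit inter-interface' is configured
    same_security_inter: bool = False
    # ingress interface -> egress interfaces its inbound ACL permits;
    # an interface missing from this dict has no ACL applied at all
    acl_permits: Dict[str, Set[str]] = field(default_factory=dict)

    def decide(self, src: str, dst: str) -> Tuple[bool, str]:
        """Return (permitted, reason) for a new flow entering src bound for dst."""
        if src == dst:
            return False, "hairpin on one interface needs 'permit intra-interface' (not modelled)"
        s, d = self.levels[src], self.levels[dst]
        if s == d and not self.same_security_inter:
            return False, (f"{src}({s}) and {dst}({d}) share a level and "
                           "'same-security-traffic permit inter-interface' is not set")
        if src in self.acl_permits:
            # The bound ACL decides; the implicit higher-to-lower permit is gone.
            ok = dst in self.acl_permits[src]
            return ok, f"inbound ACL on {src} {'permits' if ok else 'denies'} traffic to {dst}"
        if s > d:
            return True, f"implicit permit: {src}({s}) is higher than {dst}({d})"
        if s == d:
            return True, "equal levels permitted by same-security-traffic permit inter-interface"
        return False, f"implicit deny: {src}({s}) is lower than {dst}({d}) and no ACL permits it"


def default_policy() -> AsaPolicy:
    """The OP's box as described: three interfaces, no same-security command."""
    return AsaPolicy(levels=dict(INTERFACES))


def fixed_policy() -> AsaPolicy:
    """Same box after adding 'same-security-traffic permit inter-interface'."""
    return AsaPolicy(levels=dict(INTERFACES), same_security_inter=True)


def matrix(policy: AsaPolicy) -> Dict[Tuple[str, str], bool]:
    """Permit/deny verdict for every ordered pair of distinct interfaces."""
    return {(a, b): policy.decide(a, b)[0]
            for a in policy.levels for b in policy.levels if a != b}


if __name__ == "__main__":
    for name, pol in (("default", default_policy()),
                      ("with same-security-traffic permit inter-interface", fixed_policy())):
        print(f"== {name} ==")
        for (a, b), ok in matrix(pol).items():
            print(f"{a:>7} -> {b:<7} {'PERMIT' if ok else 'DENY  '}  {pol.decide(a, b)[1]}")
```

Running it prints two verdict tables: in the default table inside->dmz and dmz->inside are the only pairs between non-outside interfaces that are denied, and they flip to permit in the second table. Binding an ACL to `dmz` (the `acl_permits` field) then narrows that interface's egress to whatever the ACL lists, which is the first thing to check when a higher-level interface stops reaching a lower one.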
