[c-nsp] ASA Query
Ryan West
rwest at zyedge.com
Wed Mar 20 17:52:39 EDT 2013
On Wed, Mar 20, 2013 at 17:49:48, Dave Brockman wrote:
> On 3/20/2013 5:34 PM, Ryan West wrote:
> > On Wed, Mar 20, 2013 at 17:08:48, Dave Brockman wrote:
> >> On 3/20/2013 11:05 AM, Muhammad Jawwad Paracha wrote:
> >>> Hello
> >>>
> >>> Three zones/interface are used on ASA
> >>>
> >>> Internet - security level 0
> >>> Inside - security level 100 with ipsec configured for vpn clients
> >>> DMZ - security level 100
> >>>
> >>> Traffic from Inside to Internet works fine without ACL.
> >>>
> >>> Traffic from DMZ to Internet works when ACL is applied.
> >>>
> >>> As per my knowledge traffic from higher security zone to lower
> >>> zone is allowed by default.
> >>>
> >>> Please suggest what could be the reason here.
> >>
> >> Which ASA platform specifically? A 5505 w/ a base license only has
> >> three VLANs, one of which is restricted to passing traffic to only
> >> one of the two remaining VLANs. Based on your question, I assume
> >> you are having difficulties passing traffic from inside to DMZ,
> >> could you post a sanitized configuration?
> >>
> >
> > Sounds like OP is missing 'same-security permit inter-interface'
> >
> > -ryan
>
> That would not apply inside to DMZ, they are not the same security level, no?
>
It's difficult to read, but I show 100 - inside, 0 - outside, 100 - dmz.
-ryan
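Added configuration example (not posted by anyone on the thread) showing the three-interface layout the original poster describes and the two ways the inside-to-DMZ traffic can be made to pass. Interface names, addresses and the DMZ host are assumed.

```text
! --- As described by the OP: inside and dmz both at security-level 100.
! ASA permits traffic implicitly only from a HIGHER to a LOWER level,
! so inside (100) -> dmz (100) is dropped unless same-security traffic
! is enabled or an ACL permits it.  Interface names/addresses assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
! --- Fix 1 (what Ryan suggests): allow traffic between interfaces
! that share a security level.  Note this is symmetric: dmz hosts can
! then also initiate to inside, so pair it with an ACL on dmz if the
! DMZ is meant to be less trusted.
same-security-traffic permit inter-interface
!
! --- Fix 2 (alternative): give the DMZ a lower level than inside.
! inside (100) -> dmz (50) is then permitted by default, while
! dmz (50) -> inside (100) stays blocked until an ACL allows it,
! which matches the usual trust model for a DMZ.
interface GigabitEthernet0/2
 security-level 50
!
! --- Verify the resulting policy before and after the change
! (172.16.1.10 is an assumed DMZ web server):
! show running-config same-security-traffic
! packet-tracer input inside tcp 10.1.1.10 12345 172.16.1.10 80
! packet-tracer input dmz tcp 172.16.1.10 12345 10.1.1.10 445
```

The second packet-tracer run is the one to watch: with Fix 1 applied and no ACL on dmz, it reports ALLOW, which is usually not what a DMZ design intends.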