[c-nsp] ASA Query
Dave Brockman
dave at brockmans.com
Wed Mar 20 17:55:49 EDT 2013
On 3/20/2013 5:52 PM, Ryan West wrote:
> On Wed, Mar 20, 2013 at 17:49:48, Dave Brockman wrote:
>> Subject: Re: [c-nsp] ASA Query
>>
>> On 3/20/2013 5:34 PM, Ryan West wrote:
>>> On Wed, Mar 20, 2013 at 17:08:48, Dave Brockman wrote:
>>>> Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ASA Query
>>>>
>>>> On 3/20/2013 11:05 AM, Muhammad Jawwad Paracha wrote:
>>>>> Hello
>>>>>
>>>>> Three zones/interfaces are used on ASA
>>>>>
>>>>> Internet - security level 0 Inside - security level 100
>>>>> with ipsec configured for vpn clients DMZ - security level
>>>>> 100
>>>>>
>>>>> Traffic from Inside to Internet works fine without ACL.
>>>>>
>>>>> Traffic from DMZ to Internet works when ACL is applied.
>>>>>
>>>>> As per my knowledge traffic from higher security zone to
>>>>> lower zone is allowed by default.
>>>>>
>>>>> Please suggest what could be the reason here.
>>>>
>>>> Which ASA platform specifically? A 5505 w/ a base license
>>>> only has three VLANs, one of which is restricted to passing
>>>> traffic to only one of the two remaining VLANs. Based on
>>>> your question, I assume you are having difficulties passing
>>>> traffic from inside to DMZ, could you post a sanitized
>>>> configuration?
>>>>
>>>
>>> Sounds like OP is missing 'same-security permit
>>> inter-interface'
>>>
>>> -ryan
>>
>> That would not apply inside to DMZ, they are not the same
>> security level, no?
>>
>
> It's difficult to read, but I show 100 - inside, 0 - outside, 100 -
> dmz.
>
> -ryan
>
Now that you pointed that out, and I read what was in the email
instead of what my brain wanted me to read, with that interpretation,
yes, I believe you are correct :)
And now to find caffeine.... I am apparently running low :)
Regards,
dtb
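
The security-level check discussed in this thread, as an added example that is not part of the original messages: a small Python model of which new connections an ASA permits between interfaces when no access-list is applied, using the three interfaces and levels from the original post. The class and function names are hypothetical, and the model covers only the security-level comparison and the `same-security-traffic permit inter-interface` setting, not NAT, ACLs or licence restrictions.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Interface:
    name: str
    security_level: int  # 0 (least trusted) to 100 (most trusted)


def implicit_policy(src, dst, same_security_inter_interface=False):
    """Return (allowed, reason) for a new connection from src to dst
    when no access-list is applied to either interface."""
    if src.name == dst.name:
        raise ValueError("same-interface (hairpin) traffic is not modelled here")
    if src.security_level > dst.security_level:
        return True, "higher to lower security level: permitted by default"
    if src.security_level < dst.security_level:
        return False, "lower to higher security level: needs an ACL permit"
    # Equal levels: blocked unless the global command
    # 'same-security-traffic permit inter-interface' is configured.
    if same_security_inter_interface:
        return True, "same level, inter-interface traffic permitted"
    return False, "same level, inter-interface traffic not permitted"


# Interfaces and levels as read in the thread: 100 inside, 0 outside, 100 dmz.
OUTSIDE = Interface("outside", 0)
INSIDE = Interface("inside", 100)
DMZ = Interface("dmz", 100)
INTERFACES = [OUTSIDE, INSIDE, DMZ]


def policy_matrix(interfaces, same_security_inter_interface=False):
    """Map every ordered (src, dst) interface pair to True/False."""
    return {
        (s.name, d.name): implicit_policy(s, d, same_security_inter_interface)[0]
        for s, d in permutations(interfaces, 2)
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"same-security-traffic permit inter-interface: {flag}")
        for (s, d), ok in sorted(policy_matrix(INTERFACES, flag).items()):
            print(f"  {s:>7} -> {d:<7} {'permit' if ok else 'deny'}")
```
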