[cisco-voip] QS: regarding pix/asa security levels

Jonathan Charles jonvoip at gmail.com
Thu Apr 3 09:01:27 EDT 2008


1 - Depends if there is routing going on. While the security system
will not block the packet, basic routing would.
2 - ICMP is blocked by default; you need to create an ACL specifically
permitting ICMP.
3 - By default all traffic is permitted from a high-security interface
to a low-security interface; however, see 1 above.
4 - If you have a public IP block you can route through the ASA
without NAT, otherwise you need NAT.


Jonathan

On Thu, Apr 3, 2008 at 4:05 AM, Syed Khalid Ali
<Khalid_Khursheed at hotmail.com> wrote:
>
>
> Hi
>
> I have just started to read the SNPA book. The question is:
>
> 1- Can a higher security level (100) interface access a lower security level
> interface without a NAT translation?
> 2- I set up my ASA with 2 interfaces (inside and outside) and tried to ping
> from an inside host to an outside host but it failed.
> 3- For an inside host to access an outside host do we need translation or
> access rule or both?
> 4- Do we need to have an inspect icmp in inspection policy for number 1 to
> work without a translation and access rule or both?
>
> PS: I know that this is not a security-related forum but there are lots of
> people here who are skilled in different domains.
>
>
> regards,
>
> Khalid
>
>
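
Added example, not part of the original thread: a pre-8.3 PIX/ASA configuration for the inside-to-outside ping case discussed above, showing the two usual ways to let ICMP replies back in. The physical interface IDs and the ACL name OUTSIDE_IN are assumptions; the interface names inside and outside come from the question.

```cisco
! Constructed example, pre-8.3 PIX/ASA syntax.
! Interface IDs and the ACL name OUTSIDE_IN are hypothetical.
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
!
! Dynamic PAT for inside hosts using private addresses:
! translate them to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Option A: ACL on the outside interface.
! Permit only the ICMP reply and error types a ping or traceroute
! from inside needs, rather than all ICMP from any source.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! Option B: ICMP inspection in the default global policy.
! The firewall tracks each echo request and admits only the
! matching reply, so no inbound ICMP ACL entry is needed for ping.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Use one option or the other; `show access-list OUTSIDE_IN` (hit counts) or `show service-policy inspect icmp` confirms which path the replies are taking.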

