07-25-2017 06:32 AM - edited 03-12-2019 02:44 AM
When an ASA is fresh out of the box, the interfaces do not have any ACLs applied and the firewall enforces the security-levels. Once an ACL is applied, do the security-levels still apply? As an example, if I want to permit RDP from an inside interface (security-level 100) to a dmz interface (security-level 50) do I need the ACL on the inside interface in the inbound direction, or will the firewall permit it because it's from a higher security zone to a lower one? I am NOT inspecting RDP - does the firewall automatically allow the return traffic from dmz to inside, assuming it permitted the flow from high to low? My understanding is that if I inspect the traffic I don't need the ACL but if I do not inspect the traffic I will need the ACL entry.
07-25-2017 06:40 AM
Hi Scott,
If you are inspecting the traffic, the ASA is intelligent enough to open ports (pinholes) to allow return traffic.
But if you do not inspect the traffic you have to explicitly allow traffic on the lower security interface using an access-list.
Regards,
Aditya
Please rate helpful and mark correct answers
07-25-2017 06:45 AM
So I don't need an ACL rule on the inside interface inbound due to the "high-to-low" rule but still need the ACL on the return because I am not inspecting AND it's "low-to-high"? The big question is whether or not the security-level rules still apply once an ACL is applied because I've read elsewhere that once you put the ACL on the interface and the default "deny ip any any" goes into effect that you now need ACEs. Are you saying that the "high-to-low" rule overrides the "deny ip any any" implicit rule at the end of an ACL?
07-25-2017 07:37 AM
Hi Scott,
From higher to lower security zone traffic is implicitly allowed.
But if you configure an access-list on the inside interface (or a higher sec level interface) you are manually putting a rule/policy to allow/deny traffic.
So you would need ACEs for allowing/denying traffic on that access-list since you have put in an access-group.
As per the packet flow the traffic would hit the ingress interface and check for any access-list and if it is allowed it will traverse to the egress one.
Regards,
Aditya
Please rate helpful and mark correct answers
07-25-2017 12:28 PM
Hi Scott,
If you apply an ACL at the interface level, traffic will not be passed on the basis of security levels, even if your interface is configured with security level 100 (or you can say the ASA loses its default behaviour), until you explicitly allow the traffic. You must allow the traffic in the interface-level ACL.
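As an added example (not from any poster in this thread), here is the ASA CLI for the inside-to-dmz RDP case being discussed; the ACL name, object name and addresses are assumed:

```text
! Added example (not from the thread): ASA CLI for the inside -> dmz RDP case
! Assumed addresses: dmz RDP server 192.0.2.10, inside subnet 10.1.1.0/24
!
! Before any access-group is bound to "inside", traffic from inside (level 100)
! to dmz (level 50) is permitted by the security-level rule alone.
!
! Once an ACL is bound with access-group, the security-level rule no longer
! decides on that interface; the ACL does, and it ends with an implicit deny.
object network DMZ_RDP_SERVER
 host 192.0.2.10
!
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 object DMZ_RDP_SERVER eq 3389
!
! Everything else entering "inside" (inside -> dmz and inside -> outside alike)
! is now dropped by the implicit deny. To keep the old high-to-low behaviour
! for the remaining traffic, add an explicit catch-all as the last ACE:
access-list INSIDE_IN extended permit ip any any
!
access-group INSIDE_IN in interface inside
!
! No access-group is bound to "dmz" here. The server's replies for the RDP
! session are matched against the connection (state) table the ASA built when
! it permitted the initial SYN, not against an ACL; inspection only matters for
! protocols that open secondary channels. A dmz ACL is needed for connections
! that the dmz side initiates toward inside.
!
! Checks: hit counts per ACE, and the built connection while a session is open
show access-list INSIDE_IN
show conn
```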