On Wed, Mar 20, 2013 at 17:49:48, Dave Brockman wrote:
> Subject: Re: [c-nsp] ASA Query
>
> On 3/20/2013 5:34 PM, Ryan West wrote:
> > On Wed, Mar 20, 2013 at 17:08:48, Dave Brockman wrote:
> >> Cc: cisco-nsp@puck.nether.net
> >> Subject: Re: [c-nsp] ASA Query
> >>
> >> On 3/20/2013 11:05 AM, Muhammad Jawwad Paracha wrote:
> >>> Hello
> >>>
> >>> Three zones/interfaces are used on the ASA:
> >>>
> >>> Internet - security level 0
> >>> Inside - security level 100, with IPsec configured for VPN clients
> >>> DMZ - security level 100
> >>>
> >>> Traffic from Inside to Internet works fine without an ACL.
> >>>
> >>> Traffic from DMZ to Internet works only when an ACL is applied.
> >>>
> >>> As per my knowledge, traffic from a higher security zone to a lower
> >>> zone is allowed by default.
> >>>
> >>> Please suggest what could be the reason here.
> >>
> >> Which ASA platform specifically? A 5505 w/ a base license only has
> >> three VLANs, one of which is restricted to passing traffic to only
> >> one of the two remaining VLANs. Based on your question, I assume
> >> you are having difficulties passing traffic from inside to DMZ;
> >> could you post a sanitized configuration?
> >>
> >
> > Sounds like OP is missing 'same-security permit inter-interface'
> >
> > -ryan
>
> That would not apply inside to DMZ, they are not the same security level, no?
>
It's difficult to read, but I show 100 - inside, 0 - outside, 100 - dmz.

-ryan

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
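For reference, here is a constructed ASA configuration fragment laying out the three-interface design discussed in the thread. It is an added illustration, not any poster's configuration; VLAN numbers, interface names and addresses are assumed. It shows the `same-security-traffic permit inter-interface` command that is needed before two interfaces at the same security level (inside and dmz, both 100) will pass traffic to each other, and the caveat that an inbound access-group on an interface replaces the implicit security-level permit for that interface.

```text
! Constructed example, not the OP's configuration. Interface names,
! VLAN numbers and addresses are assumed.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 100
 ip address 10.0.3.1 255.255.255.0
!
! Without this line, inside <-> dmz (100 <-> 100) is dropped even though
! both are "high" security. Higher-to-lower traffic (100 -> 0, i.e.
! inside -> outside and dmz -> outside) is permitted implicitly and does
! not need this command or an ACL.
same-security-traffic permit inter-interface
!
! Caveat: once an inbound access-group is applied to an interface, the
! implicit security-level permit for that interface no longer applies;
! only what the ACL matches passes, and the implicit deny at the end
! drops the rest, including traffic bound for a lower-security interface.
! access-list DMZ_IN extended permit tcp 10.0.3.0 255.255.255.0 any eq 443
! access-group DMZ_IN in interface dmz
```

To confirm what the box is actually doing, `show running-config same-security-traffic` shows whether the permit is present, and `packet-tracer input dmz tcp 10.0.3.10 12345 203.0.113.10 443` (addresses constructed) walks a sample flow through the interface, ACL and NAT phases and reports exactly which phase drops it, which separates an "access-list implicit deny" from a same-security or licensing restriction.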