On 3/20/2013 5:52 PM, Ryan West wrote:
> On Wed, Mar 20, 2013 at 17:49:48, Dave Brockman wrote:
>> Subject: Re: [c-nsp] ASA Query
>>
>> On 3/20/2013 5:34 PM, Ryan West wrote:
>>> On Wed, Mar 20, 2013 at 17:08:48, Dave Brockman wrote:
>>>> Cc: cisco-nsp@puck.nether.net
>>>> Subject: Re: [c-nsp] ASA Query
>>>>
>>>> On 3/20/2013 11:05 AM, Muhammad Jawwad Paracha wrote:
>>>>> Hello
>>>>>
>>>>> Three zones/interfaces are used on ASA
>>>>>
>>>>> Internet - security level 0
>>>>> Inside - security level 100 with ipsec configured for vpn clients
>>>>> DMZ - security level 100
>>>>>
>>>>> Traffic from Inside to Internet works fine without ACL.
>>>>>
>>>>> Traffic from DMZ to Internet works when ACL is applied.
>>>>>
>>>>> As per my knowledge traffic from higher security zone to
>>>>> lower zone is allowed by default.
>>>>>
>>>>> Please suggest what could be the reason here.
>>>>
>>>> Which ASA platform specifically? A 5505 w/ a base license
>>>> only has three VLANs, one of which is restricted to passing
>>>> traffic to only one of the two remaining VLANs. Based on
>>>> your question, I assume you are having difficulties passing
>>>> traffic from inside to DMZ, could you post a sanitized
>>>> configuration?
>>>>
>>>
>>> Sounds like OP is missing 'same-security permit
>>> inter-interface'
>>>
>>> -ryan
>>
>> That would not apply inside to DMZ, they are not the same
>> security level, no?
>>
>
> It's difficult to read, but I show 100 - inside, 0 - outside, 100 -
> dmz.
>
> -ryan
>

Now that you pointed that out, and I read what was in the email instead of what my brain wanted me to read, with that interpretation, yes, I believe you are correct :)

And now to find caffeine.... I am apparently running low :)

Regards,

dtb

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
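
The interface layout described in this thread, written out as an ASA configuration sketch with the full form of the command Ryan refers to. This is an added example, not part of the original messages: the physical interface names and the addresses (documentation ranges) are constructed assumptions, and only the security levels come from the thread.

```cisco
! Constructed example: interface names and addresses are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 100
 ip address 198.51.100.1 255.255.255.0
!
! Default behaviour with the levels above and no interface ACLs:
!   inside (100) -> outside (0)  : permitted implicitly (higher to lower)
!   dmz    (100) -> outside (0)  : permitted implicitly (higher to lower)
!   inside (100) <-> dmz (100)   : dropped, both interfaces share a level
!
! Allow traffic between interfaces that share a security level:
same-security-traffic permit inter-interface
!
! Confirm the setting, then trace a sample dmz -> inside flow to see
! which phase (ACL, NAT, routing) permits or drops it:
show running-config same-security-traffic
packet-tracer input dmz tcp 198.51.100.10 1025 192.0.2.10 80
```

With `same-security-traffic permit inter-interface` enabled, inside and dmz can reach each other without any ACL, so if the DMZ is meant to be less trusted, giving it a lower security level (for example 50) and using explicit ACLs for the flows it needs keeps the default one-way isolation. Once an ACL is applied inbound on an interface, its implicit deny replaces the security-level default for traffic entering that interface.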