Cisco ASA – security levels vs. implicit global access rule

Tags: acl, cisco-asa

I am trying to understand how to combine the implicit global ACL with security levels.

1) In the documentation it says: Traffic from a Higher Security Level to a Lower Security Level: Allow ALL traffic originating from the higher Security Level unless specifically restricted by an Access Control List (ACL).

2) But in Cisco ASA there is an implicit default global access rule: deny any any on all interfaces for incoming traffic.

Points 1) and 2) are in contradiction.

Can anybody explain it? Thank you.

Best Answer

1 and 2 are not in contradiction. 1 states that this is the behavior unless you have an EXPLICIT ACL entry, while 2 states that there is an IMPLICIT deny (which would catch everything else not filtered by your explicit statements).

Explicit means it was manually added (by you); implicit means it is a default action (essentially).

When you initially define interfaces, the outside interface is automatically given a security level of 0 while the inside interface is automatically given a security level of 100. This accounts for the higher-to-lower behavior you saw. The inverse (lower-to-higher) would be blocked by default and would require having a NAT or PAT as well as rules to allow the traffic coming in.
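As an added illustration (not part of the original question or answer), the configuration below shows both halves of the answer on a two-interface ASA: the default security levels that allow inside-to-outside traffic implicitly, and the static NAT plus inbound ACL that a lower-to-higher flow needs before it gets past the implicit deny. Interface names, the 192.168.1.0/24 and 203.0.113.0/24 addresses, and the object and ACL names are assumptions.

```text
! Assumed two-interface layout; addresses are documentation ranges
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Higher (100) -> lower (0): permitted by the security levels alone,
! as long as no access-group is bound inbound on "inside".
!
! Lower (0) -> higher (100): blocked by the implicit deny until BOTH a
! translation and an explicit permit exist.
object network web-server
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
!
! ASA 8.3+ ACLs reference the real (untranslated) address via the object
access-list OUTSIDE_IN extended permit tcp any object web-server eq 443
!
! Everything not matched above still hits the implicit "deny ip any any"
! at the end of OUTSIDE_IN.
access-group OUTSIDE_IN in interface outside
```

Once an access-group is bound to an interface, that ACL's implicit deny governs that interface and direction, so an ACL applied inbound on inside must itself permit the higher-to-lower traffic that the security levels alone would have allowed.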