I am testing traffic forwarding between different DMZs with different security levels.
DMZ:
interface GigabitEthernet0/1.351
vlan 351
nameif dmz
security-level 10
ip address 10.100.20.1 255.255.255.0
DMZ810:
interface GigabitEthernet1/2.810
vlan 810
nameif dmz810
security-level 50
ip address 172.29.12.33 255.255.255.248
Testing with packet-tracer:
asa-5550-edge# packet-tracer input dmz810 tcp 172.29.12.34 587 10.100.20.50 587 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.100.20.0 255.255.255.0 dmz
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2bf97148, priority=11, domain=permit, deny=true
hits=79960, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=dmz810, output_ifc=any
Result:
input-interface: dmz810
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
But the interface dmz810 has a higher security level than the interface dmz. A rule in the ACL for dmz810 did not help.
What is the reason?
Best Answer
I have seen this countless times when one configures explicit ACL's on interfaces.
By default, if there exist exactly zero access control lists, the ASA will freely PERMIT all traffic from higher security levels to lower levels. However, as soon as you add any explicit rules that apply to an interface, an implicit DENY rule is added at the end of the ACL. Furthermore, this implicit rule is NOT shown when performing a "show access-list" command. ASDM will show the implicit rule but the CLI, by default, does not.
While a great concept, in theory, to simply use security levels and avoid the additional complexity of using ACL's on the filtering engine, in reality most everyone needs to have more granular control of the traffic.
In your instance, examine if you actually need any ACL's for filtering traffic or if you can simply utilize the security levels to make the traffic filtering decisions for you. If you don't need explicit ACL's, delete them. The traffic should then flow from higher to lower security level interfacesª. If you need your ACL, add a rule permitting traffic from 172.29.12.32/29 to 10.100.20.0/24 and vice versa. Below is an example of how to do so.
— or —
Please review the following commands and comments to ensure you get the expected behavior. The first pertains to same-security-levels and the second to traffic amongst zones:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Please note: if you do not enable one, or both, of these settings, the default action will be to DENY all traffic inter- or intra-interface, amongst all interfaces of the same security level.
Many people I have helped out with an ASA are under the mis-impression that traffic is, by default, PERMITTED within the same security level.
Of course, you'd have to change the security level of dmz810, which defeats the purpose of your question.
Hope this helps.
b Wording directly from inline help on the CLI of an ASA5585-x v9.1, emphasis added.
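One way to apply the answer's ACL fix to the two interfaces from the question, as an added example that is not part of the original post. The ACL names (DMZ810_IN, DMZ_IN) and the pre-existing permit line that triggers the implicit deny are assumptions; the addresses are the ones from the question.

```cisco
! Assumed starting state: an ACL is already bound inbound on dmz810, so the
! hidden implicit deny at its end replaces the security-level permit (50 -> 10).
! The only listed rule (constructed here) does not match 172.29.12.34 -> 10.100.20.50,
! which is exactly the acl-drop seen in the packet-tracer output above.
access-list DMZ810_IN remark constructed example: only one relay host was ever permitted
access-list DMZ810_IN extended permit tcp 172.29.12.32 255.255.255.248 host 10.100.20.10 eq 587
access-group DMZ810_IN in interface dmz810
!
! Fix: once an ACL is bound, it is the only thing deciding, so permit dmz810 -> dmz explicitly.
! Return packets of established TCP flows are handled by stateful inspection; no rule on dmz is needed for them.
access-list DMZ810_IN extended permit ip 172.29.12.32 255.255.255.248 10.100.20.0 255.255.255.0
access-list DMZ810_IN remark everything not listed above is still dropped by the implicit deny,
access-list DMZ810_IN remark which "show access-list" does not display (ASDM does)
!
! "Vice versa" from the answer: connections initiated from dmz (level 10) toward dmz810 (level 50)
! are denied by security level alone, so they need an explicit permit on the dmz ACL as well.
access-list DMZ_IN extended permit ip 10.100.20.0 255.255.255.0 172.29.12.32 255.255.255.248
access-group DMZ_IN in interface dmz
!
! Re-run the same test from the question; the ACCESS-LIST phase should now report ALLOW
! and name the DMZ810_IN permit line instead of "Implicit Rule".
packet-tracer input dmz810 tcp 172.29.12.34 587 10.100.20.50 587 detail
```

Lines are appended to an ACL in the order entered, so the broad permit ip line lands after the assumed host rule; that ordering is harmless here because both are permits.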