Re: DMZ security Issue from marc edwards on 2012-07-11 (Ccielab archives 07/2012)

From: marc edwards <renorider_at_gmail.com>
Date: Wed, 11 Jul 2012 10:06:11 -0700

And the more I think about it. It is due to implicit deny that comes with
the ACL.

Marc

On Wed, Jul 11, 2012 at 10:05 AM, marc edwards <renorider_at_gmail.com> wrote:

> Sadiq,
>
> With my experiences, if the interface has ACLS it won't pass traffic to
> lower zones but I will defer to expert to confirm. Thanks for pointing out
> for clarification.
>
> Regards,
>
> Marc
>
>
> On Wed, Jul 11, 2012 at 10:00 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com>wrote:
>
>> Thats all right Marc. One point to add; even with access-lists, the
>> security levels are infact used, but the ACL's will take precedence. This
>> means for traffic streams that dont have entries in the ACL, the security
>> levels' rules can permit (or otherwise) the traffic.
>>
>> Right?
>>
>>
>> On Wed, Jul 11, 2012 at 5:50 PM, marc edwards <renorider_at_gmail.com>wrote:
>>
>>> Is this an ASA? If so by default the secruity zones only allow higher to
>>> lower access and inside is always higher than DMZ
>>>
>>> You can change this behavior either leveling the zones (not the best idea
>>> for DMZ) or creating access-lists. When entering access lists keep in
>>> mind
>>> that security levels will no longer be used.
>>>
>>> HTH
>>>
>>> Marc
>>>
>>> On Wed, Jul 11, 2012 at 7:59 AM, sameer inam <i_sameer_at_hotmail.com>
>>> wrote:
>>>
>>> > Gents ,
>>> > Need some help , I m trying to access from DMZ to inside it wont work
>>> > form
>>> > some reason but other way Inside to DMZ working fine , Can any one
>>> give me
>>> > some kind of Document or idea ,
>>> > It will be much appreciated
>>> > Thanks in advance
>>> > Sameer
>>> >
>>> >
>>> > Blogs and organic groups at http://www.ccie.net
>>> >
>>> > _______________________________________________________________________
>>> > Subscription information may be found at:
>>> > http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> CCIEx2 (R&S|Sec) #19963

Blogs and organic groups at http://www.ccie.net
Received on Wed Jul 11 2012 - 10:06:11 ART

This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART