Re: DMZ security Issue

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Wed, 11 Jul 2012 19:14:48 +0100

Hi Marc,

Yes, you are right on the implicit deny on the ACL. Perhaps my statement
was not very clear the first time.

What I meant to say is that when ACLs are present on the interfaces
(*typically* on the lower security level, outside/dmz), then traffic is
subjected to these ACLs when it comes in via those interfaces. When
traffic comes in via a higher security level that has no ACL, then it will
be allowed back in even if the ACL on the exit interface does not allow
this - this is implicitly done because of the firewall inspection rule
(higher->lower flow).

But I agree with you, if there is an explicit deny on the ACL on any
interface, then yes, the firewall shall drop that traffic.

I think we are both saying the same thing. Right?

Thanks,
Sadiq

On Wed, Jul 11, 2012 at 6:06 PM, marc edwards <renorider_at_gmail.com> wrote:

> And the more I think about it. It is due to implicit deny that comes with
> the ACL.
>
> Marc
>
>
> On Wed, Jul 11, 2012 at 10:05 AM, marc edwards <renorider_at_gmail.com> wrote:
>
>> Sadiq,
>>
>> With my experiences, if the interface has ACLs it won't pass traffic to
>> lower zones, but I will defer to an expert to confirm. Thanks for pointing
>> it out for clarification.
>>
>> Regards,
>>
>> Marc
>>
>>
>> On Wed, Jul 11, 2012 at 10:00 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>
>>> That's all right Marc. One point to add; even with access-lists, the
>>> security levels are in fact used, but the ACLs will take precedence. This
>>> means for traffic streams that don't have entries in the ACL, the security
>>> levels' rules can permit (or otherwise) the traffic.
>>>
>>> Right?
>>>
>>>
>>> On Wed, Jul 11, 2012 at 5:50 PM, marc edwards <renorider_at_gmail.com> wrote:
>>>
>>>> Is this an ASA? If so, by default the security zones only allow higher to
>>>> lower access, and inside is always higher than DMZ.
>>>>
>>>> You can change this behavior either by leveling the zones (not the best
>>>> idea for DMZ) or by creating access-lists. When entering access lists, keep
>>>> in mind that security levels will no longer be used.
>>>>
>>>> HTH
>>>>
>>>> Marc
>>>>
>>>> On Wed, Jul 11, 2012 at 7:59 AM, sameer inam <i_sameer_at_hotmail.com>
>>>> wrote:
>>>>
>>>> > Gents,
>>>> > Need some help. I'm trying to access from DMZ to inside; it won't work
>>>> > for some reason, but the other way, Inside to DMZ, is working fine. Can
>>>> > anyone give me some kind of document or idea?
>>>> > It will be much appreciated.
>>>> > Thanks in advance
>>>> > Sameer
>>>> >
>>>> >
>>>> > Blogs and organic groups at http://www.ccie.net
>>>> >
>>>> > _______________________________________________________________________
>>>> > Subscription information may be found at:
>>>> > http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>
>>>
>>> --
>>> CCIEx2 (R&S|Sec) #19963
>>>
>>
>>
>

Received on Wed Jul 11 2012 - 19:14:48 ART
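To make the rules the thread settles on concrete (an inbound ACL on an interface takes precedence and carries an implicit deny; an interface with no ACL follows security levels, higher to lower only; stateful inspection lets return traffic back through an interface whose ACL does not list it), here is a small Python model of that decision logic. It is an added illustration, not code from the thread or from Cisco; the interface names, security levels, addresses and ports are constructed for the example, and the model ignores NAT and every other ASA feature.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Interface:
    name: str
    level: int                     # security-level 0..100 (constructed values below)
    acl: Optional[list] = None     # inbound ACL as (action, src, dst, port) tuples, or None

def acl_permits(acl, src, dst, port):
    """Top-down first match; falling off the end is the ACL's implicit deny."""
    for action, a_src, a_dst, a_port in acl:
        if a_src in (src, "any") and a_dst in (dst, "any") and a_port in (port, "any"):
            return action == "permit"
    return False

class AsaModel:
    def __init__(self, *ifaces):
        self.ifaces = {i.name: i for i in ifaces}
        self.conns = set()         # (src, dst, port) of flows already permitted

    def evaluate(self, ingress, egress, src, dst, port):
        """Decide a packet arriving on `ingress` bound for `egress`."""
        if (dst, src, port) in self.conns:
            return "permit"        # reply to an established flow: inspection lets it back
        inb, outb = self.ifaces[ingress], self.ifaces[egress]
        if inb.acl is not None:
            allowed = acl_permits(inb.acl, src, dst, port)  # ACL overrides levels
        else:
            allowed = inb.level > outb.level                # higher -> lower only
        if allowed:
            self.conns.add((src, dst, port))
        return "permit" if allowed else "deny"

def demo():
    # Sameer's situation: inside(100) and dmz(50), no ACLs on either interface.
    asa = AsaModel(Interface("inside", 100), Interface("dmz", 50))
    r1 = asa.evaluate("inside", "dmz", "10.1.1.10", "192.168.10.5", 80)   # permit
    r2 = asa.evaluate("dmz", "inside", "192.168.10.5", "10.1.1.10", 80)   # permit (reply)
    r3 = asa.evaluate("dmz", "inside", "192.168.10.5", "10.1.1.20", 25)   # deny
    # Marc's fix: an inbound ACL on dmz permitting only the needed flow.
    dmz_acl = [("permit", "192.168.10.5", "10.1.1.20", 25)]
    asa2 = AsaModel(Interface("inside", 100), Interface("dmz", 50, dmz_acl))
    r4 = asa2.evaluate("dmz", "inside", "192.168.10.5", "10.1.1.20", 25)  # permit
    r5 = asa2.evaluate("dmz", "inside", "192.168.10.5", "10.1.1.20", 22)  # deny (implicit)
    # Sadiq's point: inside->dmz needs no ACL entry, and its reply passes the dmz ACL.
    r6 = asa2.evaluate("inside", "dmz", "10.1.1.10", "192.168.10.5", 443) # permit
    r7 = asa2.evaluate("dmz", "inside", "192.168.10.5", "10.1.1.10", 443) # permit (reply)
    return r1, r2, r3, r4, r5, r6, r7
```

The r5 case is the one to watch when adding an ACL to fix a DMZ-to-inside problem: anything not explicitly permitted on that interface is now dropped, including flows that security levels alone would never have allowed anyway.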

This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART