No, you are not.
Marc said "implicit", you said "explicit".
Marc says "ACL will render sec level useless", you say it will be used.
I would say Marc is right, but a simple test would confirm.
Any ACL in the path of the initiating packet will define the fate of the
connection. The ACL will rule. If you happen to have two ACLs in the
path, then both should permit the packet for the connection to be permitted.
-Carlos
Sadiq Yakasai @ 11/07/2012 15:14 -0300 dixit:
> Hi Marc,
>
> Yes, you are right on the implicit deny on the ACL. Perhaps my statement
> was not very clear the first time.
>
> What I meant to say is that when ACLs are present on the interfaces
> (*typically* on the lower security level, outside/dmz), then traffic is
> subjected to these ACLs when it comes in via those interfaces. When
> traffic comes in via a higher security level that has no ACL, then it will
> be allowed back in even if the ACL on the exit interface does not allow
> this - this is implicitly done because of the firewall inspection rule
> (higher->lower flow).
>
> But I agree with you, if there is an explicit deny on the ACL on any
> interface, then yes, the firewall shall drop that traffic.
>
> I think we are both saying the same thing. Right?
>
> Thanks,
> Sadiq
>
> On Wed, Jul 11, 2012 at 6:06 PM, marc edwards <renorider_at_gmail.com> wrote:
>
>> And the more I think about it, it is due to the implicit deny that comes
>> with the ACL.
>>
>> Marc
>>
>>
>> On Wed, Jul 11, 2012 at 10:05 AM, marc edwards <renorider_at_gmail.com> wrote:
>>
>>> Sadiq,
>>>
>>> In my experience, if the interface has ACLs it won't pass traffic to
>>> lower zones, but I will defer to an expert to confirm. Thanks for pointing
>>> this out for clarification.
>>>
>>> Regards,
>>>
>>> Marc
>>>
>>>
>>> On Wed, Jul 11, 2012 at 10:00 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>>
>>>> That's all right Marc. One point to add: even with access-lists, the
>>>> security levels are in fact used, but the ACLs will take precedence. This
>>>> means for traffic streams that don't have entries in the ACL, the security
>>>> levels' rules can permit (or otherwise) the traffic.
>>>>
>>>> Right?
>>>>
>>>>
>>>> On Wed, Jul 11, 2012 at 5:50 PM, marc edwards <renorider_at_gmail.com> wrote:
>>>>
>>>>> Is this an ASA? If so, by default the security zones only allow higher to
>>>>> lower access, and inside is always higher than DMZ.
>>>>>
>>>>> You can change this behavior either by leveling the zones (not the best
>>>>> idea for DMZ) or by creating access-lists. When entering access lists, keep
>>>>> in mind that security levels will no longer be used.
>>>>>
>>>>> HTH
>>>>>
>>>>> Marc
>>>>>
>>>>> On Wed, Jul 11, 2012 at 7:59 AM, sameer inam <i_sameer_at_hotmail.com> wrote:
>>>>>
>>>>>> Gents,
>>>>>> Need some help. I'm trying to access from DMZ to inside; it won't work
>>>>>> for some reason, but the other way, inside to DMZ, is working fine. Can
>>>>>> anyone give me some kind of document or idea?
>>>>>> It will be much appreciated.
>>>>>> Thanks in advance
>>>>>> Sameer
>>>>>>
>>>>>>
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>
>>>>>> _______________________________________________________________________
>>>>>> Subscription information may be found at:
>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>>
>>>> --
>>>> CCIEx2 (R&S|Sec) #19963
--
Carlos G Mendioroz <tron_at_huapi.ba.ar>
LW7 EQI Argentina

Received on Wed Jul 11 2012 - 15:52:21 ART
This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART
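A minimal ASA configuration for the DMZ-to-inside case discussed in this thread, added here as an example (it is not configuration from any poster in the thread). The interface names, addresses, object names and the destination port are assumptions chosen for illustration; packet-tracer is the kind of "simple test" Carlos mentions.

```cisco
! Added example, not from the thread. Interface names, addresses, object
! names and the port are assumptions.
!
! Security levels alone: inside (100) may initiate to dmz (50); dmz may not
! initiate to inside. Return traffic of inside-initiated connections is
! allowed by stateful inspection and needs no ACL entry.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
object network DMZ_WEB
 host 192.0.2.10
object network INSIDE_DB
 host 10.0.0.10
!
! Once this ACL is bound inbound on dmz, the security level no longer decides
! for packets arriving on dmz: the ACL rules, and any flow it does not permit
! hits the implicit deny at its end. The explicit deny line adds nothing to
! that behaviour; it only makes the drops visible in syslog.
access-list DMZ_IN extended permit tcp object DMZ_WEB object INSIDE_DB eq 1433
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Marc's other option, leveling the zones, would instead require equal
! security levels plus:
!   same-security-traffic permit inter-interface
!
! Test without live traffic. The Result section of each packet-tracer run
! shows the allow/drop action and the phase (here ACCESS-LIST) that decided it:
! the first flow is permitted, the second is dropped by the implicit deny.
packet-tracer input dmz tcp 192.0.2.10 40000 10.0.0.10 1433
packet-tracer input dmz tcp 192.0.2.10 40000 10.0.0.10 22
show access-list DMZ_IN
```

If an ACL is later bound inbound on inside as well, inside-initiated flows to dmz also need an explicit permit, which is the "two ACLs in the path" situation Carlos describes.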