ASA 101 13 years 3 weeks ago #21813

I wanted to clear up a few basic concepts of the ASA:

It has been said (in my ASA book) that:

Before connections can form between firewall interfaces, two conditions must be met: 1) An address translation policy MUST be configured between a pair of interfaces. 2) A security policy must be configured to allow the connection to initiate toward the destination, usually in the form of an access list applied to a firewall interface.

It has also been said that:

1) Outbound connections from a higher security interface to a lower one are allowed, provided that they are permitted by any access lists that are applied to the firewall interfaces. 2) All inbound connections from a lower security interface to a higher one are blocked.

1) Why do I need an ACL permitting traffic from a high-security interface to a lower one if the traffic is permitted (as previously stated)? How is this any different from a low-security interface to a high-security interface? Wouldn't I need an ACL in either case?

2) In order to communicate between interfaces, do I always need an address translation policy? If so, is the book speaking of NAT and PAT?

3) In summation, for any communication, I need a NAT/PAT statement and an ACL allowing the flow of traffic?

4) When do I not need an ACL or an address translation policy?

5) If traffic is permitted from a higher-security interface to a lower-security interface, does this include return traffic? (because this is a stateful firewall.)

I think I am confusing some of the basic concepts. Please shed some light. Thanks!

Re: ASA 101 13 years 2 weeks ago #21825

Smurf (Moderator)
Hi there,

I will try and shed some light (well this is my understanding);

You don't need an access-list from a High to Low, this is allowed by default. You will need an access list from Low to High however. This is one of the Pix/ASA security mechanisms to try and secure them. Also, you don't necessarily need to configure NAT. If you are using Nat-Control then you obviously do need to configure NAT (And from a low to high you need to configure a Static Translation) but if you turn off Nat-Control then Natting isn't required.

In summary;

High to Low - Traffic will flow (if NAT is configured correctly, if you are using Nat)
Low to High - Will need an access-list (and a Static if you are using Nat)
Nat - Only if you are using Nat-Control
Routing - If you are not using Nat-Control then the appliance will route the traffic.
Wayne Murphy Team Member

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit or PM me for details.
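As an added illustration of the rules Smurf summarises above (not code from the forum or from Cisco), here is a small Python model of the ASA connection decision: an ACL applied to the ingress interface governs with its implicit deny, otherwise the security levels decide, nat-control demands a translation between the interface pair, and replies are matched against the state table (question 5). Interface names, security levels, the ACL entries and the addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Interface:
    name: str
    security_level: int            # 0..100, higher = more trusted (inside=100, outside=0)
    acl: Optional[list] = None     # (action, src, dst) entries, or None if no ACL is applied

@dataclass
class Asa:
    nat_control: bool = False
    translations: set = field(default_factory=set)  # (ingress, egress) pairs with a nat/static rule
    conns: set = field(default_factory=set)         # established (src, dst) flows: the state table

    @staticmethod
    def _acl_permits(acl, src, dst):
        for action, a_src, a_dst in acl:
            if a_src in (src, "any") and a_dst in (dst, "any"):
                return action == "permit"           # first matching entry wins
        return False                                # implicit deny at the end of every ACL

    def decide(self, ingress, egress, src, dst):
        """Return (allowed, reason) for a packet entering on ingress bound for egress."""
        if (dst, src) in self.conns:                # reply to an established connection
            return True, "stateful return traffic"
        if self.nat_control and (ingress.name, egress.name) not in self.translations:
            return False, "nat-control: no translation between these interfaces"
        if ingress.acl is not None:                 # an applied ACL governs, whatever the levels
            if not self._acl_permits(ingress.acl, src, dst):
                return False, "denied by the interface ACL (implicit deny)"
        elif ingress.security_level <= egress.security_level:
            return False, "lower or equal security level with no ACL"
        self.conns.add((src, dst))                  # new connection recorded in the state table
        return True, "permitted"

def demo():  # constructed scenarios, hypothetical RFC 5737 / RFC 1918 addresses
    inside = Interface("inside", 100)
    inside_acl = Interface("inside", 100, acl=[("permit", "10.1.1.5", "any")])
    dmz = Interface("dmz", 50)
    outside = Interface("outside", 0, acl=[("permit", "any", "203.0.113.10")])
    fw = Asa(nat_control=True, translations={("inside", "outside"), ("outside", "inside")})
    return [
        fw.decide(inside, outside, "10.1.1.5", "198.51.100.7"),       # high->low, no ACL: allowed
        fw.decide(outside, inside, "198.51.100.7", "10.1.1.5"),       # the reply: allowed by state
        fw.decide(outside, inside, "192.0.2.9", "203.0.113.10"),      # low->high, ACL permit + static
        fw.decide(outside, inside, "192.0.2.9", "10.1.1.99"),         # low->high, implicit deny
        fw.decide(inside_acl, outside, "10.1.1.77", "198.51.100.7"),  # high->low, but ACL applied
        fw.decide(inside, dmz, "10.1.1.5", "172.16.0.8"),             # nat-control, no translation
    ]
```

The fifth scenario is the answer to question 1: once any ACL is applied to the high-security interface, the security-level default no longer applies and the ACL's implicit deny drops whatever is not explicitly permitted.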