A friend of mine recently did some ASA lab work and found that he could not access the ESXi server located on the inside interface. His computer was on the outside interface. So I told him to use access-group myacl in interface outside and that it should 100% work. He told me this did not work… I was puzzled; basically my expression was >> o_O
So he asked me to run a test using the setup shown in the diagram. He suspected that traffic flowing from security level 0 to 100 might be denied even with the ACL applied. I wondered how this could be possible: the default behaviour is indeed an implicit deny for traffic from a lower to a higher security level, but once an ACL is applied to the interface, that default is overridden.
Nevertheless I promised to do a setup as shown.
Let’s see the result:
My laptop on the outside interface got IP address 192.168.10.11 from dhcpd. The NAS on the inside interface got IP address 192.168.100.10 from dhcpd.
I guess his real problem was that he did not no shutdown the physical switch interfaces of the ASA 5505. I had told him before that the physical interfaces are shut down by default: you might see link lights when you attach a cable, and the interface vlan status shows up/up, but the physical interfaces are actually all shut down. Use show run int e0/0 (or another interface id) to verify.
access-list outside->inside extended permit tcp object-group outside-network object-group pub-servers object-group pub-services log
access-group outside->inside in interface outside
interface Vlan10
 nameif outside
 security-level 0
 ip address 192.168.10.1 255.255.255.0
interface Vlan100
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
interface Ethernet0/0
 switchport access vlan 10
interface Ethernet0/1
 switchport access vlan 100
The default state of a physical interface is shutdown, even if you see link lights on your switch:
asa-1(config)# sh run int e0/3
!
interface Ethernet0/3
 shutdown
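To check this without eyeballing every interface, here is an added Python example (not from the original post) that parses a constructed ASA 5505 running-config excerpt, maps each nameif to the switchports in its VLAN, and flags ports that are still shut down as well as nameifs with no inbound access-group. The config text, interface names and ACL name are constructed for the example.

```python
import re
# Constructed ASA 5505 config excerpt (not from a real device); Ethernet0/0 is left shut down on purpose.
SAMPLE_CONFIG = """\
interface Vlan10
 nameif outside
 security-level 0
interface Vlan100
 nameif inside
 security-level 100
interface Ethernet0/0
 switchport access vlan 10
 shutdown
interface Ethernet0/1
 switchport access vlan 100
access-group outside->inside in interface outside
"""

def parse_interfaces(config):
    """Return {interface name: attributes} for every 'interface' stanza."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"shutdown": False})
        elif line.startswith(" ") and cur is not None:
            p = line.split()
            if p[0] == "shutdown":
                cur["shutdown"] = True
            elif p[0] == "nameif":
                cur["nameif"] = p[1]
            elif p[0] == "security-level":
                cur["security_level"] = int(p[1])
            elif p[:3] == ["switchport", "access", "vlan"]:
                cur["vlan"] = int(p[3])
        else:
            cur = None  # a non-indented line closes the stanza
    return ifaces

def audit(config):
    """Per nameif: security level, member switchports, shut-down ports and inbound ACL name."""
    ifaces = parse_interfaces(config)
    acls = {ifname: acl for acl, ifname in re.findall(r"access-group (\S+) in interface (\S+)", config)}
    report = {}
    for name, a in ifaces.items():
        if "nameif" not in a or not name.startswith("Vlan"):
            continue
        # a 5505 switchport with no 'switchport access vlan' line belongs to VLAN 1
        ports = [pn for pn, pa in ifaces.items() if pn.startswith("Ethernet") and pa.get("vlan", 1) == int(name[4:])]
        report[a["nameif"]] = {"security_level": a.get("security_level"), "ports": ports,
                               "shutdown_ports": [pn for pn in ports if ifaces[pn]["shutdown"]], "access_group": acls.get(a["nameif"])}
    return report
```

Run audit() over the output of show running-config; any nameif whose shutdown_ports list is not empty will not pass traffic no matter what the ACL says.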