ASA Question?

Howdy folks,

I have a question regarding the ASA 5505. I totally understand the concept of higher to lower level, but I noticed something interesting while I was doing something at work today. Traffic from my inside could see my web server located in my DMZ via local IP address. For example, source local IP (MyPC was able to establish a TCP session towards my Apache server addressed to  I thought once you've created a level of security, none of the interfaces should communicate unless you have an access rule such as NAT or ACCESS-LIST in place. Please let me know if I'm wrong.

Also, I have no routing nor access-list, just a basic simple configuration. I just noticed it after mistakenly typing an IP address.

DMZ 50

Thank you!
Hemil Aquino (Network Security Engineer) asked:

By default, a higher level can communicate to a lower security level. Once you place an ACL, then that rule goes out the window. So above, INSIDE can talk to OUTSIDE and DMZ. A lower level can't talk to a higher level by default.
Hemil Aquino (Network Security Engineer, author) commented:
Hi Soulja,

Thank you for your reply. So it is normal that my INSIDE network can communicate with port 80 on the DMZ because of higher to lower?
Other than that, I cannot ping nor do anything, which is fine.

My question to you is, by default does ASA send traffic from a higher level towards DMZ opening a tcp communication to connect to web server port 80?

Thank you!
Yes, by default traffic is allowed from a higher level to the DMZ. The only difference between DMZ and outside is that usually the DMZ has a higher security level than outside, but less than inside. Inside traffic can flow to both because of the higher security level.
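
The default behaviour discussed in this thread, written out as an ASA configuration (an added example, not taken from the original posts; the interface numbers, addresses and the ACL name INSIDE_IN are constructed assumptions). It shows the implicit inside-to-DMZ permit and how an inbound ACL on the inside interface narrows it to HTTP towards the web server only.

```cisco
! Constructed addressing: inside 192.168.1.0/24, DMZ 172.16.50.0/24,
! web server 172.16.50.10. Substitute your own values.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.16.50.1 255.255.255.0
!
! With no ACL applied to "inside":
!   inside (100) -> dmz (50)   permitted implicitly
!   dmz (50)    -> inside (100) denied implicitly
!
! An inbound ACL on "inside" replaces the implicit permit. Only the
! listed traffic passes, and an implicit deny ends the list.
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.50.10 eq www
access-list INSIDE_IN extended deny ip any 172.16.50.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Check how the ASA treats a flow without sending real traffic
! (run from privileged EXEC, not configuration mode):
!   packet-tracer input inside tcp 192.168.1.20 12345 172.16.50.10 80
!   packet-tracer input inside tcp 192.168.1.20 12345 172.16.50.10 22
```

With the ACL applied, the first `packet-tracer` flow should be allowed and the second dropped by the `deny` entry; the final `permit ip any any` keeps inside-to-outside traffic working as before.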
