It did change in 8.0. Not sure which version but an IP ACL is no longer necessary from higher to lower traffic.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Saturday, May 22, 2010 12:07 PM
To: Piotr Matusiak
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ASA transparent firewall

Indeed I have configured IP address else the ASA won't pass the traffic right?

I think, we should be in the par with what Cisco says. Only ARP is allowed and others need access-list to be allowed across.

BTW, I observed BPDU also moving freely across without ACL.

With regards
Kings

On Sat, May 22, 2010 at 6:10 PM, Piotr Matusiak <[email protected]> wrote:

As far as I know you need ACL in transparent mode only to allow m-cast traffic. Unicast packets should pass freely from higher to lower security level. Make sure you have IP address assigned to the box.

HTH,
Piotr

2010/5/22 Kingsley Charles <[email protected]>

The behaviour that I have mentioned is not consistent. If anyone has seen this, please do let me know.

With regards
Kings

On Sat, May 22, 2010 at 4:18 PM, Kingsley Charles <[email protected]> wrote:

Hi all

I am using 8.0(4) in ASA and the mode is transparent firewall. For IP traffic to pass from higher security to lower security, I have no access-list configured.

It just behaves like routed mode ASA. Any idea, when did this change happen? Earlier, we needed access-list to be configured even from higher to lower security level.

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
